cybergate | 9e186b93ad3a75a089b46f6db7758939409217f07fbb2bc6b5a73b375ec2d83a

Modify Registry

Processes:

dc6829105ee05da14500e16d90a553b4.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dc6829105ee05da14500e16d90a553b4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\windows\\system32\\microsoft\\windows.exe"	dc6829105ee05da14500e16d90a553b4.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dc6829105ee05da14500e16d90a553b4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\windows\\system32\\microsoft\\windows.exe"	dc6829105ee05da14500e16d90a553b4.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

dc6829105ee05da14500e16d90a553b4.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY}	dc6829105ee05da14500e16d90a553b4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY}\StubPath = "c:\\windows\\system32\\microsoft\\windows.exe Restart"	dc6829105ee05da14500e16d90a553b4.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY}\StubPath = "c:\\windows\\system32\\microsoft\\windows.exe"	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

dc6829105ee05da14500e16d90a553b4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	dc6829105ee05da14500e16d90a553b4.exe

Executes dropped EXE 1 IoCs

Processes:

windows.exe

pid process

3600 windows.exe

pid	process
3600	windows.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3040-0-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/3040-4-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/3040-64-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/4660-69-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/4660-68-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
\??\c:\windows\SysWOW64\microsoft\windows.exe	upx
behavioral2/memory/5040-80-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/3040-93-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/3040-141-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/5040-140-0x00000000240F0000-0x0000000024152000-memory.dmp	upx
behavioral2/memory/3600-478-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/4660-475-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/4660-492-0x0000000031C10000-0x0000000031C1D000-memory.dmp	upx
behavioral2/memory/3600-525-0x0000000031C30000-0x0000000031C3D000-memory.dmp	upx
behavioral2/memory/5040-559-0x00000000240F0000-0x0000000024152000-memory.dmp	upx
behavioral2/memory/3732-560-0x0000000031C60000-0x0000000031C6D000-memory.dmp	upx
behavioral2/memory/3732-583-0x0000000031C60000-0x0000000031C6D000-memory.dmp	upx
behavioral2/memory/3600-589-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/3600-590-0x0000000031C30000-0x0000000031C3D000-memory.dmp	upx
behavioral2/memory/4660-603-0x0000000031C10000-0x0000000031C1D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

dc6829105ee05da14500e16d90a553b4.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:\\windows\\system32\\microsoft\\windows.exe"	dc6829105ee05da14500e16d90a553b4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:\\windows\\system32\\microsoft\\windows.exe"	dc6829105ee05da14500e16d90a553b4.exe

Drops file in System32 directory 4 IoCs

Processes:

dc6829105ee05da14500e16d90a553b4.exedc6829105ee05da14500e16d90a553b4.exe

description	ioc	process
File created	\??\c:\windows\SysWOW64\microsoft\windows.exe	dc6829105ee05da14500e16d90a553b4.exe
File opened for modification	\??\c:\windows\SysWOW64\microsoft\windows.exe	dc6829105ee05da14500e16d90a553b4.exe
File opened for modification	\??\c:\windows\SysWOW64\microsoft\windows.exe	dc6829105ee05da14500e16d90a553b4.exe
File opened for modification	\??\c:\windows\SysWOW64\microsoft\	dc6829105ee05da14500e16d90a553b4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3732 3600 WerFault.exe windows.exe

pid	pid_target	process	target process
3732	3600	WerFault.exe	windows.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

WerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

Processes:

WerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe

Modifies registry class 1 IoCs

Processes:

dc6829105ee05da14500e16d90a553b4.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	dc6829105ee05da14500e16d90a553b4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

dc6829105ee05da14500e16d90a553b4.exedc6829105ee05da14500e16d90a553b4.exeWerFault.exe

pid	process
3040	dc6829105ee05da14500e16d90a553b4.exe
3040	dc6829105ee05da14500e16d90a553b4.exe
3040	dc6829105ee05da14500e16d90a553b4.exe
3040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
3732	WerFault.exe
3732	WerFault.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe
5040	dc6829105ee05da14500e16d90a553b4.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dc6829105ee05da14500e16d90a553b4.exe

pid process

5040 dc6829105ee05da14500e16d90a553b4.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

dc6829105ee05da14500e16d90a553b4.exe

description pid process

Token: SeDebugPrivilege 5040 dc6829105ee05da14500e16d90a553b4.exe
Token: SeDebugPrivilege 5040 dc6829105ee05da14500e16d90a553b4.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

dc6829105ee05da14500e16d90a553b4.exe

pid process

3040 dc6829105ee05da14500e16d90a553b4.exe

pid	process
5040	dc6829105ee05da14500e16d90a553b4.exe

description	pid	process
Token: SeDebugPrivilege	5040	dc6829105ee05da14500e16d90a553b4.exe
Token: SeDebugPrivilege	5040	dc6829105ee05da14500e16d90a553b4.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

dc6829105ee05da14500e16d90a553b4.exe

description	pid	process	target process
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE
PID 3040 wrote to memory of 3420	3040	dc6829105ee05da14500e16d90a553b4.exe	Explorer.EXE

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:620

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
2⤵
PID:796

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:1016

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:784

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
2⤵
PID:1300

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
2⤵
PID:3776

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
2⤵
PID:3936

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:4004

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
2⤵
PID:4092

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:3932

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:5092

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
2⤵
PID:2124

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
2⤵
PID:4388

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
2⤵
PID:404

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
2⤵
PID:3912

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
2⤵
PID:4436

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
2⤵
PID:4104

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
2⤵
PID:1184

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:1456

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:2744

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
2⤵
PID:3952

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
2⤵
PID:3160

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
2⤵
PID:1500

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
2⤵
PID:3664

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
2⤵
PID:3208

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
2⤵
PID:2172

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
2⤵
PID:1120

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
2⤵
PID:1888

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
2⤵
PID:2704

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
2⤵
PID:4412

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
2⤵
PID:556

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:548

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:920

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1064

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1168

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:2976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1380

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1468

C:\Windows\system32\sihost.exe
sihost.exe
2⤵
PID:2820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1568

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1652

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1728

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1904

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1924

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1976

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:1824

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2068

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2148

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2508

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2516

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3336

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3420

C:\Users\Admin\AppData\Local\Temp\dc6829105ee05da14500e16d90a553b4.exe
"C:\Users\Admin\AppData\Local\Temp\dc6829105ee05da14500e16d90a553b4.exe"
2⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3040

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
- Modifies Installed Components in the registry
PID:4660

C:\Users\Admin\AppData\Local\Temp\dc6829105ee05da14500e16d90a553b4.exe
"C:\Users\Admin\AppData\Local\Temp\dc6829105ee05da14500e16d90a553b4.exe"
3⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:5040

C:\windows\SysWOW64\microsoft\windows.exe
"C:\windows\system32\microsoft\windows.exe"
4⤵
- Executes dropped EXE
PID:3600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 564
5⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:3732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3540

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:1856

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:4632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4500

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:2236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:1804

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:228

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:1112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3600 -ip 3600
2⤵
PID:1812

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe bc72aa9359b82a56f037568d30530dea UF5FoR8KL0yi3chISC6WSw.0.1.0.0.0
1⤵
PID:1220

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
2⤵
PID:2956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:1388

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:2504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4448

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:4856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4908

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery