Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-11-2024 06:45
Static task: static1
Behavioral task: behavioral1
  Sample: e026cb1d0c332e89db275cb72ddedad2ddd2463ff8ceb73bc1a403460570407b.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: e026cb1d0c332e89db275cb72ddedad2ddd2463ff8ceb73bc1a403460570407b.exe
  Resource: win10v2004-20241007-en
General
Target: e026cb1d0c332e89db275cb72ddedad2ddd2463ff8ceb73bc1a403460570407b.exe
Size: 992KB
MD5: 245e85a3803b4a0bcd4a5b09759b8dd3
SHA1: 6c8814a17c21f66c43be206368657cc179ee67a1
SHA256: e026cb1d0c332e89db275cb72ddedad2ddd2463ff8ceb73bc1a403460570407b
SHA512: 227e193dab3d01f0cffffeb4cb2a38ca8ea357245a5b92cb3b829beb5d8eb7376f14784014be73077ffe72603e4b0397ff9c906d475c2232eb2944965dabf1c1
SSDEEP: 12288:lzAHg+1yahuV0voyd0gP8YtNmdDWtGnYoa3qkmO/UQ/7MVjzXmhQOE4Ro:FYghWuyvV0W3KWcnYoU3/P/gVjzWhjR
Malware Config
Signatures

Indicator Removal: Clear Windows Event Logs (1 TTP, 1 IoC)
Clearing Windows event logs hides the activity of an intrusion.
File opened for modification: C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx [svchost.exe]
Note on attribution: the process that opened the file is svchost.exe hosting the EventLog service (PID 1172 in the process list below), not the sample. The EventLog service opens .evtx files for writing as part of normal logging, so this single open does not by itself show that a log was cleared. What keeps it relevant is that the sample (PID 3412) wrote into the memory of that same process (see the WriteProcessMemory signature below). Corroborate with Security event 1102 (audit log cleared) or System event 104 (log file cleared) before treating this as log clearing.
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only), all by svchost.exe: \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
Note on attribution: every one of the 23 opens is by svchost.exe, not by the sample; the letters that exist in the sandbox image (C:, D:, F:) are the ones missing from the list, which is the footprint of a service probing for removable or newly attached volumes. Because the sample wrote into the memory of the svchost processes (WriteProcessMemory signature below), svchost activity cannot simply be assumed benign, but nothing here ties the drive probing to the sample directly.
Drops file in System32 directory (13 IoCs)
File opened for modification, all by svchost.exe:
- C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749
- C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
- C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
- C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
- C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
- C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan
- C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
- C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
- C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
- C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
- C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
- C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 (second record for the same path)
- C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
Note on attribution: the four task files under UpdateOrchestrator are written by the Schedule service host (PID 1144, which carries this signature in the process list below), and CryptnetUrlCache is CryptoAPI's on-disk cache for certificates and CRLs fetched over the network. Both are consistent with Windows Update running in the sandbox during the analysis window rather than with the sample dropping files, with the same caveat as above: the sample wrote into these svchost processes, so check whether any of this activity post-dates that write before discounting it.
Drops file in Windows directory (2 IoCs)
File opened for modification, both by svchost.exe:
- C:\Windows\SoftwareDistribution\ReportingEvents.log
- C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk
SoftwareDistribution is the Windows Update client's working directory; ReportingEvents.log and the DataStore ESE checkpoint are written by the update service itself.
Modifies data under HKEY_USERS (51 IoCs)
All records are by svchost.exe. S-1-5-20 is the NETWORK SERVICE account; the SystemCertificates keys are the per-account certificate stores that CryptoAPI creates on first use, and the MuiCache strings are localized enhanced-key-usage names. The LID value under IdentityCRL is a Microsoft account client identifier.
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
- Key created: \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs
- Key created: \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs
- Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
- Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust
- Set value (str): \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "0018C00F9834A8C1"
- Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople
- Key created: \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates
- Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust
- Set value (str): \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave"
- Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA
- Key created: \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
- Key created: \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs
- Set value (str): \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update"
- Key created: \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs
- Key created: \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs
- Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA
- Key created: \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
- Key created: \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates
- Key created: \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
- Key created: \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections (second record for the same key)
- Set value (str): \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"
- Set value (str): \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption"
- Key created: \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
- Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed
- Key created: \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs
- Key created: \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates
- Key created: \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates
- Set value (str): \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)"
- Set value (str): \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent"
- Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed
- Key created: \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs
- Key created: \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates
- Key created: \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
- Key created: \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
- Key created: \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs
- Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot
- Key created: \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs
- Set value (str): \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption"
- Key created: \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs
- Key created: \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs
- Key created: \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
- Key created: \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs
- Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root
- Key created: \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs
- Key created: \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
- Key created: \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates
- Key created: \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates
- Key created: \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
Modifies registry class (19 IoCs)
All records are by svchost.exe and sit under one key, written below as <CDM>:
<CDM> = \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
This is the Content Delivery Manager's background-task bookkeeping for the logged-on user; the PCT and PTT values are 64-bit FILETIME stamps (100 ns ticks since 1601) that fall on the analysis date.
- Key created: <CDM>\HAM\AUI\App\V1\LU
- Set value (int): <CDM>\HAM\AUI\App\V1\LU\PCT = "133766451290704772"
- Set value (int): <CDM>\HAM\AUI\App\V1\LU\PTT = "133766451367208969"
- Set value (int): <CDM>\HAM\AUI\App\V1\LU\PCT = "133766451400021641"
- Key created: <CDM>
- Key created: <CDM>\HAM\AUI\App\V1
- Set value (int): <CDM>\HAM\AUI\App\V1\LU\PTT = "133766451338771680"
- Set value (int): <CDM>\HAM\AUI\App\V1\LU\PTT = "133766451401740509"
- Set value (int): <CDM>\HAM\AUI\App\V1\LU\PCT = "133766451592834320"
- Set value (int): <CDM>\HAM\AUI\App\V1\LU\PTT = "133766451906896403"
- Key created: <CDM>\HAM\AUI\App
- Set value (int): <CDM>\HAM\AUI\App\V1\LU\PCT = "133766451334709634"
- Set value (int): <CDM>\HAM\AUI\App\V1\LU\PCT = "133766451395490333"
- Set value (int): <CDM>\HAM\AUI\App\V1\LU\PTT = "133766451399397462"
- Set value (int): <CDM>\HAM\AUI\App\V1\LU\PTT = "133766451595021750"
- Set value (int): <CDM>\HAM\AUI\App\V1\LU\PCT = "133766451905490598"
- Key created: <CDM>\HAM\AUI
- Set value (int): <CDM>\HAM\AUI\App\V1\LU\PTT = "133766451323459350"
- Set value (int): <CDM>\HAM\AUI\App\V1\LU\PCT = "133766451365177929"
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid 3412, e026cb1d0c332e89db275cb72ddedad2ddd2463ff8ceb73bc1a403460570407b.exe (all 64 records name this one process; the sample's own signature blocks all stop at exactly 64 entries, so 64 is the report's display cap rather than a count)
This is the sample itself walking the process list, which is the enumeration step that precedes the broad cross-process writes recorded under WriteProcessMemory below.
Suspicious behavior: RenamesItself (1 IoC)
pid 3412, e026cb1d0c332e89db275cb72ddedad2ddd2463ff8ceb73bc1a403460570407b.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Token: SeDebugPrivilege, pid 3412, e026cb1d0c332e89db275cb72ddedad2ddd2463ff8ceb73bc1a403460570407b.exe (1 record)
- Token: SeTcbPrivilege, pid 800, svchost.exe (5 records)
- Token: pid 2060, svchost.exe (58 records in five passes over SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeUndockPrivilege, SeManageVolumePrivilege; the first pass omits SeSystemtimePrivilege and SeUndockPrivilege)
SeDebugPrivilege is the only privilege the sample enabled, and it is the one a process needs to open processes running under other accounts, such as the service hosts, with write access; that is the enabler for the WriteProcessMemory records below. The svchost entries are services adjusting their own tokens and are not attributed to the sample.
Suspicious use of WriteProcessMemory (64 IoCs)
Every record has the sample, pid 3412 e026cb1d0c332e89db275cb72ddedad2ddd2463ff8ceb73bc1a403460570407b.exe, as the writer. Distinct target PIDs, with the report's procid_target in parentheses: 800 (10), 904 (11), 952 (12), 528 (14), 1028 (15), 1036 (16), 1076 (17), 1096 (18), 1144 (19), 1172 (20), 1280 (21), 1300 (22), 1356 (23), 1420 (24), 1432 (25), 1584 (26), 1592 (27), 1668 (28), 1732 (29), 1776 (30), 1824 (31), 1916 (32), 2028 (33), 2044 (34), 1660 (35), 1932 (36), 2060 (37), 2180 (39), 2240 (40), 2400 (41), 2500 (42), 2508 (43), 2672 (44), 2768 (46), 2784 (47), 2880 (50), 2896 (51), 2916 (52), 3424 (55), 3652 (57), 4924 (65), 2912 (66), 1624 (68), 3236 (69), 3768 (71), 4184 (74).
That is 46 distinct targets; the first 18 (800 through 1668) then recur once in the same order, which brings the list to the 64-entry display cap, so the true number of writes is at least 64.
The targets include every service host in the process list below (DcomLaunch, RPCSS, LSM, gpsvc, lmhosts, NcbService, TimeBrokerSvc, Schedule, EventLog, ProfSvc, nsi): the sample, holding SeDebugPrivilege, wrote into essentially every process on the machine rather than into one chosen host. Process-wide fan-out of this kind is the footprint of an injector that implants into all processes; a debugger or an endpoint agent produces the same pattern, so treat it as a strong lead to be confirmed by what the targets do afterwards (new threads, loaded modules, network connections) rather than as a verdict on its own.
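The two signature blocks above (AdjustPrivilegeToken and WriteProcessMemory) are flattened lists of per-process records, and the pattern that matters in this report is the combination: one PID enables SeDebugPrivilege and then writes into dozens of unrelated processes, service hosts included. The helper below, an added example that is not part of the sandbox report or of any vendor tooling, parses records in the report's own flattened format into per-PID summaries and flags exactly that combination. The record text is a constructed excerpt (the real blocks hold 64 entries each), the PID-to-service mapping is taken from the Processes section of this page, and the fan-out threshold of five is an arbitrary choice for the example.

```python
"""Added triage helper: parse flattened "Token:" and "wrote to memory of" records
from a sandbox report into per-PID summaries and flag a process that holds
SeDebugPrivilege while writing into many distinct target processes."""
import re
from collections import defaultdict

SAMPLE = "e026cb1d0c332e89db275cb72ddedad2ddd2463ff8ceb73bc1a403460570407b.exe"

# Constructed excerpt in the report's flattened record format (the report's own
# blocks hold 64 records each); the repeated 800 entry mirrors the report's
# second pass over the same targets.
WPM_TEXT = " ".join(
    f"PID 3412 wrote to memory of {dst} 3412 {SAMPLE} {idx}"
    for dst, idx in [(800, 10), (904, 11), (952, 12), (528, 14),
                     (1028, 15), (1144, 19), (1172, 20), (800, 10)]
)
TOKEN_TEXT = (
    f"Token: SeDebugPrivilege 3412 {SAMPLE} "
    "Token: SeTcbPrivilege 800 svchost.exe Token: SeTcbPrivilege 800 svchost.exe "
    "Token: SeAssignPrimaryTokenPrivilege 2060 svchost.exe "
    "Token: SeIncreaseQuotaPrivilege 2060 svchost.exe"
)

# Service-host PIDs and the service each one hosts, from the report's process list.
SERVICE_HOSTS = {800: "DcomLaunch", 904: "RPCSS", 952: "LSM", 528: "gpsvc",
                 1028: "lmhosts", 1144: "Schedule", 1172: "EventLog"}

# Record shapes: "PID <src> wrote to memory of <dst> <src> <image> <procid_target>"
# and "Token: <privilege> <pid> <image>".
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+")
TOKEN_RE = re.compile(r"Token: (Se\w+Privilege) (\d+) (\S+)")


def parse_wpm(text):
    """Map source PID -> (image name, set of distinct target PIDs)."""
    names, targets = {}, defaultdict(set)
    for src, dst, name in WPM_RE.findall(text):
        names[int(src)] = name
        targets[int(src)].add(int(dst))
    return {pid: (names[pid], targets[pid]) for pid in targets}


def parse_tokens(text):
    """Map PID -> set of privileges that process enabled on its token."""
    privs = defaultdict(set)
    for priv, pid, _name in TOKEN_RE.findall(text):
        privs[int(pid)].add(priv)
    return dict(privs)


def assess(writes, privs, service_hosts, fanout_threshold=5):
    """Return one finding per writer whose distinct targets reach the threshold
    while it holds SeDebugPrivilege. Debuggers and some endpoint agents match
    too, so a finding is a lead for the analyst, not a verdict."""
    findings = []
    for src, (name, targets) in writes.items():
        has_debug = "SeDebugPrivilege" in privs.get(src, set())
        if len(targets) < fanout_threshold or not has_debug:
            continue
        hit = sorted(t for t in targets if t in service_hosts)
        findings.append({
            "pid": src,
            "process": name,
            "distinct_targets": len(targets),
            "service_targets": [f"{t} ({service_hosts[t]})" for t in hit],
        })
    return findings


if __name__ == "__main__":
    for f in assess(parse_wpm(WPM_TEXT), parse_tokens(TOKEN_TEXT), SERVICE_HOSTS):
        print(f"{f['process']} (PID {f['pid']}) wrote into {f['distinct_targets']} "
              f"distinct processes; service hosts hit: {', '.join(f['service_targets'])}")
```

Targets are deduplicated per writer, so the report's repeated pass over the first 18 PIDs does not inflate the fan-out count; a writer that touches one process many times (a legitimate parent feeding a child) stays below the threshold, while the sample's one-write-per-process sweep across the service hosts is what trips it.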
Processes
Tree depth shown in brackets: [1] top-level process, [2] child of the preceding [1] entry. Each entry gives the PID, image path, command line and the sandbox signatures attributed to that process.

[1] PID 800  C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    [2] PID 7496  C:\Windows\system32\backgroundTaskHost.exe
        cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
    [2] PID 7596  C:\Windows\system32\wbem\wmiprvse.exe
        cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
    [2] PID 10304  C:\Windows\system32\backgroundTaskHost.exe
        cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
    [2] PID 13024  C:\Windows\system32\backgroundTaskHost.exe
        cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
    [2] PID 13056  C:\Windows\System32\mousocoreworker.exe
        cmdline: C:\Windows\System32\mousocoreworker.exe -Embedding
    [2] PID 13368  C:\Windows\system32\backgroundTaskHost.exe
        cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
    [2] PID 32312  C:\Windows\system32\backgroundTaskHost.exe
        cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
    [2] PID 42752  C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
        cmdline: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    [2] PID 61632  C:\Windows\system32\backgroundTaskHost.exe
        cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
[1] PID 904  C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k RPCSS -p
[1] PID 952  C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
[1] PID 528  C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
[1] PID 1028  C:\Windows\System32\svchost.exe
    cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
[1] PID 1036  C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
[1] PID 1076  C:\Windows\System32\svchost.exe
    cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
[1] PID 1096  C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
[1] PID 1144  C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
    - Drops file in System32 directory
[1] PID 1172  C:\Windows\System32\svchost.exe
    cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
    - Indicator Removal: Clear Windows Event Logs
[1] PID 1280  C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
[1] PID 1300  C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
[1] PID 1356  C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
[1] PID 1420  C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
[1] PID 1432  C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
[1] PID 1584  C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
[1] PID 1592  C:\Windows\System32\svchost.exe
    cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
[1] PID 1668  C:\Windows\System32\svchost.exe
    cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
[1] PID 1732  C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
[1] PID 1776  C:\Windows\System32\svchost.exe
    cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
[1] PID 1824  C:\Windows\System32\svchost.exe
    cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
[1] PID 1916  C:\Windows\System32\svchost.exe
    cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
[1] PID 2028  C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
[1] PID 2044  C:\Windows\System32\svchost.exe
    cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
[1] PID 1660  C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
[1] PID 1932  C:\Windows\System32\svchost.exe
    cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
[1] PID 2060  C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
    - Suspicious use of AdjustPrivilegeToken
[1] PID 2180  C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
[1] PID 2240  C:\Windows\System32\svchost.exe
    cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
[1] PID 2400  C:\Windows\System32\svchost.exe
    cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
[1] PID 2500  C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
[1] PID 2508  C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
[1] PID 2672  C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
[1] PID 2768  C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
[1] PID 2784  C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
    - Enumerates connected drives
[1] PID 2880  C:\Windows\System32\svchost.exe
    cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
[1] PID 2896  C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
[1] PID 2916  C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
[1] PID 3424  C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
[1] PID 3652  C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
[1] PID 4924  C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
[1] PID 2912  C:\Windows\System32\svchost.exe
    cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
[1] PID 1624  C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
[1] PID 3236  C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
    - Modifies data under HKEY_USERS
[1] PID 3768  C:\Windows\System32\svchost.exe
    cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
[1] PID 4184  C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
[1] PID 3412  C:\Users\Admin\AppData\Local\Temp\e026cb1d0c332e89db275cb72ddedad2ddd2463ff8ceb73bc1a403460570407b.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\e026cb1d0c332e89db275cb72ddedad2ddd2463ff8ceb73bc1a403460570407b.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[1] PID 7476  C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    - Drops file in Windows directory
[1] PID 12972  C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
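The memory-write list and the process tree above are only useful together: the question an analyst asks is which processes the sample wrote into and what the sandbox then attributed to those targets. The script below is an added example for this report, not sandbox code; it parses two small plain-text lists in the same shape as the page (copied excerpts, constructed as sample input, with the image shortened to the hypothetical name sample.exe), flags any writer whose targets include several svchost service hosts, and lists the signatures attributed to those targets. The `min_targets` threshold and the line layout it parses are assumptions made for this example.

```python
"""Correlate a sandbox's 'wrote to memory of' events with its process tree.

Added example for this report; it is not part of the sandbox output. The
text layout, the 'sample.exe' image name and the min_targets threshold are
assumptions made for this example.
"""
import re
from collections import defaultdict

# Constructed sample input in the report's memory-write layout
# (writer PID, target PID, writer PID again, writer image, event index).
MEMORY_WRITES = """
PID 3412 wrote to memory of 1144 3412 sample.exe 19
PID 3412 wrote to memory of 1172 3412 sample.exe 20
PID 3412 wrote to memory of 1280 3412 sample.exe 21
PID 3412 wrote to memory of 1300 3412 sample.exe 22
PID 3412 wrote to memory of 1356 3412 sample.exe 23
PID 3412 wrote to memory of 1420 3412 sample.exe 24
PID 3412 wrote to memory of 1432 3412 sample.exe 25
PID 3412 wrote to memory of 1584 3412 sample.exe 26
PID 3412 wrote to memory of 1592 3412 sample.exe 27
PID 3412 wrote to memory of 1668 3412 sample.exe 28
"""

# Constructed sample input mirroring the process tree: one "PID n: <command
# line>" line per process, with the sandbox signatures as "- ..." beneath it.
PROCESS_TREE = r"""
PID 800: C:\Windows\system32\svchost.exe -k DcomLaunch -p
PID 1144: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
  - Drops file in System32 directory
PID 1172: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
  - Indicator Removal: Clear Windows Event Logs
PID 1280: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
PID 1300: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
PID 1356: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
PID 1420: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
PID 1432: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
PID 1584: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
PID 1592: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
PID 1668: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
PID 3412: C:\Users\Admin\AppData\Local\Temp\sample.exe
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
"""

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
PROC_RE = re.compile(r"^PID (\d+): (.+)$")
SERVICE_RE = re.compile(r"-s (\S+)")   # service name in 'svchost.exe ... -s <name>'


def parse_memory_writes(text):
    """Map writer PID -> set of target PIDs."""
    writes = defaultdict(set)
    for m in WRITE_RE.finditer(text):
        writes[int(m.group(1))].add(int(m.group(2)))
    return dict(writes)


def parse_process_tree(text):
    """Map PID -> {'cmdline', 'service' (None unless an svchost -s host), 'signatures'}."""
    procs, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = PROC_RE.match(line)
        if m:
            pid, cmdline = int(m.group(1)), m.group(2)
            svc = SERVICE_RE.search(cmdline)
            current = procs[pid] = {"cmdline": cmdline,
                                    "service": svc.group(1) if svc else None,
                                    "signatures": []}
        elif line.startswith("- ") and current is not None:
            current["signatures"].append(line[2:])
    return procs


def service_host_writers(writes, procs, min_targets=3):
    """Flag writers that wrote into at least min_targets distinct service hosts.

    One process writing into many svchost service hosts has the shape of a
    process-injection sweep rather than of ordinary IPC.
    """
    findings = []
    for writer, targets in writes.items():
        services = [procs[t]["service"] for t in sorted(targets)
                    if t in procs and procs[t]["service"]]
        if len(services) >= min_targets:
            findings.append({"writer": writer,
                             "cmdline": procs.get(writer, {}).get("cmdline"),
                             "services": services,
                             "unresolved": sorted(t for t in targets if t not in procs)})
    return findings


def target_signatures(writes, procs, writer):
    """Signatures attributed to the processes `writer` wrote into.

    A signature on a write target may come from injected code rather than
    from the host's own behaviour, so review it together with the write.
    """
    return {t: procs[t]["signatures"]
            for t in sorted(writes.get(writer, ()))
            if t in procs and procs[t]["signatures"]}


if __name__ == "__main__":
    writes = parse_memory_writes(MEMORY_WRITES)
    procs = parse_process_tree(PROCESS_TREE)
    for f in service_host_writers(writes, procs):
        print(f"PID {f['writer']} ({f['cmdline']}) wrote into "
              f"{len(f['services'])} service hosts: {', '.join(f['services'])}")
        for pid, sigs in target_signatures(writes, procs, f["writer"]).items():
            print(f"  target {pid} ({procs[pid]['service']}): {'; '.join(sigs)}")
```

Run as-is it reports PID 3412 writing into ten service hosts and shows that the event-log signature sits on target 1172 (EventLog), which is the cross-reference the page's two lists leave to the reader.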
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\e026cb1d0c332e89db275cb72ddedad2ddd2463ff8ceb73bc1a403460570407b.exe
  Filesize: 992KB
  MD5: 245e85a3803b4a0bcd4a5b09759b8dd3
  SHA1: 6c8814a17c21f66c43be206368657cc179ee67a1
  SHA256: e026cb1d0c332e89db275cb72ddedad2ddd2463ff8ceb73bc1a403460570407b
  SHA512: 227e193dab3d01f0cffffeb4cb2a38ca8ea357245a5b92cb3b829beb5d8eb7376f14784014be73077ffe72603e4b0397ff9c906d475c2232eb2944965dabf1c1
-
  Filesize: 2KB
  MD5: 8abf2d6067c6f3191a015f84aa9b6efe
  SHA1: 98f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7
  SHA256: ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea
  SHA512: c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63
-
  Filesize: 2KB
  MD5: f313c5b4f95605026428425586317353
  SHA1: 06be66fa06e1cffc54459c38d3d258f46669d01a
  SHA256: 129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b
  SHA512: b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890
-
  Filesize: 2KB
  MD5: ceb7caa4e9c4b8d760dbf7e9e5ca44c5
  SHA1: a3879621f9493414d497ea6d70fbf17e283d5c08
  SHA256: 98c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9
  SHA512: 1eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff
-
  Filesize: 2KB
  MD5: 7d612892b20e70250dbd00d0cdd4f09b
  SHA1: 63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5
  SHA256: 727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02
  SHA512: f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1
-
  Filesize: 2KB
  MD5: 1e8e2076314d54dd72e7ee09ff8a52ab
  SHA1: 5fd0a67671430f66237f483eef39ff599b892272
  SHA256: 55f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f
  SHA512: 5b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6
-
  Filesize: 2KB
  MD5: 0b990e24f1e839462c0ac35fef1d119e
  SHA1: 9e17905f8f68f9ce0a2024d57b537aa8b39c6708
  SHA256: a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a
  SHA512: c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4
- C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
  Filesize: 338B
  MD5: 47f71d0f4116da92e546779278b5b97f
  SHA1: 6ebf778a8aa7fa8141ebf3f1b2cd7ebf9e2ad203
  SHA256: 53be46cc955ff6f5f7bf17e124923db7a6cbbb54e8846c0f565de70bc8dc2ffe
  SHA512: 859971cdb735034ef2ee88ab627782bce003a91af575976fe91607131d8b755ece60e742316c4fd71c6d475759984f79d374dc0d07231d1e4ac83f00b758d24b
- C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Filesize: 404B
  MD5: 0f778f8c3ef722ec75364e1a62bcf27c
  SHA1: 076e0e9657ec1b609d0df15d6340c51b12d12dd5
  SHA256: 268c29d762fadcd485c78e300a11142f223a38a609738b97be35ee15f39f8b3a
  SHA512: 355ded7a2eaddf79a29aa6e609e3563bc2f0007d1269d1f7a2a4294c9fb92d3cf03a98e1b26fc5fed599b36d5520aae16e557e64d6f95171f8ec36f1cddb4337
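Before any file pulled from the sandbox is analysed, the digests above are the only way to confirm it is the artifact the report describes. The script below is an added example for this report, not sandbox code. It parses the Downloads list as it appears on the page (the fused "Filesize992KB" / "MD5245e..." layout and the split "Filesize" / "2KB" layout), then checks a byte string against every digest an entry carries. The manifest excerpt is copied from the report; the bytes hashed in the demo are constructed placeholders, not the real sample.

```python
"""Check an artifact against the digests in a sandbox 'Downloads' manifest.

Added example for this report, not sandbox code. The manifest excerpt below is
copied from the report; the bytes hashed in the demo are constructed
placeholders, not the real sample.
"""
import hashlib
import re

# Constructed excerpt in the report's layout: a '-' line opens each entry,
# an optional path follows, then the size and digest fields (label and value
# either on one line or on two).
MANIFEST = r"""
-
C:\Users\Admin\AppData\Local\Temp\e026cb1d0c332e89db275cb72ddedad2ddd2463ff8ceb73bc1a403460570407b.exe
Filesize992KB
MD5245e85a3803b4a0bcd4a5b09759b8dd3
SHA16c8814a17c21f66c43be206368657cc179ee67a1
SHA256e026cb1d0c332e89db275cb72ddedad2ddd2463ff8ceb73bc1a403460570407b
SHA512227e193dab3d01f0cffffeb4cb2a38ca8ea357245a5b92cb3b829beb5d8eb7376f14784014be73077ffe72603e4b0397ff9c906d475c2232eb2944965dabf1c1
-
Filesize
2KB
MD58abf2d6067c6f3191a015f84aa9b6efe
SHA198f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7
SHA256ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea
SHA512c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63
"""

DIGESTS = ("MD5", "SHA1", "SHA256", "SHA512")
# Label immediately followed by an alphanumeric value, or a bare label whose
# value continues on the next line. Paths never match (they contain ':' and '\').
FIELD_RE = re.compile(r"^(Filesize|SHA512|SHA256|SHA1|MD5)\s*([0-9A-Za-z]*)$")


def parse_manifest(text):
    """Return one dict per entry: {'path': str|None, 'Filesize': ..., 'MD5': ..., ...}."""
    entries, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":                     # a bare dash opens a new entry
            current = {"path": None}
            entries.append(current)
            pending = None
        elif current is None:
            continue                        # text before the first entry
        elif pending is not None:           # value for a label on the previous line
            current[pending] = line
            pending = None
        else:
            m = FIELD_RE.match(line)
            if m:
                label, value = m.groups()
                if value:
                    current[label] = value
                else:
                    pending = label
            elif current["path"] is None:   # first unlabeled line is the path
                current["path"] = line
    return entries


def digests(data):
    """Compute the four digests the manifest lists, as lowercase hex."""
    return {name: hashlib.new(name.lower(), data).hexdigest() for name in DIGESTS}


def verify(data, entry):
    """Compare data against every digest present in entry.

    Returns (ok, mismatched_labels). Filesize is deliberately not compared:
    the manifest rounds it ('992KB'), so it cannot confirm identity on its own.
    """
    computed = digests(data)
    mismatched = [name for name in DIGESTS
                  if name in entry and entry[name].lower() != computed[name]]
    return (not mismatched, mismatched)


if __name__ == "__main__":
    placeholder = b"MZ constructed placeholder, not the real sample"
    for e in parse_manifest(MANIFEST):
        ok, bad = verify(placeholder, e)
        print(e["path"] or "(no path recorded)", "OK" if ok else f"MISMATCH {bad}")
```

Point `verify()` at the bytes of the file you actually downloaded; a mismatch on any one digest is enough to reject the artifact, and the list of mismatched labels tells you whether the report itself is internally inconsistent (one digest wrong) or you simply have a different file (all four wrong).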