phorphiex | dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-12-2024 23:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
Size

37KB
MD5

635a58029ce832a74876c3ffec0c3acf
SHA1

bb00046e17cb65703a4435d6e30df21d7a185159
SHA256

dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764
SHA512

50186fa0f438b2d74716df89374b6f2106b7ec6d600ed62dd45bd7c6fd8875150e794d329dcebb755dc30bd21c386dd792d8fa6d3868408e26eb66142c43c7b0
SSDEEP

768:lRrgLWAeXOMhbcqnLPsJLWRvdgLoeSxLNLDWVTv4bBOaec8LPXa:3GeXOFqn7Qevd3e+taz4fec8zK

Score

10^/10

phorphiex discovery evasion loader trojan worm

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe:*:enabled:@shell32.dll,-1"	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe

Phorphiex family
phorphiex

Phorphiex payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000300000001e5b4-11.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1340	4740	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 620	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	5
PID 4740 wrote to memory of 620	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	5
PID 4740 wrote to memory of 620	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	5
PID 4740 wrote to memory of 620	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	5
PID 4740 wrote to memory of 620	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	5
PID 4740 wrote to memory of 620	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	5
PID 4740 wrote to memory of 680	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	7
PID 4740 wrote to memory of 680	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	7
PID 4740 wrote to memory of 680	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	7
PID 4740 wrote to memory of 680	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	7
PID 4740 wrote to memory of 680	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	7
PID 4740 wrote to memory of 680	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	7
PID 4740 wrote to memory of 788	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	8
PID 4740 wrote to memory of 788	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	8
PID 4740 wrote to memory of 788	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	8
PID 4740 wrote to memory of 788	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	8
PID 4740 wrote to memory of 788	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	8
PID 4740 wrote to memory of 788	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	8
PID 4740 wrote to memory of 792	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	9
PID 4740 wrote to memory of 792	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	9
PID 4740 wrote to memory of 792	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	9
PID 4740 wrote to memory of 792	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	9
PID 4740 wrote to memory of 792	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	9
PID 4740 wrote to memory of 792	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	9
PID 4740 wrote to memory of 804	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	10
PID 4740 wrote to memory of 804	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	10
PID 4740 wrote to memory of 804	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	10
PID 4740 wrote to memory of 804	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	10
PID 4740 wrote to memory of 804	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	10
PID 4740 wrote to memory of 804	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	10
PID 4740 wrote to memory of 912	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	11
PID 4740 wrote to memory of 912	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	11
PID 4740 wrote to memory of 912	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	11
PID 4740 wrote to memory of 912	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	11
PID 4740 wrote to memory of 912	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	11
PID 4740 wrote to memory of 912	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	11
PID 4740 wrote to memory of 964	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	12
PID 4740 wrote to memory of 964	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	12
PID 4740 wrote to memory of 964	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	12
PID 4740 wrote to memory of 964	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	12
PID 4740 wrote to memory of 964	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	12
PID 4740 wrote to memory of 964	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	12
PID 4740 wrote to memory of 376	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	13
PID 4740 wrote to memory of 376	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	13
PID 4740 wrote to memory of 376	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	13
PID 4740 wrote to memory of 376	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	13
PID 4740 wrote to memory of 376	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	13
PID 4740 wrote to memory of 376	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	13
PID 4740 wrote to memory of 512	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	14
PID 4740 wrote to memory of 512	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	14
PID 4740 wrote to memory of 512	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	14
PID 4740 wrote to memory of 512	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	14
PID 4740 wrote to memory of 512	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	14
PID 4740 wrote to memory of 512	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	14
PID 4740 wrote to memory of 424	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	15
PID 4740 wrote to memory of 424	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	15
PID 4740 wrote to memory of 424	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	15
PID 4740 wrote to memory of 424	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	15
PID 4740 wrote to memory of 424	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	15
PID 4740 wrote to memory of 424	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	15
PID 4740 wrote to memory of 1056	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	16
PID 4740 wrote to memory of 1056	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	16
PID 4740 wrote to memory of 1056	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	16
PID 4740 wrote to memory of 1056	4740	dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe	16

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:620
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:788
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:376

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:680

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:804
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  PID:3172
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3844
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3940
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4008
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:1040
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3512
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:2292
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:2940
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:1924
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  2⤵
  PID:4764
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:1220
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:2496
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:512

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:424

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1180
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2808
- C:\Windows\system32\MusNotification.exe
  C:\Windows\system32\MusNotification.exe
  2⤵
  PID:4968

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1200

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1444
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2648

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1652

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1700

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:2004

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:1316

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2052

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2144

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2316

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2852

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2872

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3408

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3472
- C:\Users\Admin\AppData\Local\Temp\dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe
  "C:\Users\Admin\AppData\Local\Temp\dff97ccdcd4842d8690b0530e0b98643a0c6b84a3b2aa30222784b807642a764.exe"
  2⤵
  - Modifies firewall policy service
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 1756
    3⤵
    - Program crash
    PID:1340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3640

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:1760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3240

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:3520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:3144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4740 -ip 4740
1⤵
PID:4400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6IJLDY7V\tdrpl[1].exe

Filesize
79KB

MD5
0c883b1d66afce606d9830f48d69d74b

SHA1
fe431fe73a4749722496f19b3b3ca0b629b50131

SHA256
d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1

SHA512
c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5

Download Submit
memory/4740-0-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4740-1-0x0000000077C42000-0x0000000077C43000-memory.dmp

Filesize
4KB

Download
memory/4740-4-0x0000000077C43000-0x0000000077C44000-memory.dmp

Filesize
4KB

Download
memory/4740-3-0x0000000077C42000-0x0000000077C43000-memory.dmp

Filesize
4KB

Download
memory/4740-2-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/4740-5-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/4740-6-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4740-18-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download