1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3

Analysis

max time kernel
150s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe
Size

520KB
MD5

076c7da6fcc1e6083ceaaf2e1e49209e
SHA1

0bee2b5aedb3efa5f90784d51bfc12f374e68901
SHA256

1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3
SHA512

89fc33bb6fa8c87b2a4661b7fd7df67997bd5b1e9a9accd04562a51e53305a77b3f261326af5234c3ecc923e550317e983d60db56f4417cafa842613b0191581
SSDEEP

6144:54vGmGaK6jSJybBlB9/g1/A5afkwLz7oJzF2+jDxXnRVFaZL+nMC+Qg/raBCDor+:54+3TEBCwqLz760s3TFC2+/raB

Score

8^/10

persistence upx

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Spy-Net = "C:\\Windows\\system32\\Spy-Net\\server.exe"	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Spy-Net = "C:\\Windows\\system32\\Spy-Net\\server.exe"	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{T5TBB77L-4678-0MKC-421Q-14416031DYU6}	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{T5TBB77L-4678-0MKC-421Q-14416031DYU6}\StubPath = "C:\\Windows\\system32\\Spy-Net\\server.exe Restart"	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1528-57-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/1528-59-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/1528-60-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/1528-64-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/1528-65-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/1528-66-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/1528-68-0x0000000010410000-0x0000000010446000-memory.dmp	upx
behavioral1/memory/1528-72-0x00000000001F0000-0x00000000001FD000-memory.dmp	upx
behavioral1/memory/1528-76-0x0000000000200000-0x000000000020D000-memory.dmp	upx
behavioral1/memory/1528-80-0x0000000010450000-0x000000001045D000-memory.dmp	upx
behavioral1/memory/1528-86-0x0000000010460000-0x000000001046D000-memory.dmp	upx
behavioral1/memory/1528-92-0x0000000010470000-0x000000001047D000-memory.dmp	upx
behavioral1/memory/1528-98-0x0000000010480000-0x000000001048D000-memory.dmp	upx
behavioral1/memory/1528-104-0x0000000010490000-0x000000001049D000-memory.dmp	upx
behavioral1/memory/1528-110-0x00000000104A0000-0x00000000104AD000-memory.dmp	upx
behavioral1/memory/1528-116-0x00000000104B0000-0x00000000104BD000-memory.dmp	upx
behavioral1/memory/1528-122-0x00000000104C0000-0x00000000104CD000-memory.dmp	upx
behavioral1/memory/1528-128-0x00000000104D0000-0x00000000104DD000-memory.dmp	upx
behavioral1/memory/1528-134-0x00000000104E0000-0x00000000104ED000-memory.dmp	upx
behavioral1/memory/1528-187-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/1528-227-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/824-228-0x00000000105C0000-0x00000000105F6000-memory.dmp	upx
behavioral1/memory/824-229-0x00000000105C0000-0x00000000105F6000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Spy-Net = "C:\\Windows\\system32\\Spy-Net\\server.exe"	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Spy-Net = "C:\\Windows\\system32\\Spy-Net\\server.exe"	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Spy-Net\server.exe	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe
File opened for modification	C:\Windows\SysWOW64\Spy-Net\server.exe	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe
File opened for modification	C:\Windows\SysWOW64\Spy-Net\plugin.dat	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe
File opened for modification	C:\Windows\SysWOW64\Spy-Net\	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1456 set thread context of 1528	1456	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	26

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe
1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe
1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe
Token: SeDebugPrivilege	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe
Token: SeDebugPrivilege	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe
Token: SeDebugPrivilege	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe
Token: SeDebugPrivilege	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe
Token: SeDebugPrivilege	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1456	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 1528	1456	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	26
PID 1456 wrote to memory of 1528	1456	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	26
PID 1456 wrote to memory of 1528	1456	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	26
PID 1456 wrote to memory of 1528	1456	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	26
PID 1456 wrote to memory of 1528	1456	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	26
PID 1456 wrote to memory of 1528	1456	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	26
PID 1456 wrote to memory of 1528	1456	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	26
PID 1456 wrote to memory of 1528	1456	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	26
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27
PID 1528 wrote to memory of 1328	1528	1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe	27

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:480

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:816
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1308
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:456
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:1124
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:1100
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1228
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1044
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:340
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:876
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:852
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:748
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:676
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:596

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:384

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:364
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:488

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1360
- C:\Users\Admin\AppData\Local\Temp\1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe
  "C:\Users\Admin\AppData\Local\Temp\1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Users\Admin\AppData\Local\Temp\1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe
    C:\Users\Admin\AppData\Local\Temp\1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1528
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1328
  - - C:\Users\Admin\AppData\Local\Temp\1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe
      C:\Users\Admin\AppData\Local\Temp\1b5154311ce89a88747d745157c84e3b9cd12eaf612e030d87220271a9fa75c3.exe
      4⤵
      Adds policy Run key to start application
      Modifies Installed Components in the registry
      Adds Run key to start application
      Drops file in System32 directory
      PID:824

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/260-83-0x0000000010450000-0x000000001045D000-memory.dmp

Filesize
52KB

Download
memory/824-229-0x00000000105C0000-0x00000000105F6000-memory.dmp

Filesize
216KB

Download
memory/824-228-0x00000000105C0000-0x00000000105F6000-memory.dmp

Filesize
216KB

Download
memory/824-219-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1456-63-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1528-86-0x0000000010460000-0x000000001046D000-memory.dmp

Filesize
52KB

Download
memory/1528-104-0x0000000010490000-0x000000001049D000-memory.dmp

Filesize
52KB

Download
memory/1528-66-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1528-68-0x0000000010410000-0x0000000010446000-memory.dmp

Filesize
216KB

Download
memory/1528-72-0x00000000001F0000-0x00000000001FD000-memory.dmp

Filesize
52KB

Download
memory/1528-76-0x0000000000200000-0x000000000020D000-memory.dmp

Filesize
52KB

Download
memory/1528-80-0x0000000010450000-0x000000001045D000-memory.dmp

Filesize
52KB

Download
memory/1528-64-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1528-56-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1528-92-0x0000000010470000-0x000000001047D000-memory.dmp

Filesize
52KB

Download
memory/1528-98-0x0000000010480000-0x000000001048D000-memory.dmp

Filesize
52KB

Download
memory/1528-65-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1528-110-0x00000000104A0000-0x00000000104AD000-memory.dmp

Filesize
52KB

Download
memory/1528-116-0x00000000104B0000-0x00000000104BD000-memory.dmp

Filesize
52KB

Download
memory/1528-122-0x00000000104C0000-0x00000000104CD000-memory.dmp

Filesize
52KB

Download
memory/1528-128-0x00000000104D0000-0x00000000104DD000-memory.dmp

Filesize
52KB

Download
memory/1528-134-0x00000000104E0000-0x00000000104ED000-memory.dmp

Filesize
52KB

Download
memory/1528-187-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1528-218-0x00000000004A0000-0x0000000000522000-memory.dmp

Filesize
520KB

Download
memory/1528-60-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1528-227-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1528-59-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1528-57-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download