770cf0c47d145762552b395689dc294a1d5c4b7973801641e015722e478bc670

Analysis

max time kernel
150s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 11:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

770cf0c47d145762552b395689dc294a1d5c4b7973801641e015722e478bc670.exe
Size

54KB
MD5

9cb80e012124b9b49f3c27b1cf4d6dd1
SHA1

fa55e5f168961f2978222a7e872fe012a37e5fe9
SHA256

770cf0c47d145762552b395689dc294a1d5c4b7973801641e015722e478bc670
SHA512

07d82ccf0b5a385d18fde0382873da0facd951d4f33ee420930a6f073e52c23ee29bc80e33f805ea8d3df93e8d1ab3958b9e63b3d77904071b298b7ced1ab70f
SSDEEP

1536:5E027/dpXuKPlCVS1we+EQvro7flW3vr3YI6GeG:5Pg/dp+KFqe7aro7d6l

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

TSTheme.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exeC:\\Users\\Admin\\AppData\\Roaming\\appconf32.exe,"	TSTheme.exe

Deletes itself 1 IoCs

Processes:

TSTheme.exe

pid process

1476 TSTheme.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1476	TSTheme.exe

Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

TSTheme.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	TSTheme.exe

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

TSTheme.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	TSTheme.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

TSTheme.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main TSTheme.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	TSTheme.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

770cf0c47d145762552b395689dc294a1d5c4b7973801641e015722e478bc670.exeTSTheme.exe

pid	process
904	770cf0c47d145762552b395689dc294a1d5c4b7973801641e015722e478bc670.exe
904	770cf0c47d145762552b395689dc294a1d5c4b7973801641e015722e478bc670.exe
904	770cf0c47d145762552b395689dc294a1d5c4b7973801641e015722e478bc670.exe
904	770cf0c47d145762552b395689dc294a1d5c4b7973801641e015722e478bc670.exe
904	770cf0c47d145762552b395689dc294a1d5c4b7973801641e015722e478bc670.exe
904	770cf0c47d145762552b395689dc294a1d5c4b7973801641e015722e478bc670.exe
904	770cf0c47d145762552b395689dc294a1d5c4b7973801641e015722e478bc670.exe
904	770cf0c47d145762552b395689dc294a1d5c4b7973801641e015722e478bc670.exe
904	770cf0c47d145762552b395689dc294a1d5c4b7973801641e015722e478bc670.exe
904	770cf0c47d145762552b395689dc294a1d5c4b7973801641e015722e478bc670.exe
904	770cf0c47d145762552b395689dc294a1d5c4b7973801641e015722e478bc670.exe
904	770cf0c47d145762552b395689dc294a1d5c4b7973801641e015722e478bc670.exe
904	770cf0c47d145762552b395689dc294a1d5c4b7973801641e015722e478bc670.exe
904	770cf0c47d145762552b395689dc294a1d5c4b7973801641e015722e478bc670.exe
904	770cf0c47d145762552b395689dc294a1d5c4b7973801641e015722e478bc670.exe
904	770cf0c47d145762552b395689dc294a1d5c4b7973801641e015722e478bc670.exe
904	770cf0c47d145762552b395689dc294a1d5c4b7973801641e015722e478bc670.exe
904	770cf0c47d145762552b395689dc294a1d5c4b7973801641e015722e478bc670.exe
904	770cf0c47d145762552b395689dc294a1d5c4b7973801641e015722e478bc670.exe
904	770cf0c47d145762552b395689dc294a1d5c4b7973801641e015722e478bc670.exe
904	770cf0c47d145762552b395689dc294a1d5c4b7973801641e015722e478bc670.exe
1476	TSTheme.exe
1476	TSTheme.exe
1476	TSTheme.exe
1476	TSTheme.exe
1476	TSTheme.exe
1476	TSTheme.exe
1476	TSTheme.exe
1476	TSTheme.exe
1476	TSTheme.exe
1476	TSTheme.exe
1476	TSTheme.exe
1476	TSTheme.exe
1476	TSTheme.exe
1476	TSTheme.exe
1476	TSTheme.exe
1476	TSTheme.exe
1476	TSTheme.exe
1476	TSTheme.exe
1476	TSTheme.exe
1476	TSTheme.exe
1476	TSTheme.exe
1476	TSTheme.exe
1476	TSTheme.exe
1476	TSTheme.exe
1476	TSTheme.exe
1476	TSTheme.exe
1476	TSTheme.exe
1476	TSTheme.exe
1476	TSTheme.exe
1476	TSTheme.exe
1476	TSTheme.exe
1476	TSTheme.exe
1476	TSTheme.exe
1476	TSTheme.exe
1476	TSTheme.exe
1476	TSTheme.exe
1476	TSTheme.exe
1476	TSTheme.exe
1476	TSTheme.exe
1476	TSTheme.exe
1476	TSTheme.exe
1476	TSTheme.exe
1476	TSTheme.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

770cf0c47d145762552b395689dc294a1d5c4b7973801641e015722e478bc670.exeTSTheme.exe

description	pid	process	target process
PID 904 wrote to memory of 1476	904	770cf0c47d145762552b395689dc294a1d5c4b7973801641e015722e478bc670.exe	TSTheme.exe
PID 904 wrote to memory of 1476	904	770cf0c47d145762552b395689dc294a1d5c4b7973801641e015722e478bc670.exe	TSTheme.exe
PID 904 wrote to memory of 1476	904	770cf0c47d145762552b395689dc294a1d5c4b7973801641e015722e478bc670.exe	TSTheme.exe
PID 904 wrote to memory of 1476	904	770cf0c47d145762552b395689dc294a1d5c4b7973801641e015722e478bc670.exe	TSTheme.exe
PID 904 wrote to memory of 1476	904	770cf0c47d145762552b395689dc294a1d5c4b7973801641e015722e478bc670.exe	TSTheme.exe
PID 904 wrote to memory of 1476	904	770cf0c47d145762552b395689dc294a1d5c4b7973801641e015722e478bc670.exe	TSTheme.exe
PID 904 wrote to memory of 1476	904	770cf0c47d145762552b395689dc294a1d5c4b7973801641e015722e478bc670.exe	TSTheme.exe
PID 1476 wrote to memory of 588	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 588	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 588	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 588	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 1684	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 1684	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 1684	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 1684	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 1700	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 1700	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 1700	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 1700	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 1708	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 1708	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 1708	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 1708	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 1252	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 1252	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 1252	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 1252	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 760	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 760	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 760	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 760	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 1832	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 1832	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 1832	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 1832	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 1676	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 1676	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 1676	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 1676	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 1584	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 1584	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 1584	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 1584	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 1196	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 1196	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 1196	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 1196	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 844	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 844	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 844	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 844	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 876	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 876	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 876	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 876	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 596	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 596	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 596	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 596	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 1920	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 1920	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 1920	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 1920	1476	TSTheme.exe	svchost.exe
PID 1476 wrote to memory of 1760	1476	TSTheme.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\770cf0c47d145762552b395689dc294a1d5c4b7973801641e015722e478bc670.exe
"C:\Users\Admin\AppData\Local\Temp\770cf0c47d145762552b395689dc294a1d5c4b7973801641e015722e478bc670.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:904

C:\Windows\SysWOW64\TSTheme.exe
C:\Windows\system32\TSTheme.exe
2⤵
- Modifies WinLogon for persistence
- Deletes itself
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:588

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1684

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1700

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1708

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1252

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:760

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1832

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1676

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1584

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1196

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:844

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:876

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:596

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1920

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1760

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1884

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:580

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1528

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2040

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1928

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1468

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1072

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:316

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2032

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2036

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2044

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:932

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:544

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1184

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:856

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1672

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1764

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1628

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:704

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:996

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1580

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1704

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1464

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1936

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1460

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:904

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1368

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1512

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:836

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1564

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1516

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2016

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:608

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1916

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:672

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1536

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1392

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1572

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1000

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:840

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1152

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1616

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1100

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1448

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1632

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1952

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:872

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1188

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1888

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1032

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1904

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1956

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:272

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1604

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1396

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:808

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:592

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1716

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:108

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2056

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2064

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2072

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2080

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2088

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2096

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2104

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2112

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2120

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2128

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2136

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2144

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2152

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2160

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2168

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2176

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2184

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2192

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2200

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2208

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2216

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2224

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2232

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2240

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2248

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2256

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2264

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2276

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2284

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2292

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2300

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2308

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2316

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2328

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2336

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2344

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2352

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2360

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2368

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2376

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2384

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2392

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2400

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2408

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2416

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2424

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2436

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2444

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2452

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2460

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2472

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2480

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2488

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2496

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2504

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2516

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2524

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2532

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2540

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2548

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2556

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2564

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2572

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2580

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2588

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2596

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2604

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2612

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2620

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2628

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2636

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2644

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2652

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2660

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/316-87-0x0000000000000000-mapping.dmp

Download
memory/544-92-0x0000000000000000-mapping.dmp

Download
memory/580-80-0x0000000000000000-mapping.dmp

Download
memory/588-64-0x0000000000000000-mapping.dmp

Download
memory/596-76-0x0000000000000000-mapping.dmp

Download
memory/608-112-0x0000000000000000-mapping.dmp

Download
memory/672-114-0x0000000000000000-mapping.dmp

Download
memory/704-98-0x0000000000000000-mapping.dmp

Download
memory/760-69-0x0000000000000000-mapping.dmp

Download
memory/836-108-0x0000000000000000-mapping.dmp

Download
memory/840-119-0x0000000000000000-mapping.dmp

Download
memory/844-74-0x0000000000000000-mapping.dmp

Download
memory/856-94-0x0000000000000000-mapping.dmp

Download
memory/872-126-0x0000000000000000-mapping.dmp

Download
memory/876-75-0x0000000000000000-mapping.dmp

Download
memory/904-105-0x0000000000000000-mapping.dmp

Download
memory/904-54-0x0000000000020000-0x000000000002D000-memory.dmp

Filesize
52KB

Download
memory/904-61-0x0000000000020000-0x000000000002D000-memory.dmp

Filesize
52KB

Download
memory/904-56-0x0000000000020000-0x000000000002D000-memory.dmp

Filesize
52KB

Download
memory/904-55-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download
memory/932-91-0x0000000000000000-mapping.dmp

Download
memory/996-99-0x0000000000000000-mapping.dmp

Download
memory/1000-118-0x0000000000000000-mapping.dmp

Download
memory/1072-86-0x0000000000000000-mapping.dmp

Download
memory/1100-122-0x0000000000000000-mapping.dmp

Download
memory/1152-120-0x0000000000000000-mapping.dmp

Download
memory/1184-93-0x0000000000000000-mapping.dmp

Download
memory/1188-127-0x0000000000000000-mapping.dmp

Download
memory/1196-73-0x0000000000000000-mapping.dmp

Download
memory/1252-68-0x0000000000000000-mapping.dmp

Download
memory/1368-106-0x0000000000000000-mapping.dmp

Download
memory/1392-116-0x0000000000000000-mapping.dmp

Download
memory/1448-123-0x0000000000000000-mapping.dmp

Download
memory/1460-104-0x0000000000000000-mapping.dmp

Download
memory/1464-102-0x0000000000000000-mapping.dmp

Download
memory/1468-84-0x0000000000000000-mapping.dmp

Download
memory/1476-57-0x0000000000000000-mapping.dmp

Download
memory/1476-85-0x0000000000160000-0x000000000016D000-memory.dmp

Filesize
52KB

Download
memory/1476-60-0x0000000000160000-0x000000000016D000-memory.dmp

Filesize
52KB

Download
memory/1476-63-0x0000000000160000-0x000000000016D000-memory.dmp

Filesize
52KB

Download
memory/1476-58-0x0000000000160000-0x000000000016D000-memory.dmp

Filesize
52KB

Download
memory/1512-107-0x0000000000000000-mapping.dmp

Download
memory/1516-110-0x0000000000000000-mapping.dmp

Download
memory/1528-81-0x0000000000000000-mapping.dmp

Download
memory/1536-115-0x0000000000000000-mapping.dmp

Download
memory/1564-109-0x0000000000000000-mapping.dmp

Download
memory/1572-117-0x0000000000000000-mapping.dmp

Download
memory/1580-100-0x0000000000000000-mapping.dmp

Download
memory/1584-72-0x0000000000000000-mapping.dmp

Download
memory/1616-121-0x0000000000000000-mapping.dmp

Download
memory/1628-97-0x0000000000000000-mapping.dmp

Download
memory/1632-124-0x0000000000000000-mapping.dmp

Download
memory/1672-95-0x0000000000000000-mapping.dmp

Download
memory/1676-71-0x0000000000000000-mapping.dmp

Download
memory/1684-65-0x0000000000000000-mapping.dmp

Download
memory/1700-66-0x0000000000000000-mapping.dmp

Download
memory/1704-101-0x0000000000000000-mapping.dmp

Download
memory/1708-67-0x0000000000000000-mapping.dmp

Download
memory/1760-78-0x0000000000000000-mapping.dmp

Download
memory/1764-96-0x0000000000000000-mapping.dmp

Download
memory/1832-70-0x0000000000000000-mapping.dmp

Download
memory/1884-79-0x0000000000000000-mapping.dmp

Download
memory/1916-113-0x0000000000000000-mapping.dmp

Download
memory/1920-77-0x0000000000000000-mapping.dmp

Download
memory/1928-83-0x0000000000000000-mapping.dmp

Download
memory/1936-103-0x0000000000000000-mapping.dmp

Download
memory/1952-125-0x0000000000000000-mapping.dmp

Download
memory/2016-111-0x0000000000000000-mapping.dmp

Download
memory/2032-88-0x0000000000000000-mapping.dmp

Download
memory/2036-89-0x0000000000000000-mapping.dmp

Download
memory/2040-82-0x0000000000000000-mapping.dmp

Download
memory/2044-90-0x0000000000000000-mapping.dmp

Download