1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b

Analysis

max time kernel
118s
max time network
186s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2022 21:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe
Size

939KB
MD5

3f87c5fe1471cd8fca27923c3e28fba0
SHA1

a6eb75d64f1cc7fca6c9e541ca815b44796394ea
SHA256

1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b
SHA512

df1e508611a278d05f627a254d5e94a8d43f96934694b934d673a031c2e7f993a3cbc9d0956007d66ec255590b6a012f725fe16840b1faf1184269c832b6fb25
SSDEEP

24576:113aQvCBCUWjbUnvEG7YSvsrdkS1s1msZhxTT40qeKK:H3aQ6MUWscaYSUSS1s1mihxTTvq+

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6YY5FVND-LA48-R77O-H0W4-VT1438Q564C5}	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6YY5FVND-LA48-R77O-H0W4-VT1438Q564C5}\StubPath = "C:\\Windows\\system32\\svchost\\server.exe Restart"	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6YY5FVND-LA48-R77O-H0W4-VT1438Q564C5}	iexplore.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4348-140-0x0000000010410000-0x00000000104D4000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rg+g4+rg4eg4eg4r4h44he4h+564he4h = "C:\\Windows\\system32\\svchost\\server.exe"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ge54g564g5454h54h5+4ht5r4h54th54h = "C:\\Windows\\system32\\svchost\\server.exe"	iexplore.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svchost\logs.dat	iexplore.exe
File created	C:\Windows\SysWOW64\svchost\plugin.dat	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\svchost\	iexplore.exe
File created	C:\Windows\SysWOW64\svchost\server.exe	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\svchost\server.exe	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\svchost\plugin.dat	iexplore.exe
File created	C:\Windows\SysWOW64\svchost\logs.dat	iexplore.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4936 set thread context of 4348	4936	1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe	81

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	iexplore.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	iexplore.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	iexplore.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	iexplore.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4936	1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe
4936	1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe
4936	1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe
4936	1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe
4936	1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe
4936	1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe
4936	1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe
4936	1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe
4936	1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe
4936	1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe
4936	1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe
4936	1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe
4348	cvtres.exe
4348	cvtres.exe
4348	cvtres.exe
4348	cvtres.exe
4348	cvtres.exe
4348	cvtres.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
376	iexplore.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4936	1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe
Token: SeDebugPrivilege	4348	cvtres.exe
Token: SeDebugPrivilege	4348	cvtres.exe
Token: SeDebugPrivilege	4348	cvtres.exe
Token: SeDebugPrivilege	4348	cvtres.exe
Token: SeDebugPrivilege	376	iexplore.exe
Token: SeDebugPrivilege	376	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 4348	4936	1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe	81
PID 4936 wrote to memory of 4348	4936	1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe	81
PID 4936 wrote to memory of 4348	4936	1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe	81
PID 4936 wrote to memory of 4348	4936	1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe	81
PID 4936 wrote to memory of 4348	4936	1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe	81
PID 4936 wrote to memory of 4348	4936	1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe	81
PID 4936 wrote to memory of 4348	4936	1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe	81
PID 4936 wrote to memory of 4348	4936	1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe	81
PID 4936 wrote to memory of 4348	4936	1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe	81
PID 4936 wrote to memory of 4348	4936	1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe	81
PID 4936 wrote to memory of 4348	4936	1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe	81
PID 4936 wrote to memory of 4348	4936	1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe	81
PID 4936 wrote to memory of 4348	4936	1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe	81
PID 4348 wrote to memory of 376	4348	cvtres.exe	82
PID 4348 wrote to memory of 376	4348	cvtres.exe	82
PID 4348 wrote to memory of 376	4348	cvtres.exe	82
PID 4348 wrote to memory of 376	4348	cvtres.exe	82
PID 4348 wrote to memory of 376	4348	cvtres.exe	82
PID 4348 wrote to memory of 376	4348	cvtres.exe	82
PID 4348 wrote to memory of 376	4348	cvtres.exe	82
PID 4348 wrote to memory of 376	4348	cvtres.exe	82
PID 4348 wrote to memory of 376	4348	cvtres.exe	82
PID 4348 wrote to memory of 376	4348	cvtres.exe	82
PID 4348 wrote to memory of 376	4348	cvtres.exe	82
PID 4348 wrote to memory of 376	4348	cvtres.exe	82
PID 4348 wrote to memory of 376	4348	cvtres.exe	82
PID 4348 wrote to memory of 376	4348	cvtres.exe	82
PID 4348 wrote to memory of 376	4348	cvtres.exe	82
PID 4348 wrote to memory of 376	4348	cvtres.exe	82
PID 4348 wrote to memory of 376	4348	cvtres.exe	82
PID 4348 wrote to memory of 376	4348	cvtres.exe	82
PID 4348 wrote to memory of 376	4348	cvtres.exe	82
PID 4348 wrote to memory of 376	4348	cvtres.exe	82
PID 4348 wrote to memory of 376	4348	cvtres.exe	82
PID 4348 wrote to memory of 376	4348	cvtres.exe	82
PID 4348 wrote to memory of 376	4348	cvtres.exe	82
PID 4348 wrote to memory of 376	4348	cvtres.exe	82
PID 4348 wrote to memory of 376	4348	cvtres.exe	82
PID 4348 wrote to memory of 376	4348	cvtres.exe	82
PID 4348 wrote to memory of 376	4348	cvtres.exe	82
PID 4348 wrote to memory of 376	4348	cvtres.exe	82
PID 4348 wrote to memory of 376	4348	cvtres.exe	82
PID 4348 wrote to memory of 376	4348	cvtres.exe	82
PID 4348 wrote to memory of 376	4348	cvtres.exe	82
PID 4348 wrote to memory of 376	4348	cvtres.exe	82
PID 4348 wrote to memory of 376	4348	cvtres.exe	82
PID 4348 wrote to memory of 376	4348	cvtres.exe	82
PID 4348 wrote to memory of 376	4348	cvtres.exe	82
PID 4348 wrote to memory of 376	4348	cvtres.exe	82
PID 4348 wrote to memory of 376	4348	cvtres.exe	82
PID 4348 wrote to memory of 376	4348	cvtres.exe	82
PID 4348 wrote to memory of 376	4348	cvtres.exe	82
PID 4348 wrote to memory of 376	4348	cvtres.exe	82
PID 4348 wrote to memory of 376	4348	cvtres.exe	82
PID 4348 wrote to memory of 376	4348	cvtres.exe	82
PID 4348 wrote to memory of 376	4348	cvtres.exe	82
PID 4348 wrote to memory of 376	4348	cvtres.exe	82
PID 4348 wrote to memory of 376	4348	cvtres.exe	82
PID 4348 wrote to memory of 376	4348	cvtres.exe	82
PID 4348 wrote to memory of 376	4348	cvtres.exe	82
PID 4348 wrote to memory of 376	4348	cvtres.exe	82
PID 4348 wrote to memory of 376	4348	cvtres.exe	82
PID 4348 wrote to memory of 376	4348	cvtres.exe	82
PID 4348 wrote to memory of 376	4348	cvtres.exe	82

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:676

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:596
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:804
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:788
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3412
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:3496
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3344
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3252
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3680
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:4400
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:388
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe
  2⤵
  PID:4880
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4628

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:968

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:704

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1128
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1180

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1368
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2504

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
1⤵
PID:1680

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1672

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1608

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1800

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1924

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1968

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1644

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2084

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2144

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2512

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2572

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2348
- C:\Users\Admin\AppData\Local\Temp\1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe
  "C:\Users\Admin\AppData\Local\Temp\1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4348
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Installed Components in the registry
      Adds Run key to start application
      Drops file in System32 directory
      Checks SCSI registry key(s)
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2708

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:4988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s W32Time
1⤵
PID:1380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:2020

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:4276

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:1520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:4576

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4348-193-0x00000000104E0000-0x00000000104EA000-memory.dmp

Filesize
40KB

Download
memory/4348-179-0x00000000021F0000-0x00000000021FA000-memory.dmp

Filesize
40KB

Download
memory/4348-134-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4348-135-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4348-136-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4348-144-0x0000000000600000-0x000000000060A000-memory.dmp

Filesize
40KB

Download
memory/4348-138-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4348-158-0x0000000000620000-0x000000000062A000-memory.dmp

Filesize
40KB

Download
memory/4348-459-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4348-207-0x00000000104F0000-0x00000000104FA000-memory.dmp

Filesize
40KB

Download
memory/4348-140-0x0000000010410000-0x00000000104D4000-memory.dmp

Filesize
784KB

Download
memory/4348-165-0x0000000000630000-0x000000000063A000-memory.dmp

Filesize
40KB

Download
memory/4348-172-0x00000000021E0000-0x00000000021EA000-memory.dmp

Filesize
40KB

Download
memory/4348-186-0x0000000002200000-0x000000000220A000-memory.dmp

Filesize
40KB

Download
memory/4348-458-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4348-200-0x0000000002210000-0x000000000221A000-memory.dmp

Filesize
40KB

Download
memory/4348-151-0x0000000000610000-0x000000000061A000-memory.dmp

Filesize
40KB

Download
memory/4936-132-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/4936-137-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download