b3318d1133eaeea6c8d251a5045c8a4c3509629f2cc4d05fe8c7d06f453028b9

Analysis

max time kernel
139s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
04/11/2023, 08:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
Size

51KB
MD5

c6e533b2672d54f4a52a1abbea3dc720
SHA1

d799c0418ae9e923a256b9d3705feae44649108e
SHA256

b3318d1133eaeea6c8d251a5045c8a4c3509629f2cc4d05fe8c7d06f453028b9
SHA512

1ebe1c370db0858090873a0aaf3afc626c57a047f9bb9fe31c7fd6821690420bc7bfa08492c258e372c1385091d37f4eb401c19e492765d610ea998855afc9e7
SSDEEP

768:6drWCRrIXhBNutBZ9N8FTPOnXPLZZVCg:6drWClI+9NuTPONZM

Score

10^/10

evasion

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe:*:enabled:@shell32.dll,-1"	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
Token: SeSecurityPrivilege	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
Token: SeDebugPrivilege	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3880 wrote to memory of 628	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	6
PID 3880 wrote to memory of 628	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	6
PID 3880 wrote to memory of 628	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	6
PID 3880 wrote to memory of 628	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	6
PID 3880 wrote to memory of 628	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	6
PID 3880 wrote to memory of 628	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	6
PID 3880 wrote to memory of 684	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	4
PID 3880 wrote to memory of 684	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	4
PID 3880 wrote to memory of 684	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	4
PID 3880 wrote to memory of 684	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	4
PID 3880 wrote to memory of 684	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	4
PID 3880 wrote to memory of 684	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	4
PID 3880 wrote to memory of 788	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	8
PID 3880 wrote to memory of 788	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	8
PID 3880 wrote to memory of 788	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	8
PID 3880 wrote to memory of 788	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	8
PID 3880 wrote to memory of 788	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	8
PID 3880 wrote to memory of 788	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	8
PID 3880 wrote to memory of 808	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	84
PID 3880 wrote to memory of 808	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	84
PID 3880 wrote to memory of 808	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	84
PID 3880 wrote to memory of 808	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	84
PID 3880 wrote to memory of 808	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	84
PID 3880 wrote to memory of 808	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	84
PID 3880 wrote to memory of 812	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	83
PID 3880 wrote to memory of 812	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	83
PID 3880 wrote to memory of 812	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	83
PID 3880 wrote to memory of 812	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	83
PID 3880 wrote to memory of 812	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	83
PID 3880 wrote to memory of 812	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	83
PID 3880 wrote to memory of 912	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	82
PID 3880 wrote to memory of 912	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	82
PID 3880 wrote to memory of 912	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	82
PID 3880 wrote to memory of 912	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	82
PID 3880 wrote to memory of 912	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	82
PID 3880 wrote to memory of 912	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	82
PID 3880 wrote to memory of 960	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	81
PID 3880 wrote to memory of 960	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	81
PID 3880 wrote to memory of 960	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	81
PID 3880 wrote to memory of 960	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	81
PID 3880 wrote to memory of 960	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	81
PID 3880 wrote to memory of 960	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	81
PID 3880 wrote to memory of 332	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	9
PID 3880 wrote to memory of 332	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	9
PID 3880 wrote to memory of 332	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	9
PID 3880 wrote to memory of 332	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	9
PID 3880 wrote to memory of 332	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	9
PID 3880 wrote to memory of 332	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	9
PID 3880 wrote to memory of 528	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	10
PID 3880 wrote to memory of 528	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	10
PID 3880 wrote to memory of 528	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	10
PID 3880 wrote to memory of 528	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	10
PID 3880 wrote to memory of 528	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	10
PID 3880 wrote to memory of 528	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	10
PID 3880 wrote to memory of 708	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	80
PID 3880 wrote to memory of 708	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	80
PID 3880 wrote to memory of 708	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	80
PID 3880 wrote to memory of 708	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	80
PID 3880 wrote to memory of 708	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	80
PID 3880 wrote to memory of 708	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	80
PID 3880 wrote to memory of 904	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	79
PID 3880 wrote to memory of 904	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	79
PID 3880 wrote to memory of 904	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	79
PID 3880 wrote to memory of 904	3880	NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe	79

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:684

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:628
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:332
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:788
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3616
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3828
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3712
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4840
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
  2⤵
  PID:1440
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
  2⤵
  PID:1356
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:1396
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  2⤵
  PID:4532
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:4356
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:3968
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:2240
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:3920
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  PID:2084
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:2784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1132
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2636
- C:\Windows\system32\MusNotification.exe
  C:\Windows\system32\MusNotification.exe
  2⤵
  PID:116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1184

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1400
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2072

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3424

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3252
- C:\Users\Admin\AppData\Local\Temp\NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.c6e533b2672d54f4a52a1abbea3dc720.exe"
  2⤵
  - Modifies firewall policy service
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3880
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4032

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:2856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:4396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:2728

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4076

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:4260

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:64

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2624

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2324

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2192

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2104

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1740

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1972

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1912

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1796

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1704

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1468

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1324

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1060

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:904

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:912

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3880-0-0x0000000001000000-0x0000000001012000-memory.dmp

Filesize
72KB

Download
memory/3880-1-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/3880-2-0x0000000077C32000-0x0000000077C33000-memory.dmp

Filesize
4KB

Download
memory/3880-3-0x0000000077C33000-0x0000000077C34000-memory.dmp

Filesize
4KB

Download
memory/3880-4-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/3880-5-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/3880-7-0x0000000001000000-0x0000000001012000-memory.dmp

Filesize
72KB

Download