33e1b2d24ab0db22c51686a46a408429a0e600dfc20b622f4c652d128ecb9671

Analysis

max time kernel
161s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a453a20a79dea07fe4527e5ba9bacdf.exe
Size

319KB
MD5

2a453a20a79dea07fe4527e5ba9bacdf
SHA1

9998cffad666c5ef003e1362843f914730866bbe
SHA256

33e1b2d24ab0db22c51686a46a408429a0e600dfc20b622f4c652d128ecb9671
SHA512

5ca0c5886924c580d1ef516a2be3dc22663c5c8b0855cde2ede398f7f51fc4c09b54e48380078f77aa15b37141dc7d5d5840b8a83d50aa3fb33a8c9cc8b20c43
SSDEEP

6144:hITNvnVN1Q1ttJXDlPwJ/TItbsdVeQBWLyai/Cx:qnVs7tJTlI9cxsdEIWuJ/Cx

Score

10^/10

evasion

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	2a453a20a79dea07fe4527e5ba9bacdf.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\2a453a20a79dea07fe4527e5ba9bacdf.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2a453a20a79dea07fe4527e5ba9bacdf.exe:*:enabled:@shell32.dll,-1"	2a453a20a79dea07fe4527e5ba9bacdf.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	2a453a20a79dea07fe4527e5ba9bacdf.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	2a453a20a79dea07fe4527e5ba9bacdf.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\ETC\HOSTS	2a453a20a79dea07fe4527e5ba9bacdf.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\_bmp23_.bm_	2a453a20a79dea07fe4527e5ba9bacdf.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe
4740	2a453a20a79dea07fe4527e5ba9bacdf.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 616	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	6
PID 4740 wrote to memory of 616	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	6
PID 4740 wrote to memory of 616	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	6
PID 4740 wrote to memory of 616	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	6
PID 4740 wrote to memory of 616	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	6
PID 4740 wrote to memory of 616	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	6
PID 4740 wrote to memory of 664	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	3
PID 4740 wrote to memory of 664	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	3
PID 4740 wrote to memory of 664	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	3
PID 4740 wrote to memory of 664	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	3
PID 4740 wrote to memory of 664	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	3
PID 4740 wrote to memory of 664	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	3
PID 4740 wrote to memory of 776	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	4
PID 4740 wrote to memory of 776	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	4
PID 4740 wrote to memory of 776	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	4
PID 4740 wrote to memory of 776	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	4
PID 4740 wrote to memory of 776	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	4
PID 4740 wrote to memory of 776	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	4
PID 4740 wrote to memory of 784	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	13
PID 4740 wrote to memory of 784	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	13
PID 4740 wrote to memory of 784	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	13
PID 4740 wrote to memory of 784	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	13
PID 4740 wrote to memory of 784	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	13
PID 4740 wrote to memory of 784	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	13
PID 4740 wrote to memory of 792	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	12
PID 4740 wrote to memory of 792	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	12
PID 4740 wrote to memory of 792	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	12
PID 4740 wrote to memory of 792	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	12
PID 4740 wrote to memory of 792	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	12
PID 4740 wrote to memory of 792	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	12
PID 4740 wrote to memory of 904	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	11
PID 4740 wrote to memory of 904	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	11
PID 4740 wrote to memory of 904	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	11
PID 4740 wrote to memory of 904	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	11
PID 4740 wrote to memory of 904	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	11
PID 4740 wrote to memory of 904	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	11
PID 4740 wrote to memory of 956	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	10
PID 4740 wrote to memory of 956	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	10
PID 4740 wrote to memory of 956	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	10
PID 4740 wrote to memory of 956	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	10
PID 4740 wrote to memory of 956	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	10
PID 4740 wrote to memory of 956	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	10
PID 4740 wrote to memory of 388	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	9
PID 4740 wrote to memory of 388	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	9
PID 4740 wrote to memory of 388	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	9
PID 4740 wrote to memory of 388	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	9
PID 4740 wrote to memory of 388	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	9
PID 4740 wrote to memory of 388	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	9
PID 4740 wrote to memory of 728	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	86
PID 4740 wrote to memory of 728	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	86
PID 4740 wrote to memory of 728	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	86
PID 4740 wrote to memory of 728	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	86
PID 4740 wrote to memory of 728	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	86
PID 4740 wrote to memory of 728	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	86
PID 4740 wrote to memory of 652	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	14
PID 4740 wrote to memory of 652	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	14
PID 4740 wrote to memory of 652	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	14
PID 4740 wrote to memory of 652	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	14
PID 4740 wrote to memory of 652	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	14
PID 4740 wrote to memory of 652	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	14
PID 4740 wrote to memory of 996	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	85
PID 4740 wrote to memory of 996	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	85
PID 4740 wrote to memory of 996	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	85
PID 4740 wrote to memory of 996	4740	2a453a20a79dea07fe4527e5ba9bacdf.exe	85

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:776
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3920
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:2168
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
  2⤵
  PID:2624
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
  2⤵
  PID:636
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe
  2⤵
  PID:2992
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  2⤵
  PID:2544
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:1348
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:4448
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:2148
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3888
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:4016
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3820
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3724
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  PID:2652
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:1620

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:388
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:904

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
1⤵
PID:652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1220
- C:\Windows\system32\MusNotification.exe
  C:\Windows\system32\MusNotification.exe
  2⤵
  PID:2756
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1148

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2068

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2116

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1984

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2612

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4052

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:4360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:1560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4396

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:1456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:4544

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:2668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3484

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3360
- C:\Users\Admin\AppData\Local\Temp\2a453a20a79dea07fe4527e5ba9bacdf.exe
  "C:\Users\Admin\AppData\Local\Temp\2a453a20a79dea07fe4527e5ba9bacdf.exe"
  2⤵
  - Modifies firewall policy service
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2632

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2604

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2572

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2368

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2188

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1888

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1832

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1652

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1268

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1132

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:412

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4740-0-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4740-1-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/4740-2-0x00000000779C2000-0x00000000779C3000-memory.dmp

Filesize
4KB

Download
memory/4740-4-0x00000000779C3000-0x00000000779C4000-memory.dmp

Filesize
4KB

Download
memory/4740-5-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/4740-9-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/4740-11-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download