1bc925038e7fc4e91210f3c687392b8bf9e5a407117daefece84b3acfd988657

Analysis

max time kernel
156s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a210394ca72f4e6f6c7a1741fdfcb10.exe
Size

21KB
MD5

0a210394ca72f4e6f6c7a1741fdfcb10
SHA1

b4b1e6955c05ba0af5e931dd14732ee7bc205644
SHA256

1bc925038e7fc4e91210f3c687392b8bf9e5a407117daefece84b3acfd988657
SHA512

37fb78766c38ddd77b1366d96d08a408119c2c1e98b58133da9f12a076c4fc0a20ec30487c13710441bb3450ca40c2b61d0ef28de85df26ecb1b692662e774df
SSDEEP

384:4RdCyNMqlWBmQ279Wp0SpNWsv6+fm+0XlQmXBaSyEdHtJhz:sCyKqlUmQOEpwEfmP38SLtJ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 58 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	0a210394ca72f4e6f6c7a1741fdfcb10.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 58 IoCs

pid	Process
540	svchost.exe
1604	svchost.exe
3204	svchost.exe
4184	svchost.exe
3560	svchost.exe
4912	svchost.exe
2676	svchost.exe
3504	svchost.exe
4076	svchost.exe
3844	svchost.exe
4188	svchost.exe
5008	svchost.exe
4564	svchost.exe
5000	svchost.exe
3512	svchost.exe
2272	svchost.exe
660	svchost.exe
5012	svchost.exe
2408	svchost.exe
2420	svchost.exe
1220	svchost.exe
676	svchost.exe
3408	svchost.exe
1132	svchost.exe
4088	svchost.exe
3208	svchost.exe
4960	svchost.exe
4092	svchost.exe
4852	svchost.exe
4380	svchost.exe
4972	svchost.exe
2924	svchost.exe
5052	svchost.exe
3268	svchost.exe
2408	svchost.exe
2060	svchost.exe
924	svchost.exe
180	svchost.exe
548	svchost.exe
1132	svchost.exe
388	svchost.exe
3108	svchost.exe
4140	svchost.exe
5104	svchost.exe
2468	svchost.exe
3324	svchost.exe
4704	svchost.exe
2944	svchost.exe
5020	svchost.exe
636	svchost.exe
3340	svchost.exe
2848	svchost.exe
4280	svchost.exe
2040	svchost.exe
1124	svchost.exe
3576	svchost.exe
1628	svchost.exe
3132	svchost.exe

Drops file in System32 directory 59 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	0a210394ca72f4e6f6c7a1741fdfcb10.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\svchost.exe	0a210394ca72f4e6f6c7a1741fdfcb10.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\config\svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 540	2956	0a210394ca72f4e6f6c7a1741fdfcb10.exe	95
PID 2956 wrote to memory of 540	2956	0a210394ca72f4e6f6c7a1741fdfcb10.exe	95
PID 2956 wrote to memory of 540	2956	0a210394ca72f4e6f6c7a1741fdfcb10.exe	95
PID 540 wrote to memory of 1604	540	svchost.exe	96
PID 540 wrote to memory of 1604	540	svchost.exe	96
PID 540 wrote to memory of 1604	540	svchost.exe	96
PID 1604 wrote to memory of 3204	1604	svchost.exe	97
PID 1604 wrote to memory of 3204	1604	svchost.exe	97
PID 1604 wrote to memory of 3204	1604	svchost.exe	97
PID 3204 wrote to memory of 4184	3204	svchost.exe	98
PID 3204 wrote to memory of 4184	3204	svchost.exe	98
PID 3204 wrote to memory of 4184	3204	svchost.exe	98
PID 4184 wrote to memory of 3560	4184	svchost.exe	99
PID 4184 wrote to memory of 3560	4184	svchost.exe	99
PID 4184 wrote to memory of 3560	4184	svchost.exe	99
PID 3560 wrote to memory of 4912	3560	svchost.exe	100
PID 3560 wrote to memory of 4912	3560	svchost.exe	100
PID 3560 wrote to memory of 4912	3560	svchost.exe	100
PID 4912 wrote to memory of 2676	4912	svchost.exe	101
PID 4912 wrote to memory of 2676	4912	svchost.exe	101
PID 4912 wrote to memory of 2676	4912	svchost.exe	101
PID 2676 wrote to memory of 3504	2676	svchost.exe	102
PID 2676 wrote to memory of 3504	2676	svchost.exe	102
PID 2676 wrote to memory of 3504	2676	svchost.exe	102
PID 3504 wrote to memory of 4076	3504	svchost.exe	103
PID 3504 wrote to memory of 4076	3504	svchost.exe	103
PID 3504 wrote to memory of 4076	3504	svchost.exe	103
PID 4076 wrote to memory of 3844	4076	svchost.exe	104
PID 4076 wrote to memory of 3844	4076	svchost.exe	104
PID 4076 wrote to memory of 3844	4076	svchost.exe	104
PID 3844 wrote to memory of 4188	3844	svchost.exe	105
PID 3844 wrote to memory of 4188	3844	svchost.exe	105
PID 3844 wrote to memory of 4188	3844	svchost.exe	105
PID 4188 wrote to memory of 5008	4188	svchost.exe	106
PID 4188 wrote to memory of 5008	4188	svchost.exe	106
PID 4188 wrote to memory of 5008	4188	svchost.exe	106
PID 5008 wrote to memory of 4564	5008	svchost.exe	108
PID 5008 wrote to memory of 4564	5008	svchost.exe	108
PID 5008 wrote to memory of 4564	5008	svchost.exe	108
PID 4564 wrote to memory of 5000	4564	svchost.exe	109
PID 4564 wrote to memory of 5000	4564	svchost.exe	109
PID 4564 wrote to memory of 5000	4564	svchost.exe	109
PID 5000 wrote to memory of 3512	5000	svchost.exe	110
PID 5000 wrote to memory of 3512	5000	svchost.exe	110
PID 5000 wrote to memory of 3512	5000	svchost.exe	110
PID 3512 wrote to memory of 2272	3512	svchost.exe	111
PID 3512 wrote to memory of 2272	3512	svchost.exe	111
PID 3512 wrote to memory of 2272	3512	svchost.exe	111
PID 2272 wrote to memory of 660	2272	svchost.exe	112
PID 2272 wrote to memory of 660	2272	svchost.exe	112
PID 2272 wrote to memory of 660	2272	svchost.exe	112
PID 660 wrote to memory of 5012	660	svchost.exe	113
PID 660 wrote to memory of 5012	660	svchost.exe	113
PID 660 wrote to memory of 5012	660	svchost.exe	113
PID 5012 wrote to memory of 2408	5012	svchost.exe	114
PID 5012 wrote to memory of 2408	5012	svchost.exe	114
PID 5012 wrote to memory of 2408	5012	svchost.exe	114
PID 2408 wrote to memory of 2420	2408	svchost.exe	117
PID 2408 wrote to memory of 2420	2408	svchost.exe	117
PID 2408 wrote to memory of 2420	2408	svchost.exe	117
PID 2420 wrote to memory of 1220	2420	svchost.exe	118
PID 2420 wrote to memory of 1220	2420	svchost.exe	118
PID 2420 wrote to memory of 1220	2420	svchost.exe	118
PID 1220 wrote to memory of 676	1220	svchost.exe	120

C:\Users\Admin\AppData\Local\Temp\0a210394ca72f4e6f6c7a1741fdfcb10.exe
"C:\Users\Admin\AppData\Local\Temp\0a210394ca72f4e6f6c7a1741fdfcb10.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\SysWOW64\config\svchost.exe
  "C:\Windows\system32\config\svchost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:540
- - C:\Windows\SysWOW64\config\svchost.exe
    "C:\Windows\system32\config\svchost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1604
  - - C:\Windows\SysWOW64\config\svchost.exe
      "C:\Windows\system32\config\svchost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3204
    - - C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4184
      - C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3560
        
        C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3504
        
        C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3844
        
        C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4188
        
        C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:660
        
        C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:676
        
        C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3408
        
        C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1132
        
        C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4088
        
        C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3208
        
        C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4960
        
        C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4092
        
        C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4852
        
        C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4380
        
        C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4972
        
        C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2924
        
        C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5052
        
        C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3268
        
        C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2408
        
        C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2060
        
        C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:924
        
        C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:180
        
        C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:548
        
        C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1132
        
        C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:388
        
        C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3108
        
        C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4140
        
        C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5104
        
        C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2468
        
        C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3324
        
        C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4704
        
        C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2944
        
        C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5020
        
        C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        51⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:636
        
        C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3340
        
        C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        53⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2848
        
        C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4280
        
        C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        55⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2040
        
        C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1124
        
        C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        57⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3576
        
        C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1628
        
        C:\Windows\SysWOW64\config\svchost.exe
        
        "C:\Windows\system32\config\svchost.exe"
        59⤵
        Executes dropped EXE
        
        PID:3132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\config\svchost.exe

Filesize
21KB

MD5
0a210394ca72f4e6f6c7a1741fdfcb10

SHA1
b4b1e6955c05ba0af5e931dd14732ee7bc205644

SHA256
1bc925038e7fc4e91210f3c687392b8bf9e5a407117daefece84b3acfd988657

SHA512
37fb78766c38ddd77b1366d96d08a408119c2c1e98b58133da9f12a076c4fc0a20ec30487c13710441bb3450ca40c2b61d0ef28de85df26ecb1b692662e774df

Download Submit
memory/180-87-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/388-93-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/540-12-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/548-89-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/636-111-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/660-45-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/676-55-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/924-85-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1124-121-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1132-91-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1132-59-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1220-53-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1604-15-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1628-125-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2040-119-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2060-83-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2272-43-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2408-49-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2408-81-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2420-51-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2468-101-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2676-25-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2848-115-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2924-75-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2944-107-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2956-13-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2956-1-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3108-95-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3204-17-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3208-63-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3268-79-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3324-103-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3340-113-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3408-57-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3504-27-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3512-41-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3560-21-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3576-123-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3844-31-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4076-29-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4088-61-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4092-67-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4140-97-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4184-18-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4188-33-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4280-117-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4564-37-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4704-104-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4852-69-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4912-23-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4960-65-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4972-73-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/5000-39-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/5008-35-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/5012-47-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/5020-109-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/5052-77-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/5104-99-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download