b4972ae67df4a75622a11cf5ebbaaf898d4755b6a6f86dd8cfccc140fa7039e5

Analysis

max time kernel
131s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 11:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17868bf758cb6bb3a077b44a24b5235a.exe
Size

103KB
MD5

17868bf758cb6bb3a077b44a24b5235a
SHA1

a554dd9bb14d9abf1951b87f8fd90d6a3bef204d
SHA256

b4972ae67df4a75622a11cf5ebbaaf898d4755b6a6f86dd8cfccc140fa7039e5
SHA512

2d130c6a9986fc4e56450015b62dcbf0a2dc5f410ce1f968b6a1da282f6523c7258c6362b00a2f59db795753922d564b094c5cf8b44fd4c5fd7e6c76506b57ad
SSDEEP

768:+akLN9L/MxPloy+hXyiA2IRyblMrAf2QdL0Ws4nsegRzSzXadItTjpwtF2WSfGSb:YNKxtCX424eluABS4segRd6BwtFH56

Score

10^/10

evasion

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	17868bf758cb6bb3a077b44a24b5235a.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\17868bf758cb6bb3a077b44a24b5235a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\17868bf758cb6bb3a077b44a24b5235a.exe:*:enabled:@shell32.dll,-1"	17868bf758cb6bb3a077b44a24b5235a.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	17868bf758cb6bb3a077b44a24b5235a.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	17868bf758cb6bb3a077b44a24b5235a.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe
3276	17868bf758cb6bb3a077b44a24b5235a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3276	17868bf758cb6bb3a077b44a24b5235a.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3276 wrote to memory of 616	3276	17868bf758cb6bb3a077b44a24b5235a.exe	4
PID 3276 wrote to memory of 616	3276	17868bf758cb6bb3a077b44a24b5235a.exe	4
PID 3276 wrote to memory of 616	3276	17868bf758cb6bb3a077b44a24b5235a.exe	4
PID 3276 wrote to memory of 616	3276	17868bf758cb6bb3a077b44a24b5235a.exe	4
PID 3276 wrote to memory of 616	3276	17868bf758cb6bb3a077b44a24b5235a.exe	4
PID 3276 wrote to memory of 616	3276	17868bf758cb6bb3a077b44a24b5235a.exe	4
PID 3276 wrote to memory of 668	3276	17868bf758cb6bb3a077b44a24b5235a.exe	2
PID 3276 wrote to memory of 668	3276	17868bf758cb6bb3a077b44a24b5235a.exe	2
PID 3276 wrote to memory of 668	3276	17868bf758cb6bb3a077b44a24b5235a.exe	2
PID 3276 wrote to memory of 668	3276	17868bf758cb6bb3a077b44a24b5235a.exe	2
PID 3276 wrote to memory of 668	3276	17868bf758cb6bb3a077b44a24b5235a.exe	2
PID 3276 wrote to memory of 668	3276	17868bf758cb6bb3a077b44a24b5235a.exe	2
PID 3276 wrote to memory of 768	3276	17868bf758cb6bb3a077b44a24b5235a.exe	8
PID 3276 wrote to memory of 768	3276	17868bf758cb6bb3a077b44a24b5235a.exe	8
PID 3276 wrote to memory of 768	3276	17868bf758cb6bb3a077b44a24b5235a.exe	8
PID 3276 wrote to memory of 768	3276	17868bf758cb6bb3a077b44a24b5235a.exe	8
PID 3276 wrote to memory of 768	3276	17868bf758cb6bb3a077b44a24b5235a.exe	8
PID 3276 wrote to memory of 768	3276	17868bf758cb6bb3a077b44a24b5235a.exe	8
PID 3276 wrote to memory of 776	3276	17868bf758cb6bb3a077b44a24b5235a.exe	91
PID 3276 wrote to memory of 776	3276	17868bf758cb6bb3a077b44a24b5235a.exe	91
PID 3276 wrote to memory of 776	3276	17868bf758cb6bb3a077b44a24b5235a.exe	91
PID 3276 wrote to memory of 776	3276	17868bf758cb6bb3a077b44a24b5235a.exe	91
PID 3276 wrote to memory of 776	3276	17868bf758cb6bb3a077b44a24b5235a.exe	91
PID 3276 wrote to memory of 776	3276	17868bf758cb6bb3a077b44a24b5235a.exe	91
PID 3276 wrote to memory of 792	3276	17868bf758cb6bb3a077b44a24b5235a.exe	90
PID 3276 wrote to memory of 792	3276	17868bf758cb6bb3a077b44a24b5235a.exe	90
PID 3276 wrote to memory of 792	3276	17868bf758cb6bb3a077b44a24b5235a.exe	90
PID 3276 wrote to memory of 792	3276	17868bf758cb6bb3a077b44a24b5235a.exe	90
PID 3276 wrote to memory of 792	3276	17868bf758cb6bb3a077b44a24b5235a.exe	90
PID 3276 wrote to memory of 792	3276	17868bf758cb6bb3a077b44a24b5235a.exe	90
PID 3276 wrote to memory of 900	3276	17868bf758cb6bb3a077b44a24b5235a.exe	89
PID 3276 wrote to memory of 900	3276	17868bf758cb6bb3a077b44a24b5235a.exe	89
PID 3276 wrote to memory of 900	3276	17868bf758cb6bb3a077b44a24b5235a.exe	89
PID 3276 wrote to memory of 900	3276	17868bf758cb6bb3a077b44a24b5235a.exe	89
PID 3276 wrote to memory of 900	3276	17868bf758cb6bb3a077b44a24b5235a.exe	89
PID 3276 wrote to memory of 900	3276	17868bf758cb6bb3a077b44a24b5235a.exe	89
PID 3276 wrote to memory of 956	3276	17868bf758cb6bb3a077b44a24b5235a.exe	88
PID 3276 wrote to memory of 956	3276	17868bf758cb6bb3a077b44a24b5235a.exe	88
PID 3276 wrote to memory of 956	3276	17868bf758cb6bb3a077b44a24b5235a.exe	88
PID 3276 wrote to memory of 956	3276	17868bf758cb6bb3a077b44a24b5235a.exe	88
PID 3276 wrote to memory of 956	3276	17868bf758cb6bb3a077b44a24b5235a.exe	88
PID 3276 wrote to memory of 956	3276	17868bf758cb6bb3a077b44a24b5235a.exe	88
PID 3276 wrote to memory of 388	3276	17868bf758cb6bb3a077b44a24b5235a.exe	9
PID 3276 wrote to memory of 388	3276	17868bf758cb6bb3a077b44a24b5235a.exe	9
PID 3276 wrote to memory of 388	3276	17868bf758cb6bb3a077b44a24b5235a.exe	9
PID 3276 wrote to memory of 388	3276	17868bf758cb6bb3a077b44a24b5235a.exe	9
PID 3276 wrote to memory of 388	3276	17868bf758cb6bb3a077b44a24b5235a.exe	9
PID 3276 wrote to memory of 388	3276	17868bf758cb6bb3a077b44a24b5235a.exe	9
PID 3276 wrote to memory of 432	3276	17868bf758cb6bb3a077b44a24b5235a.exe	87
PID 3276 wrote to memory of 432	3276	17868bf758cb6bb3a077b44a24b5235a.exe	87
PID 3276 wrote to memory of 432	3276	17868bf758cb6bb3a077b44a24b5235a.exe	87
PID 3276 wrote to memory of 432	3276	17868bf758cb6bb3a077b44a24b5235a.exe	87
PID 3276 wrote to memory of 432	3276	17868bf758cb6bb3a077b44a24b5235a.exe	87
PID 3276 wrote to memory of 432	3276	17868bf758cb6bb3a077b44a24b5235a.exe	87
PID 3276 wrote to memory of 864	3276	17868bf758cb6bb3a077b44a24b5235a.exe	10
PID 3276 wrote to memory of 864	3276	17868bf758cb6bb3a077b44a24b5235a.exe	10
PID 3276 wrote to memory of 864	3276	17868bf758cb6bb3a077b44a24b5235a.exe	10
PID 3276 wrote to memory of 864	3276	17868bf758cb6bb3a077b44a24b5235a.exe	10
PID 3276 wrote to memory of 864	3276	17868bf758cb6bb3a077b44a24b5235a.exe	10
PID 3276 wrote to memory of 864	3276	17868bf758cb6bb3a077b44a24b5235a.exe	10
PID 3276 wrote to memory of 1016	3276	17868bf758cb6bb3a077b44a24b5235a.exe	86
PID 3276 wrote to memory of 1016	3276	17868bf758cb6bb3a077b44a24b5235a.exe	86
PID 3276 wrote to memory of 1016	3276	17868bf758cb6bb3a077b44a24b5235a.exe	86
PID 3276 wrote to memory of 1016	3276	17868bf758cb6bb3a077b44a24b5235a.exe	86

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:668

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:768
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1148
- C:\Windows\system32\MusNotification.exe
  C:\Windows\system32\MusNotification.exe
  2⤵
  PID:2888
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1208

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2840

C:\Users\Admin\AppData\Local\Temp\17868bf758cb6bb3a077b44a24b5235a.exe
"C:\Users\Admin\AppData\Local\Temp\17868bf758cb6bb3a077b44a24b5235a.exe"
1⤵
- Modifies firewall policy service
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3276

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:1636

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4588

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:408

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
1⤵
PID:3528

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:312

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4848

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:1280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3292

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:4496

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:3716

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:3760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1088

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4828

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3764

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:1032

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4344

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3556

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4076

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4000

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3936

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3656

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3384

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2876

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2608

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2420

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2196

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2148

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2092

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
1⤵
PID:2040

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1936

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1900

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1444

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1388

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1052

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1044

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:792

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3276-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3276-1-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/3276-3-0x0000000077543000-0x0000000077544000-memory.dmp

Filesize
4KB

Download
memory/3276-2-0x0000000077542000-0x0000000077543000-memory.dmp

Filesize
4KB

Download
memory/3276-4-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/3276-5-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/3276-6-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/3276-9-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download