0a671beba270f68d6c5d6ae9bae13d1df60df2db582a0c7bc0c931a3f44b9c1a

Analysis

max time kernel
148s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
05-06-2024 07:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97746edc28621dadc9396318e8010d95_JaffaCakes118.exe
Size

119KB
MD5

97746edc28621dadc9396318e8010d95
SHA1

2bdb4ba79b96185ee3bd4961452966997113eaf9
SHA256

0a671beba270f68d6c5d6ae9bae13d1df60df2db582a0c7bc0c931a3f44b9c1a
SHA512

55c85a8a72d09d9692938f553afa1a51be8ec6f58ac530ac763aed907f9a076e899002f05ec5d0063a5e88236bd1b008f0c87e926b4d73bf7db8cce774cd9fc2
SSDEEP

1536:LTKJtyLNVcBGsjEhUwiM7w1Nj6+UMbO2lq2oDSSBJjRL2pHIcg2/tAkzIePcs:6JtyL3ElEhUwiM7wpUD2qfZaXMe

Score

8^/10

persistence upx

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lexplorer = "C:\\Windows\\system32\\lexplorer.exe"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lexplorer = "C:\\Windows\\system32\\lexplorer.exe"	iexplore.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{SJH5QQ24-ED6N-WB4H-SVU6-010843642UX7}	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{SJH5QQ24-ED6N-WB4H-SVU6-010843642UX7}\StubPath = "C:\\Windows\\system32\\lexplorer.exe Restart"	iexplore.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4436-1-0x0000000010410000-0x0000000010446000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinUpdate = "C:\\Windows\\system32\\lexplorer.exe"	iexplore.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\lexplorer.exe	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\lexplorer.exe	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\plugin.dat	iexplore.exe
File created	C:\Windows\SysWOW64\system.dat	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\system.dat	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe
4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe
4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe
4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2556	iexplore.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe
Token: SeDebugPrivilege	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe
Token: SeDebugPrivilege	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe
Token: SeDebugPrivilege	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe
Token: SeDebugPrivilege	2556	iexplore.exe
Token: SeDebugPrivilege	2556	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85
PID 4436 wrote to memory of 2556	4436	97746edc28621dadc9396318e8010d95_JaffaCakes118.exe	85

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:620
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:792
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:64

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:680

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:808
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  PID:3104
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3856
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3944
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4012
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:1048
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3700
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:4784
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:4496
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  2⤵
  PID:880
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4892
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
  2⤵
  PID:3092
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3292
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:1748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:756

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1060

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1204
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2804

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1448

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1504
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1660

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1696

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1936

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1992

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2016

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2104

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2212

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2712

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2792

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3404

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3516
- C:\Users\Admin\AppData\Local\Temp\97746edc28621dadc9396318e8010d95_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\97746edc28621dadc9396318e8010d95_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3668

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4964

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:2848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:2124

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4436-1-0x0000000010410000-0x0000000010446000-memory.dmp

Filesize
216KB

Download
memory/4436-9-0x0000000000510000-0x000000000051A000-memory.dmp

Filesize
40KB

Download
memory/4436-16-0x00000000008A0000-0x00000000008AA000-memory.dmp

Filesize
40KB

Download
memory/4436-23-0x00000000008B0000-0x00000000008BA000-memory.dmp

Filesize
40KB

Download
memory/4436-31-0x00000000008C0000-0x00000000008CA000-memory.dmp

Filesize
40KB

Download
memory/4436-38-0x0000000002280000-0x000000000228A000-memory.dmp

Filesize
40KB

Download
memory/4436-44-0x0000000002290000-0x000000000229A000-memory.dmp

Filesize
40KB

Download
memory/4436-52-0x00000000022A0000-0x00000000022AA000-memory.dmp

Filesize
40KB

Download
memory/4436-58-0x0000000010450000-0x000000001045A000-memory.dmp

Filesize
40KB

Download
memory/4436-59-0x0000000010450000-0x000000001045A000-memory.dmp

Filesize
40KB

Download
memory/4436-66-0x00000000022B0000-0x00000000022BA000-memory.dmp

Filesize
40KB

Download
memory/4436-72-0x0000000010460000-0x000000001046A000-memory.dmp

Filesize
40KB

Download