4508ac06af752db832a0582724bf479104a1019bce3306618a8da9b869ebda1e

Analysis

max time kernel
100s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19-07-2024 22:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ac68b292573bd3b48ede9ac5ea02940N.exe
Size

41KB
MD5

1ac68b292573bd3b48ede9ac5ea02940
SHA1

394eaa52f10f694168f346a0090ce104a8410eec
SHA256

4508ac06af752db832a0582724bf479104a1019bce3306618a8da9b869ebda1e
SHA512

413597fbdd0f839913819e20e078a699a9818cdcf6b54196f533ed7bd72b67ef0772ba99c56b66398aa082e9dd863ece1dc52707d71cd255fe81d7fc6b3685d5
SSDEEP

768:ucG6xlCRaJKGOA7SHJ8HWr64a1VGHzkxS4iDHWLsDixcvn7mCnDG:ucG6yPzKSHJa1MP2Aiqvn77

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe
3972	1ac68b292573bd3b48ede9ac5ea02940N.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3972 wrote to memory of 612	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	5
PID 3972 wrote to memory of 612	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	5
PID 3972 wrote to memory of 612	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	5
PID 3972 wrote to memory of 612	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	5
PID 3972 wrote to memory of 612	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	5
PID 3972 wrote to memory of 612	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	5
PID 3972 wrote to memory of 660	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	7
PID 3972 wrote to memory of 660	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	7
PID 3972 wrote to memory of 660	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	7
PID 3972 wrote to memory of 660	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	7
PID 3972 wrote to memory of 660	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	7
PID 3972 wrote to memory of 660	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	7
PID 3972 wrote to memory of 772	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	8
PID 3972 wrote to memory of 772	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	8
PID 3972 wrote to memory of 772	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	8
PID 3972 wrote to memory of 772	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	8
PID 3972 wrote to memory of 772	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	8
PID 3972 wrote to memory of 772	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	8
PID 3972 wrote to memory of 780	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	9
PID 3972 wrote to memory of 780	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	9
PID 3972 wrote to memory of 780	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	9
PID 3972 wrote to memory of 780	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	9
PID 3972 wrote to memory of 780	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	9
PID 3972 wrote to memory of 780	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	9
PID 3972 wrote to memory of 788	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	10
PID 3972 wrote to memory of 788	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	10
PID 3972 wrote to memory of 788	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	10
PID 3972 wrote to memory of 788	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	10
PID 3972 wrote to memory of 788	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	10
PID 3972 wrote to memory of 788	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	10
PID 3972 wrote to memory of 892	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	11
PID 3972 wrote to memory of 892	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	11
PID 3972 wrote to memory of 892	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	11
PID 3972 wrote to memory of 892	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	11
PID 3972 wrote to memory of 892	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	11
PID 3972 wrote to memory of 892	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	11
PID 3972 wrote to memory of 948	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	12
PID 3972 wrote to memory of 948	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	12
PID 3972 wrote to memory of 948	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	12
PID 3972 wrote to memory of 948	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	12
PID 3972 wrote to memory of 948	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	12
PID 3972 wrote to memory of 948	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	12
PID 3972 wrote to memory of 1020	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	13
PID 3972 wrote to memory of 1020	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	13
PID 3972 wrote to memory of 1020	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	13
PID 3972 wrote to memory of 1020	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	13
PID 3972 wrote to memory of 1020	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	13
PID 3972 wrote to memory of 1020	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	13
PID 3972 wrote to memory of 428	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	14
PID 3972 wrote to memory of 428	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	14
PID 3972 wrote to memory of 428	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	14
PID 3972 wrote to memory of 428	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	14
PID 3972 wrote to memory of 428	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	14
PID 3972 wrote to memory of 428	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	14
PID 3972 wrote to memory of 856	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	15
PID 3972 wrote to memory of 856	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	15
PID 3972 wrote to memory of 856	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	15
PID 3972 wrote to memory of 856	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	15
PID 3972 wrote to memory of 856	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	15
PID 3972 wrote to memory of 856	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	15
PID 3972 wrote to memory of 944	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	16
PID 3972 wrote to memory of 944	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	16
PID 3972 wrote to memory of 944	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	16
PID 3972 wrote to memory of 944	3972	1ac68b292573bd3b48ede9ac5ea02940N.exe	16

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:780
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:1020

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:660

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:788
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  PID:3188
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3808
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3900
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3964
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:4056
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:2396
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:1756
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:4772
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  2⤵
  PID:4384
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3268
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
  2⤵
  PID:5064
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:3700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:856

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:944

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1096

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1116

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1160
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2636
- C:\Windows\system32\MusNotification.exe
  C:\Windows\system32\MusNotification.exe
  2⤵
  PID:804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1456
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1588

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1592

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1988

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2040

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2060

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2148

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2236

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2252

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:2984

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:3004

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:3020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:3048

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3480
- C:\Users\Admin\AppData\Local\Temp\1ac68b292573bd3b48ede9ac5ea02940N.exe
  "C:\Users\Admin\AppData\Local\Temp\1ac68b292573bd3b48ede9ac5ea02940N.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3632

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:2472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:1432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:2112

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:1040

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:3172

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3972-0-0x0000000001000000-0x000000000100D000-memory.dmp

Filesize
52KB

Download
memory/3972-1-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/3972-2-0x00000000777E2000-0x00000000777E3000-memory.dmp

Filesize
4KB

Download
memory/3972-3-0x00000000777E3000-0x00000000777E4000-memory.dmp

Filesize
4KB

Download
memory/3972-4-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/3972-5-0x0000000001000000-0x000000000100D000-memory.dmp

Filesize
52KB

Download