Analysis
max time kernel: 231s
max time network: 239s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2022 21:11
Behavioral task behavioral1: sample 398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe, resource win7-20221111-en
Behavioral task behavioral2: sample 398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe, resource win10v2004-20221111-en
The signatures and process tree below are from behavioral2 (the Windows 10 run; the memory-dump paths and the fontdrvhost.exe/RuntimeBroker.exe targets only exist there).
General
Target: 398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe
Size: 1.4MB
MD5: 12a328ce6651249030f5370f255ca63e
SHA1: a8048a259c2aeb4bee82eea524e402add040aa35
SHA256: 398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72
SHA512: ae03500bd52eff224135ffa4ac5030b6d24538b07e8a01db0cd2ffa5a3ba5202c4eb61fd53722886610299d0994895d6fce7538bf6735f4b348d9c47ef0668b0
SSDEEP: 24576:z9WQitvyUilzOUxaOWk01G4fbu/F41jen6KXYzkEEknJS7DFN4L3GmPA705sCvsF:z9WDAUozOUxaOyGau6I6WPDvlAAoefk1
Malware Config
Signatures
-
Detected Xorist Ransomware (2 IoCs)
yara rule family_xorist matched in the memory of PID 1404, region 0x0000000000400000-0x0000000000560000:
- behavioral2/memory/1404-132-0x0000000000400000-0x0000000000560000-memory.dmp
- behavioral2/memory/1404-133-0x0000000000400000-0x0000000000560000-memory.dmp
0x400000 is the default image base of a 32-bit Windows executable and the 0x160000-byte region is consistent with the 1.4 MB file, so the rule matched the sample's own main module in memory rather than code it injected elsewhere.
Modifies firewall policy service (2 TTPs, 4 IoCs)
Process: 398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe:*:enabled:@shell32.dll,-1"
The value uses the XP-era Windows Firewall authorized-applications format, <path>:<scope>:<enabled|disabled>:<display name>: the sample whitelists its own copy in the user's Temp directory for all remote addresses (scope *), with the display name taken from a shell32.dll string resource.
Xorist Ransomware
Xorist is a long-running ransomware family produced by a freely circulated builder, which is why individual builds differ in extension, ransom-note name and encryption password; the "first seen in 2020" date given by the sandbox understates its age, as variants were circulating years before that. This build registers the extension .CryptoTorLocker2015!, writes HOW TO DECRYPT FILES.txt into each directory it touches, and installs a shell handler so that opening an encrypted file relaunches the malware (see "Modifies registry class" below).
Drops file in Drivers directory (1 IoC)
Process: 398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe
- File opened for modification C:\Windows\system32\DRIVERS\ETC\HOSTS
The "Drivers directory" label is the sandbox's path heuristic; the file touched is the hosts file, so check it for added entries that redirect or blackhole name resolution when triaging an infected host.
Adds Run key to start application (2 TTPs, 2 IoCs)
Process: 398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\w8i9eHkHOwWwQlX.exe"
The WOW6432Node path shows the sample is a 32-bit image running on the x64 guest (consistent with the arch:x86 resource tag): it wrote HKLM\SOFTWARE\...\Run and the registry redirector placed the value under WOW6432Node. The value points at a second executable, C:\Users\Admin\AppData\Local\Temp\w8i9eHkHOwWwQlX.exe, the same path the shell handler below uses; no drop event for that path is listed in this report, so verify its presence on disk.
Drops file in Program Files directory (64 IoCs; the sandbox caps the list at 64)
Process: 398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe
File created (ransom note HOW TO DECRYPT FILES.txt) in:
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\1033\
- C:\Program Files\Common Files\microsoft shared\ink\he-IL\
- C:\Program Files\Java\jdk1.8.0_66\jre\lib\amd64\
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\
- C:\Program Files\7-Zip\
- C:\Program Files\Common Files\microsoft shared\ink\
- C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CASCADE\
- C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\
- C:\Program Files\Common Files\microsoft shared\OFFICE16\
- C:\Program Files\Common Files\microsoft shared\ink\hu-HU\
- C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\
- C:\Program Files\Microsoft Office\root\Office16\3082\
- C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\
- C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\IRIS\
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\
- C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
- C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\
- C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\
- C:\Program Files\Common Files\System\msadc\es-ES\
- C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
- C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\
- C:\Program Files\Microsoft Office\root\Office16\MSIPC\he\
- C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\
File opened for modification (encryption targets):
- C:\Program Files\7-Zip\Lang\mk.txt
- C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelGlyph.16.GrayF.png
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUEPRNT\PREVIEW.GIF
- C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicHandle.png
- C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macTSFrame.png
- C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-80.png
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EDGE\THMBNAIL.PNG
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SLATE\PREVIEW.GIF
- C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-100.png
- C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-140.png
- C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\SmallLogoCanary.png
- C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-180.png
- C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] (file name mangled in the extraction)
- C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\images\assets_picker-account-addPerson-48.png
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\PREVIEW.GIF
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\IRIS\PREVIEW.GIF
- C:\Program Files\Java\jdk1.8.0_66\javafx-src.zip
- C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\prodbig.gif
- C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer_eula.txt
- C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-80.png
- C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt
- C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\dragHandle.png
- C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicTSFrame.png
- C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-80.png
- C:\Program Files\7-Zip\Lang\ru.txt
- C:\Program Files\Microsoft Office\root\Office16\1033\Client2019_eula.txt
- C:\Program Files\Microsoft Office\root\Office16\MEDIA\APPLAUSE.WAV
- C:\Program Files\7-Zip\History.txt
- C:\Program Files\7-Zip\Lang\uz.txt
- C:\Program Files\Microsoft Office\root\Office16\MEDIA\VOLTAGE.WAV
- C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] (file name mangled in the extraction)
- C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10.mp4
- C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_company.png
- C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-100.png
- C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-checkmark.png
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\THMBNAIL.PNG
- C:\Program Files\7-Zip\Lang\de.txt
- C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.PPT
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PAPYRUS\THMBNAIL.PNG
The targets are not limited to user documents: images, audio, EULA text files, a zip and an mp4 under Program Files are all rewritten in place, and a ransom note is created in every directory walked, which is the pattern to expect from a recursive, extension-agnostic Xorist build.
Modifies registry class (10 IoCs)
Process: 398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PRPASCBHJSZLMOM\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\w8i9eHkHOwWwQlX.exe,0"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.CryptoTorLocker2015!
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PRPASCBHJSZLMOM
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PRPASCBHJSZLMOM\ = "CRYPTED!"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PRPASCBHJSZLMOM\shell
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PRPASCBHJSZLMOM\shell\open
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PRPASCBHJSZLMOM\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\w8i9eHkHOwWwQlX.exe"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.CryptoTorLocker2015!\ = "PRPASCBHJSZLMOM"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PRPASCBHJSZLMOM\DefaultIcon
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PRPASCBHJSZLMOM\shell\open\command
Read together these form a standard file-association chain: the extension .CryptoTorLocker2015! maps to the ProgID PRPASCBHJSZLMOM, whose friendly name is "CRYPTED!", whose icon is resource 0 of w8i9eHkHOwWwQlX.exe, and whose shell\open\command is that same executable. Double-clicking any encrypted file therefore relaunches the malware, a second persistence path on top of the Run value. During cleanup remove the extension key and the ProgID key as well as the Run value, or the handler survives deletion of the executable as a dangling association.
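As an added example (not part of the Triage report and not the sample's code), the following Python reconstructs the three registry groups above (firewall exception, Run value and file-association chain) from event lines written in the report's own "Key created <path> <process>" / "Set value (str) <path> = "<value>" <process>" form. The sample events are transcribed from this report; the helper names (parse_registry_events, find_association_hijacks and so on) are this example's own and assume that one event per line is available, which is how the report lists them.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample process name exactly as it appears in the report.
PROC = "398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe"

# Constructed sample input: the registry events from the report above,
# one per line. String values carry doubled backslashes as the report prints them.
SAMPLE_EVENTS = rf"""
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List {PROC}
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\{PROC} = "C:\\Users\\Admin\\AppData\\Local\\Temp\\{PROC}:*:enabled:@shell32.dll,-1" {PROC}
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run {PROC}
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\w8i9eHkHOwWwQlX.exe" {PROC}
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PRPASCBHJSZLMOM\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\w8i9eHkHOwWwQlX.exe,0" {PROC}
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.CryptoTorLocker2015! {PROC}
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PRPASCBHJSZLMOM\ = "CRYPTED!" {PROC}
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PRPASCBHJSZLMOM\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\w8i9eHkHOwWwQlX.exe" {PROC}
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.CryptoTorLocker2015!\ = "PRPASCBHJSZLMOM" {PROC}
"""

# Report line shapes. Paths may contain spaces, so the path group is lazy up to ' = "'.
SET_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "(.*)" (\S+)$')
KEY_RE = re.compile(r'^Key created (\\REGISTRY\\.+) (\S+)$')

CLASSES = "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\"
TEMP_MARKER = "\\AppData\\Local\\Temp\\"


@dataclass
class RegEvent:
    op: str              # "set" or "create"
    path: str            # for "set": full value path; a trailing "\" means the key's (Default) value
    value: Optional[str]
    process: str


def parse_registry_events(text: str) -> list[RegEvent]:
    events: list[RegEvent] = []
    for line in text.strip().splitlines():
        m = SET_RE.match(line)
        if m:
            _kind, path, value, proc = m.groups()
            # Undo the report's backslash doubling inside string values.
            events.append(RegEvent("set", path, value.replace("\\\\", "\\"), proc))
            continue
        m = KEY_RE.match(line)
        if m:
            path, proc = m.groups()
            events.append(RegEvent("create", path, None, proc))
    return events


def _default_values(events: list[RegEvent]) -> dict[str, str]:
    """Map key path -> its (Default) value for every 'Set value' on a key's default."""
    return {e.path.rstrip("\\"): e.value for e in events
            if e.op == "set" and e.path.endswith("\\") and e.value is not None}


def find_association_hijacks(events: list[RegEvent]) -> dict[str, dict]:
    """Follow extension -> ProgID -> DefaultIcon / shell\\open\\command under HKLM\\SOFTWARE\\Classes."""
    defaults = _default_values(events)
    hijacks: dict[str, dict] = {}
    for key, progid in defaults.items():
        if not key.startswith(CLASSES):
            continue
        ext = key[len(CLASSES):]
        if not ext.startswith(".") or "\\" in ext:
            continue                      # only top-level extension keys
        prog = CLASSES + progid
        hijacks[ext] = {
            "progid": progid,
            "description": defaults.get(prog),
            "icon": defaults.get(prog + "\\DefaultIcon"),
            "command": defaults.get(prog + "\\shell\\open\\command"),
        }
    return hijacks


def find_run_entries(events: list[RegEvent]) -> dict[str, str]:
    """Name -> command for values written under any ...\\CurrentVersion\\Run key."""
    return {e.path.rsplit("\\", 1)[1]: e.value for e in events
            if e.op == "set" and "\\CurrentVersion\\Run\\" in e.path
            and not e.path.endswith("\\") and e.value is not None}


def find_firewall_exceptions(events: list[RegEvent]) -> list[dict]:
    """Decode XP-format AuthorizedApplications\\List values: path:scope:mode:name."""
    out = []
    for e in events:
        if e.op == "set" and "\\AuthorizedApplications\\List\\" in e.path and e.value:
            parts = e.value.rsplit(":", 3)   # rsplit because the path itself contains 'C:'
            if len(parts) == 4:
                out.append({"path": parts[0], "scope": parts[1], "mode": parts[2], "name": parts[3]})
    return out


def assess(text: str) -> list[str]:
    """Human-readable findings tying the three registry groups together."""
    events = parse_registry_events(text)
    findings = []
    for ext, chain in find_association_hijacks(events).items():
        findings.append(f"extension {ext} -> ProgID {chain['progid']} ({chain['description']}) "
                        f"-> shell\\open\\command = {chain['command']}")
        if chain["command"] and TEMP_MARKER in chain["command"]:
            findings.append(f"handler for {ext} lives in a user Temp directory: {chain['command']}")
    for name, cmd in find_run_entries(events).items():
        findings.append(f"Run value {name} = {cmd}")
    for fw in find_firewall_exceptions(events):
        findings.append(f"firewall exception ({fw['mode']}, scope {fw['scope']}) for {fw['path']}")
    return findings


if __name__ == "__main__":
    for line in assess(SAMPLE_EVENTS):
        print(line)
```

The same parser works on a Triage report for any build of this family: the extension, ProgID and executable names change per build, but the extension -> ProgID -> shell\open\command walk and the Temp-directory check do not.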
Suspicious behavior: EnumeratesProcesses (2 IoCs)
PID 1404 398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe (2 events)
Suspicious behavior: MapViewOfSection (64 IoCs)
All 64 events are from PID 1404 398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe.
Suspicious use of AdjustPrivilegeToken (1 IoC)
Token: SeDebugPrivilege enabled by PID 1404 398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe
SeDebugPrivilege is what lets the process open protected system processes such as lsass.exe and winlogon.exe with write access, which the next section shows it then does.
Suspicious use of WriteProcessMemory (64 IoCs; the sandbox caps the list at 64)
All writes originate from PID 1404 398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe. Target process (PID) and number of write events:
- winlogon.exe (624): 6
- lsass.exe (676): 6
- svchost.exe (788): 6
- fontdrvhost.exe (796): 6
- fontdrvhost.exe (804): 6
- svchost.exe (912): 6
- svchost.exe (968): 6
- dwm.exe (60): 6
- svchost.exe (524): 6
- svchost.exe (696): 6
- svchost.exe (828): 4 (list truncated at 64 entries)
The sample walks the process list in PID order and writes into every process it can open, including lsass.exe and winlogon.exe, rather than targeting one host for injection. Combined with the SeDebugPrivilege adjustment above, this is the behaviour to alert on: a process running from a user's Temp directory opening lsass.exe for write.
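As an added example (not part of the Triage report and not the sample's code), the following Python collapses the WriteProcessMemory and AdjustPrivilegeToken events above into per-target counts and flags a writer that touched security-sensitive processes after enabling SeDebugPrivilege. It assumes the report's line shapes, "PID <src> wrote to memory of <dst> <src> <src image> <dst image>" and "Token: <privilege> <pid> <image>", and the sample lines are a constructed subset of this report's events; the helper names and the SENSITIVE set are this example's own.

```python
import re
from collections import Counter, defaultdict

# Sample process name exactly as it appears in the report.
PROC = "398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe"

# Processes whose memory a user-launched binary has no legitimate reason to write to.
# This set is the example's own choice, not something the report defines.
SENSITIVE = {"lsass.exe", "winlogon.exe", "csrss.exe", "services.exe", "smss.exe", "wininit.exe"}

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)$")
TOKEN_RE = re.compile(r"^Token: (\S+) (\d+) (\S+)$")

# Constructed sample: a subset of the report's events, one per line, real PIDs kept.
SAMPLE = f"""
Token: SeDebugPrivilege 1404 {PROC}
PID 1404 wrote to memory of 624 1404 {PROC} winlogon.exe
PID 1404 wrote to memory of 624 1404 {PROC} winlogon.exe
PID 1404 wrote to memory of 676 1404 {PROC} lsass.exe
PID 1404 wrote to memory of 676 1404 {PROC} lsass.exe
PID 1404 wrote to memory of 788 1404 {PROC} svchost.exe
PID 1404 wrote to memory of 796 1404 {PROC} fontdrvhost.exe
PID 1404 wrote to memory of 60 1404 {PROC} dwm.exe
"""


def parse_events(text: str):
    """Return (writes, tokens): writes as (src pid, dst pid, src image, dst image),
    tokens as (privilege, pid, image)."""
    writes, tokens = [], []
    for line in text.strip().splitlines():
        m = WRITE_RE.match(line)
        if m:
            src, dst, _src_again, src_img, dst_img = m.groups()
            writes.append((int(src), int(dst), src_img, dst_img))
            continue
        m = TOKEN_RE.match(line)
        if m:
            priv, pid, img = m.groups()
            tokens.append((priv, int(pid), img))
    return writes, tokens


def summarize_writes(writes) -> Counter:
    """Collapse repeated events into (src pid, dst pid, dst image) -> count."""
    return Counter((s, d, di) for s, d, _si, di in writes)


def flag_injection(writes, tokens) -> list[dict]:
    """One finding per writer that wrote into a SENSITIVE process, recording whether
    that writer had enabled SeDebugPrivilege and how many distinct processes it touched."""
    debug_pids = {pid for priv, pid, _ in tokens if priv == "SeDebugPrivilege"}
    per_writer: dict[int, set] = defaultdict(set)
    for s, d, _si, di in writes:
        if di.lower() in SENSITIVE:
            per_writer[s].add((d, di))
    findings = []
    for src, targets in sorted(per_writer.items()):
        findings.append({
            "writer": src,
            "targets": sorted(targets),
            "se_debug": src in debug_pids,
            "distinct_targets_total": len({(d, di) for s, d, _, di in writes if s == src}),
        })
    return findings


if __name__ == "__main__":
    w, t = parse_events(SAMPLE)
    for (src, dst, img), n in summarize_writes(w).most_common():
        print(f"{src} -> {img} ({dst}): {n} writes")
    for f in flag_injection(w, t):
        print(f"writer {f['writer']}: sensitive targets {f['targets']}, "
              f"SeDebugPrivilege={f['se_debug']}, distinct targets={f['distinct_targets_total']}")
```

The combination the finding captures, SeDebugPrivilege plus writes into lsass.exe or winlogon.exe from a process whose image lives outside the Windows directory, is the same condition an EDR rule would use on live telemetry (Sysmon event 10 with write access rights, for example); the count of distinct targets distinguishes this spray-across-everything pattern from a targeted single-process injection.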
Processes
Each entry is image path, command line and PID; the system processes are listed because the sample wrote into them.
- C:\Windows\system32\lsass.exe, cmd: C:\Windows\system32\lsass.exe, PID 676
- C:\Windows\system32\fontdrvhost.exe, cmd: "fontdrvhost.exe", PID 796
- C:\Windows\system32\dwm.exe, cmd: "dwm.exe", PID 60
- C:\Windows\system32\svchost.exe, cmd: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p, PID 828
- C:\Windows\System32\svchost.exe, cmd: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc, PID 1632
- C:\Windows\system32\svchost.exe, cmd: C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p, PID 2140
- C:\Windows\system32\svchost.exe, cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt, PID 2604
- C:\Windows\System32\RuntimeBroker.exe, cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding, PID 3452
- C:\Windows\system32\svchost.exe, cmd: C:\Windows\system32\svchost.exe -k LocalService -s W32Time, PID 2272
- C:\Windows\System32\RuntimeBroker.exe, cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding, PID 1120
- C:\Windows\system32\backgroundTaskHost.exe, cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca, PID 4836
- C:\Windows\System32\svchost.exe, cmd: C:\Windows\System32\svchost.exe -k netsvcs -p, PID 4132
- C:\Windows\system32\backgroundTaskHost.exe, cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca, PID 2616
- C:\Windows\System32\svchost.exe, cmd: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, PID 5068
- C:\Windows\system32\SppExtComObj.exe, cmd: C:\Windows\system32\SppExtComObj.exe -Embedding, PID 3812
- C:\Windows\system32\svchost.exe, cmd: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc, PID 4756
- C:\Windows\system32\svchost.exe, cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc, PID 4408
- C:\Windows\System32\svchost.exe, cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc, PID 4632
- C:\Windows\system32\svchost.exe, cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc, PID 1872
- C:\Windows\system32\DllHost.exe, cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}, PID 3084
- C:\Windows\System32\RuntimeBroker.exe, cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding, PID 3784
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe, cmd: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca, PID 3532
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe, cmd: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca, PID 3372
- C:\Windows\system32\DllHost.exe, cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}, PID 3260
- C:\Windows\system32\svchost.exe, cmd: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc, PID 424
- C:\Windows\Explorer.EXE, cmd: C:\Windows\Explorer.EXE, PID 964
  - child: C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe, cmd: "C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe", PID 1404
    - Modifies firewall policy service
    - Drops file in Drivers directory
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
- C:\Windows\system32\taskhostw.exe, cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}, PID 2780
- C:\Windows\system32\svchost.exe, cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService, PID 2632
The sample is the only process under Explorer.EXE and spawns no children of its own: everything it does (encryption, registry changes, memory writes) happens in PID 1404, so that single process is the one to capture, suspend or kill on a live host.
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵PID:2596
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵PID:2568
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵PID:2508
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵PID:2496
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2468
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2448
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵PID:2332
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵PID:2324
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵PID:2188
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵PID:2100
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:2092
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵PID:1384
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:2004
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵PID:1996
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵PID:1952
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1792
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵PID:1760
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s FontCache1⤵PID:1680
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵PID:1672
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵PID:1596
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵PID:1472
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵PID:1464
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵PID:1456
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵PID:1360
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵PID:1320
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵PID:1252
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵PID:1212
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵PID:1188
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵PID:1088
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵PID:1076
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵PID:1052
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵PID:696
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵PID:524
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵PID:968
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS -p1⤵PID:912
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:804
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p1⤵PID:788
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding2⤵PID:4904
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:624