6e41d1375e548702d8aa8ca9e969ef1038d42a3c033da590cbb0a54e1bc25cda

Analysis

max time kernel
133s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 05:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

08786f845c12c0e32ae20c1a4d80efc6.exe
Size

70KB
MD5

08786f845c12c0e32ae20c1a4d80efc6
SHA1

878aa1652a5bdceaa1c280f41dafb3e4efa24efb
SHA256

6e41d1375e548702d8aa8ca9e969ef1038d42a3c033da590cbb0a54e1bc25cda
SHA512

e34956fe7571826ed03fb00ca5b7e772b82e794c44e7079f5b05c5caecbdf8aee1a493a1b1ac7eca7b481a403359a4320353e3dd93954b1cd0e7b25b016bfbb9
SSDEEP

1536:CDyvX0vm5bKZT1cWHH3DabJbjMbB2QMvHreKvbdg:CSX0IbKZTeWz4qwJjvvbd

Score

10^/10

evasion

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	08786f845c12c0e32ae20c1a4d80efc6.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	08786f845c12c0e32ae20c1a4d80efc6.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	08786f845c12c0e32ae20c1a4d80efc6.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\08786f845c12c0e32ae20c1a4d80efc6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\08786f845c12c0e32ae20c1a4d80efc6.exe:*:enabled:@shell32.dll,-1"	08786f845c12c0e32ae20c1a4d80efc6.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe
5008	08786f845c12c0e32ae20c1a4d80efc6.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5008	08786f845c12c0e32ae20c1a4d80efc6.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5008 wrote to memory of 612	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	5
PID 5008 wrote to memory of 612	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	5
PID 5008 wrote to memory of 612	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	5
PID 5008 wrote to memory of 612	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	5
PID 5008 wrote to memory of 612	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	5
PID 5008 wrote to memory of 612	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	5
PID 5008 wrote to memory of 664	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	3
PID 5008 wrote to memory of 664	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	3
PID 5008 wrote to memory of 664	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	3
PID 5008 wrote to memory of 664	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	3
PID 5008 wrote to memory of 664	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	3
PID 5008 wrote to memory of 664	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	3
PID 5008 wrote to memory of 788	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	9
PID 5008 wrote to memory of 788	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	9
PID 5008 wrote to memory of 788	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	9
PID 5008 wrote to memory of 788	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	9
PID 5008 wrote to memory of 788	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	9
PID 5008 wrote to memory of 788	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	9
PID 5008 wrote to memory of 796	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	8
PID 5008 wrote to memory of 796	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	8
PID 5008 wrote to memory of 796	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	8
PID 5008 wrote to memory of 796	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	8
PID 5008 wrote to memory of 796	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	8
PID 5008 wrote to memory of 796	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	8
PID 5008 wrote to memory of 804	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	88
PID 5008 wrote to memory of 804	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	88
PID 5008 wrote to memory of 804	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	88
PID 5008 wrote to memory of 804	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	88
PID 5008 wrote to memory of 804	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	88
PID 5008 wrote to memory of 804	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	88
PID 5008 wrote to memory of 908	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	87
PID 5008 wrote to memory of 908	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	87
PID 5008 wrote to memory of 908	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	87
PID 5008 wrote to memory of 908	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	87
PID 5008 wrote to memory of 908	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	87
PID 5008 wrote to memory of 908	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	87
PID 5008 wrote to memory of 960	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	86
PID 5008 wrote to memory of 960	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	86
PID 5008 wrote to memory of 960	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	86
PID 5008 wrote to memory of 960	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	86
PID 5008 wrote to memory of 960	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	86
PID 5008 wrote to memory of 960	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	86
PID 5008 wrote to memory of 380	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	10
PID 5008 wrote to memory of 380	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	10
PID 5008 wrote to memory of 380	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	10
PID 5008 wrote to memory of 380	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	10
PID 5008 wrote to memory of 380	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	10
PID 5008 wrote to memory of 380	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	10
PID 5008 wrote to memory of 536	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	85
PID 5008 wrote to memory of 536	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	85
PID 5008 wrote to memory of 536	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	85
PID 5008 wrote to memory of 536	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	85
PID 5008 wrote to memory of 536	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	85
PID 5008 wrote to memory of 536	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	85
PID 5008 wrote to memory of 404	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	11
PID 5008 wrote to memory of 404	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	11
PID 5008 wrote to memory of 404	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	11
PID 5008 wrote to memory of 404	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	11
PID 5008 wrote to memory of 404	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	11
PID 5008 wrote to memory of 404	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	11
PID 5008 wrote to memory of 60	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	84
PID 5008 wrote to memory of 60	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	84
PID 5008 wrote to memory of 60	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	84
PID 5008 wrote to memory of 60	5008	08786f845c12c0e32ae20c1a4d80efc6.exe	84

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:664

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:796
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:788
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3888
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:3420
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
  2⤵
  PID:768
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
  2⤵
  PID:3928
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe
  2⤵
  PID:2304
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:1564
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  2⤵
  PID:3576
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:2424
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:4528
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3168
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:3972
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3824
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3732
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  PID:2952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
1⤵
PID:404

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1296

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2660

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:956

C:\Windows\system32\MusNotification.exe
C:\Windows\system32\MusNotification.exe
1⤵
PID:5100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:3176

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3496

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:1824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:2720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4860

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3540

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3424
- C:\Users\Admin\AppData\Local\Temp\08786f845c12c0e32ae20c1a4d80efc6.exe
  "C:\Users\Admin\AppData\Local\Temp\08786f845c12c0e32ae20c1a4d80efc6.exe"
  2⤵
  - Modifies firewall policy service
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3180

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:3144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3084

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2668

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2536

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2160

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2068

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2008

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1984

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1888

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1832

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1780

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1644

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1148

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1092

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1084

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:60

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:908

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5008-0-0x0000000001000000-0x0000000001014000-memory.dmp

Filesize
80KB

Download
memory/5008-1-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/5008-3-0x0000000076F62000-0x0000000076F63000-memory.dmp

Filesize
4KB

Download
memory/5008-2-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/5008-4-0x0000000076F63000-0x0000000076F64000-memory.dmp

Filesize
4KB

Download
memory/5008-7-0x0000000001000000-0x0000000001014000-memory.dmp

Filesize
80KB

Download