Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-02-2024 11:12
Behavioral task: behavioral1
Sample: 9704acf70f601607084200c2b8f24146.exe
Resource: win7-20231215-en
General
Target: 9704acf70f601607084200c2b8f24146.exe
Size: 282KB
MD5: 9704acf70f601607084200c2b8f24146
SHA1: f8d29c3f73e71fabd9d3835c04603fa5fd00c805
SHA256: 8e86221ff8aa85db50150848d8786d05a9fff464dd47a684bebcb136881c7f67
SHA512: 31f3c3347dd9f414641dcbe2c45144f3ca6cc8f1169506014a35c7e68a369c19e3b78b7ef4d5d63dc770c4c90989a82283bf206c538c997c62b206c4cfa136b1
SSDEEP: 6144:ZonYdhUSyP6t2zQtDtdWn7T1iaOufuz5wOUtlKOuhPbjXbK:ZUYdaSPtkQtDtdWfkaMz5fUtlKOuhPb
Malware Config
Extracted
cybergate
2.8 Private Edition
vítima
127.0.0.1:81
***MUTEX***
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: install
install_file: server.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: texto da mensagem
message_box_title: título da mensagem
password: abcd1234
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)
Processes:
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 9704acf70f601607084200c2b8f24146.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe" | 9704acf70f601607084200c2b8f24146.exe
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 9704acf70f601607084200c2b8f24146.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe" | 9704acf70f601607084200c2b8f24146.exe

Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
Processes:
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\install\\server.exe Restart" | 9704acf70f601607084200c2b8f24146.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} | 9704acf70f601607084200c2b8f24146.exe

Processes:
resource | yara_rule
behavioral2/memory/4560-0-0x0000000000400000-0x0000000000458000-memory.dmp | upx
behavioral2/memory/4560-4-0x0000000010410000-0x0000000010472000-memory.dmp | upx
behavioral2/memory/972-11-0x0000000000400000-0x0000000000458000-memory.dmp | upx
behavioral2/memory/4560-65-0x0000000010480000-0x00000000104E2000-memory.dmp | upx
behavioral2/memory/972-69-0x0000000010480000-0x00000000104E2000-memory.dmp | upx
behavioral2/memory/972-71-0x0000000010480000-0x00000000104E2000-memory.dmp | upx
behavioral2/memory/4560-72-0x0000000000400000-0x0000000000458000-memory.dmp | upx
behavioral2/files/0x0006000000023236-77.dat | upx
behavioral2/memory/972-1701-0x0000000010480000-0x00000000104E2000-memory.dmp | upx

Drops file in Windows directory (4 IoCs)
Processes:
description | ioc | Process
File created | C:\Windows\install\server.exe | 9704acf70f601607084200c2b8f24146.exe
File opened for modification | C:\Windows\install\server.exe | 9704acf70f601607084200c2b8f24146.exe
File opened for modification | C:\Windows\install\server.exe | 9704acf70f601607084200c2b8f24146.exe
File opened for modification | C:\Windows\install\ | 9704acf70f601607084200c2b8f24146.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
pid | Process
4560 | 9704acf70f601607084200c2b8f24146.exe
972 | 9704acf70f601607084200c2b8f24146.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
pid | Process
972 | 9704acf70f601607084200c2b8f24146.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description | pid | Process
Token: SeDebugPrivilege | 972 | 9704acf70f601607084200c2b8f24146.exe
Token: SeDebugPrivilege | 972 | 9704acf70f601607084200c2b8f24146.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
description | pid | Process | procid_target
PID 4560 wrote to memory of 2332 | 4560 | 9704acf70f601607084200c2b8f24146.exe | 83
Processes
PID | image | command line (indentation shows parent/child nesting)
- PID 672 | C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe
- PID 612 | C:\Windows\system32\winlogon.exe | winlogon.exe
  - PID 60 | C:\Windows\system32\dwm.exe | "dwm.exe"
  - PID 764 | C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe"
- PID 760 | C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe"
- PID 608 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
- PID 1120 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
  - PID 2680 | C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- PID 1176 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
- PID 1260 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
- PID 1604 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
- PID 1720 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
- PID 1964 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
- PID 2144 | C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe
- PID 2716 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
- PID 2896 | C:\Windows\sysmon.exe | C:\Windows\sysmon.exe
- PID 2924 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
- PID 3476 | C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
  - PID 4560 | C:\Users\Admin\AppData\Local\Temp\9704acf70f601607084200c2b8f24146.exe | "C:\Users\Admin\AppData\Local\Temp\9704acf70f601607084200c2b8f24146.exe"
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - PID 2332 | C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe"
    - PID 972 | C:\Users\Admin\AppData\Local\Temp\9704acf70f601607084200c2b8f24146.exe | "C:\Users\Admin\AppData\Local\Temp\9704acf70f601607084200c2b8f24146.exe"
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
- PID 3908 | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- PID 3976 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 856 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
- PID 4004 | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- PID 2868 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
- PID 3056 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
- PID 2312 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 388 | C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- PID 3796 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
- PID 1512 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
- PID 4828 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
- PID 4768 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
- PID 4528 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
- PID 4464 | C:\Windows\system32\SppExtComObj.exe | C:\Windows\system32\SppExtComObj.exe -Embedding
- PID 3628 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 4060 | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- PID 3816 | C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- PID 3608 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- PID 3292 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
- PID 3188 | C:\Windows\system32\wbem\unsecapp.exe | C:\Windows\system32\wbem\unsecapp.exe -Embedding
- PID 2936 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
- PID 2860 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
- PID 2808 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
- PID 2724 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
- PID 2648 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
- PID 2536 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- PID 2520 | C:\Windows\system32\sihost.exe | sihost.exe
- PID 2340 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
- PID 2252 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
- PID 2224 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
- PID 2052 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
- PID 1740 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
- PID 2032 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
- PID 2024 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
- PID 1844 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
- PID 1752 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
- PID 1744 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
- PID 1632 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
- PID 1612 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
- PID 1456 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
- PID 1416 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
- PID 1328 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
- PID 1244 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
- PID 1160 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
- PID 1112 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
- PID 1032 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
- PID 404 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
- PID 960 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
- PID 912 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS -p
- PID 788 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p
  - PID 3940 | C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  - PID 4560 | C:\Windows\System32\mousocoreworker.exe | C:\Windows\System32\mousocoreworker.exe -Embedding
- PID 4596 | C:\Windows\System32\WaaSMedicAgent.exe | C:\Windows\System32\WaaSMedicAgent.exe ba1574bb717fcafaf1df18725572d6ea a4JVRCOevk6z+x22777iSw.0.1.0.0.0
  - PID 4848 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- PID 3248 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
- PID 1936 | C:\Windows\servicing\TrustedInstaller.exe | C:\Windows\servicing\TrustedInstaller.exe
- PID 4260 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
Network
MITRE ATT&CK Enterprise v15
Downloads