Analysis
- max time kernel: 98s
- max time network: 106s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 20-01-2021 11:09

Static task: static1
Behavioral task: behavioral1
- Sample: SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe
- Resource: win10v20201028

General
- Target: SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe
- Size: 36KB
- MD5: aaa69c3544561ed70b13847f6ec763e9
- SHA1: 1e53ed306bd193cffa691f51f940e908ef18cf4b
- SHA256: cfa46220d1b96e515eedbb82a0285229467f377ede30f732f7f6c48caba3ae1e
- SHA512: b922f8bdbcc6ee25b635965a24ae87b8d129a8ac7cdd0458e5ddd1c5a62ede6f34b4a5c704fd6a08988f93ab4af424a95b18a563760d8dd584bb5eeba7062016
Malware Config
Extracted
agenttesla
- Protocol: smtp
- Host: mail.privateemail.com
- Port: 587
- Username: ashfaq.ali@nationalfuels.pw
- Password: @Mexico1.,
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  Processes: SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe\"" | SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe
- Turns off Windows Defender SpyNet reporting (2 TTPs)
- AgentTesla Payload (3 IoCs)
  resource | yara_rule
  behavioral2/memory/4768-10-0x0000000006800000-0x0000000006864000-memory.dmp | family_agenttesla
  behavioral2/memory/1388-25-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
  behavioral2/memory/1388-27-0x000000000043748E-mapping.dmp | family_agenttesla
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe
- Drops startup file (2 IoCs)
  Processes: SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe | SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe | SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Windows security modification
  Processes: SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" | SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe = "0" | SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection | SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet | SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" | SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions | SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe = "0" | SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe" | SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe" | SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes: SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (15 IoCs)
  Processes: SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe
  pid | process
  4768 | SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe (15 identical entries)
- Suspicious use of SetThreadContext (4 IoCs)
  Processes: SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe
  description | pid | process | target process
  PID 4768 set thread context of 1388 | 4768 | SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe | SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe
  PID 4768 set thread context of 1916 | 4768 | SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe | SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe
  PID 4768 set thread context of 2268 | 4768 | SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe | SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe
  PID 4768 set thread context of 3668 | 4768 | SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe | SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (2 IoCs)
  Processes: WerFault.exe, WerFault.exe
  pid | pid_target | process | target process
  3544 | 1916 | WerFault.exe | SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe
  3484 | 2268 | WerFault.exe |
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  Processes: SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe
  pid | process
  4768 | SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe
  4224 | powershell.exe
  4236 | powershell.exe
  436 | powershell.exe
  928 | powershell.exe
  1388 | SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe
  1388 | SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe
  1388 | SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe
  4236 | powershell.exe
  4224 | powershell.exe
  436 | powershell.exe
  928 | powershell.exe
  4224 | powershell.exe
  4236 | powershell.exe
  436 | powershell.exe
  928 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes: SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe
  description | pid | process
  Token: SeDebugPrivilege | 4768 | SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe
  Token: SeDebugPrivilege | 4224 | powershell.exe
  Token: SeDebugPrivilege | 4236 | powershell.exe
  Token: SeDebugPrivilege | 436 | powershell.exe
  Token: SeDebugPrivilege | 928 | powershell.exe
  Token: SeDebugPrivilege | 1388 | SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe
  pid | process
  1388 | SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe
- Suspicious use of WriteProcessMemory (35 IoCs)
  Processes: SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe
  description | pid | process | target process
  PID 4768 wrote to memory of 4224 | 4768 | SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe | powershell.exe (3 identical entries)
  PID 4768 wrote to memory of 4236 | 4768 | SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe | powershell.exe (3 identical entries)
  PID 4768 wrote to memory of 436 | 4768 | SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe | powershell.exe (3 identical entries)
  PID 4768 wrote to memory of 928 | 4768 | SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe | powershell.exe (3 identical entries)
  PID 4768 wrote to memory of 1388 | 4768 | SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe | SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe (8 identical entries)
  PID 4768 wrote to memory of 1916 | 4768 | SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe | SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe (4 identical entries)
  PID 4768 wrote to memory of 2268 | 4768 | SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe | SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe (4 identical entries)
  PID 4768 wrote to memory of 3668 | 4768 | SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe | SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe (4 identical entries)
  PID 4768 wrote to memory of 4392 | 4768 | SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe | SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe (3 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe"
  - Modifies WinLogon for persistence
  - Checks BIOS information in registry
  - Drops startup file
  - Windows security modification
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe"
    - C:\Windows\SysWOW64\WerFault.exe (depth 3)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 88
      - Program crash
  - C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe"
  - C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe"
  - C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.29347.exe"
- C:\Windows\SysWOW64\WerFault.exe (depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 88
  - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  MD5: 1c19c16e21c97ed42d5beabc93391fc5
  SHA1: 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
  SHA256: 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
  SHA512: 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 8a426f06b7043f7d241c8d7d3e3ad3e6
  SHA1: 4538145eb55e18b94dc125a3339619121d498361
  SHA256: 1f4c40840229a75baf42d6d440cbc1659f8f6e20a4911163cff17b1135e0db73
  SHA512: 2b3afe6bae9394419f2dce0efb11acd159af2541580511423b8f9d8bdc97ba4a99e03106909c33756472c73c1abd68909362abe4d2096b2bdf79dc8a8da02d30
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 2fce1987d7291a645a63ff3f44ebd06b
  SHA1: d1a5620dbdd49d2a5fcd40f5ae6be24787820564
  SHA256: ffe352df05bb8a3ae86ca9b375ae35dc255e645ca7589fa0a5f22fd4ab0c8455
  SHA512: 2c0f262e515aad0e990d401fc93263af4c8c5a5b4a250efc43d7de6213d9fcd34e4c0be681675baa4273ce4d415239dc73044fe1e6c86816d8ed16d984dcd6f6
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: d189141fa0523d10a61f1cf7de702256
  SHA1: f182eba95831b49d8eebcb3b3980d548c66784af
  SHA256: edb20218b4ad3789aff5249ab7a4c302b1c5d61eb52ac02b78b46a6cb66c65d2
  SHA512: 7e4ea68075a441d39c75d843d90f8c9c2a03e5bfaa4304e82a231d4ff4d3c672d5452ce3ea35526e8962314a6d2e092a9e6967d41f9bf0f4883d2b320e5f58b3
- memory/436-14-0x0000000000000000-mapping.dmp
- memory/436-51-0x0000000001072000-0x0000000001073000-memory.dmp (Filesize: 4KB)
- memory/436-44-0x0000000001070000-0x0000000001071000-memory.dmp (Filesize: 4KB)
- memory/436-22-0x0000000073150000-0x000000007383E000-memory.dmp (Filesize: 6.9MB)
- memory/436-134-0x0000000001073000-0x0000000001074000-memory.dmp (Filesize: 4KB)
- memory/436-112-0x000000007EDB0000-0x000000007EDB1000-memory.dmp (Filesize: 4KB)
- memory/928-131-0x00000000071D3000-0x00000000071D4000-memory.dmp (Filesize: 4KB)
- memory/928-77-0x0000000008730000-0x0000000008731000-memory.dmp (Filesize: 4KB)
- memory/928-17-0x0000000000000000-mapping.dmp
- memory/928-125-0x0000000009900000-0x0000000009901000-memory.dmp (Filesize: 4KB)
- memory/928-119-0x00000000096C0000-0x00000000096C1000-memory.dmp (Filesize: 4KB)
- memory/928-69-0x00000000082D0000-0x00000000082D1000-memory.dmp (Filesize: 4KB)
- memory/928-114-0x00000000071A0000-0x00000000071A1000-memory.dmp (Filesize: 4KB)
- memory/928-135-0x0000000009860000-0x0000000009861000-memory.dmp (Filesize: 4KB)
- memory/928-23-0x0000000073150000-0x000000007383E000-memory.dmp (Filesize: 6.9MB)
- memory/928-73-0x00000000086E0000-0x00000000086E1000-memory.dmp (Filesize: 4KB)
- memory/928-49-0x00000000071D0000-0x00000000071D1000-memory.dmp (Filesize: 4KB)
- memory/928-52-0x00000000071D2000-0x00000000071D3000-memory.dmp (Filesize: 4KB)
- memory/928-100-0x000000007E890000-0x000000007E891000-memory.dmp (Filesize: 4KB)
- memory/928-143-0x0000000009840000-0x0000000009841000-memory.dmp (Filesize: 4KB)
- memory/928-83-0x0000000009590000-0x00000000095C3000-memory.dmp (Filesize: 204KB)
- memory/1388-157-0x0000000005131000-0x0000000005132000-memory.dmp (Filesize: 4KB)
- memory/1388-29-0x0000000073150000-0x000000007383E000-memory.dmp (Filesize: 6.9MB)
- memory/1388-129-0x0000000005440000-0x0000000005441000-memory.dmp (Filesize: 4KB)
- memory/1388-27-0x000000000043748E-mapping.dmp
- memory/1388-48-0x0000000005130000-0x0000000005131000-memory.dmp (Filesize: 4KB)
- memory/1388-25-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/1916-33-0x000000000043748E-mapping.dmp
- memory/2268-40-0x000000000043748E-mapping.dmp
- memory/3484-57-0x0000000004CE0000-0x0000000004CE1000-memory.dmp (Filesize: 4KB)
- memory/3544-56-0x0000000004570000-0x0000000004571000-memory.dmp (Filesize: 4KB)
- memory/3668-47-0x000000000043748E-mapping.dmp
- memory/4224-109-0x000000007F1A0000-0x000000007F1A1000-memory.dmp (Filesize: 4KB)
- memory/4224-133-0x0000000000F33000-0x0000000000F34000-memory.dmp (Filesize: 4KB)
- memory/4224-15-0x0000000073150000-0x000000007383E000-memory.dmp (Filesize: 6.9MB)
- memory/4224-32-0x0000000000F30000-0x0000000000F31000-memory.dmp (Filesize: 4KB)
- memory/4224-43-0x0000000006AD0000-0x0000000006AD1000-memory.dmp (Filesize: 4KB)
- memory/4224-61-0x0000000007500000-0x0000000007501000-memory.dmp (Filesize: 4KB)
- memory/4224-53-0x0000000006C50000-0x0000000006C51000-memory.dmp (Filesize: 4KB)
- memory/4224-39-0x0000000000F32000-0x0000000000F33000-memory.dmp (Filesize: 4KB)
- memory/4224-18-0x0000000000C40000-0x0000000000C41000-memory.dmp (Filesize: 4KB)
- memory/4224-12-0x0000000000000000-mapping.dmp
- memory/4236-105-0x000000007E100000-0x000000007E101000-memory.dmp (Filesize: 4KB)
- memory/4236-20-0x0000000007530000-0x0000000007531000-memory.dmp (Filesize: 4KB)
- memory/4236-34-0x0000000006EF0000-0x0000000006EF1000-memory.dmp (Filesize: 4KB)
- memory/4236-16-0x0000000073150000-0x000000007383E000-memory.dmp (Filesize: 6.9MB)
- memory/4236-36-0x0000000006EF2000-0x0000000006EF3000-memory.dmp (Filesize: 4KB)
- memory/4236-13-0x0000000000000000-mapping.dmp
- memory/4236-132-0x0000000006EF3000-0x0000000006EF4000-memory.dmp (Filesize: 4KB)
- memory/4768-42-0x0000000006890000-0x0000000006891000-memory.dmp (Filesize: 4KB)
- memory/4768-2-0x0000000073150000-0x000000007383E000-memory.dmp (Filesize: 6.9MB)
- memory/4768-11-0x00000000068E0000-0x00000000068E1000-memory.dmp (Filesize: 4KB)
- memory/4768-10-0x0000000006800000-0x0000000006864000-memory.dmp (Filesize: 400KB)
- memory/4768-9-0x00000000064A0000-0x00000000064A1000-memory.dmp (Filesize: 4KB)
- memory/4768-8-0x00000000064F0000-0x00000000064F1000-memory.dmp (Filesize: 4KB)
- memory/4768-7-0x0000000005780000-0x0000000005781000-memory.dmp (Filesize: 4KB)
- memory/4768-6-0x00000000055B0000-0x00000000055B1000-memory.dmp (Filesize: 4KB)
- memory/4768-5-0x0000000005A10000-0x0000000005A11000-memory.dmp (Filesize: 4KB)
- memory/4768-3-0x0000000000D50000-0x0000000000D51000-memory.dmp (Filesize: 4KB)