Analysis
- max time kernel: 128s
- max time network: 102s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 20-01-2021 11:09
- Static task: static1
- Behavioral task: behavioral1, sample SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe, resource win7v20201028
- Behavioral task: behavioral2, sample SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe, resource win10v20201028 (the Windows 10 run whose results are reported below)

General
- Target: SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe
- Size: 32KB
- MD5: edeae783c7249315102d03a637fd3257
- SHA1: 22044ad362803278ec491b260e6d34a6342f17f4
- SHA256: 74957e6668e2336b8892c3943890462ee2f7e7782d25b574e8184a3862a1b396
- SHA512: 88f3eee886d178455e516326ffaa7ed6f32d234583be4b10738ae7c0097fe1f503e6c9c5f95107f80ec82bfb236f36372c6d5a7c837c0415240c4ffcc329f202
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.privateemail.com
- Port: 587
- Username: sales1@razorwirefecning.com
- Password: Blessings@12345
Port 587 is the SMTP submission port: in this mode Agent Tesla logs in to the attacker's mailbox with the embedded credentials and sends the harvested data as outbound mail. An authenticated connection to mail.privateemail.com:587 from a process that is not a mail client is the network indicator to hunt for, and the hard-coded account is an indicator in its own right.
Signatures

AgentTesla
Agent Tesla is a .NET information stealer and keylogger, commonly classed as a remote access tool (RAT); its early versions were written in Visual Basic .NET. It harvests credentials from browsers, mail and FTP clients, captures keystrokes and clipboard contents, and exfiltrates over SMTP, FTP or HTTP. This sample is configured for SMTP exfiltration (see Malware Config).

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Process: SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe\""
Winlogon starts every comma-separated entry in the Shell value, so the normal explorer.exe desktop still appears and the sample is launched beside it at each logon. The value is written under the user's own hive (HKCU), which needs no administrative rights.
Turns off Windows Defender SpyNet reporting (2 TTPs)
The SpyNetReporting and SubmitSamplesConsent writes that trigger this are listed with the other Defender modifications below; they are meant to disable cloud-delivered (MAPS) lookups and automatic sample submission.

AgentTesla Payload (4 IoCs)
YARA rule family_agenttesla matched these memory dumps:
- behavioral2/memory/4804-10-0x0000000005AB0000-0x0000000005B14000-memory.dmp
- behavioral2/memory/4324-29-0x000000000043749E-mapping.dmp
- behavioral2/memory/4324-28-0x0000000000400000-0x000000000043C000-memory.dmp
- behavioral2/memory/1996-33-0x000000000043749E-mapping.dmp
The hits in 4324 and 1996 sit at 0x400000, the default image base of a 32-bit executable, inside child copies of the sample; together with the SetThreadContext and WriteProcessMemory events below they are the injected payload. The 400KB region in the parent (4804) is consistent with the payload being unpacked in memory before injection.

Looks for VirtualBox Guest Additions in registry (2 TTPs)

Looks for VMWare Tools registry key (2 TTPs)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments; virtual machines expose hypervisor-specific strings in these values.
Process: SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
These are reads, not writes: endpoint telemetry such as Sysmon records key creation, deletion, renames and value sets but not queries, so this check is visible in an API trace or a sandbox, not in registry event logs.

Drops startup file (2 IoCs)
Process: SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe
- File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe
- File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe
A copy in the per-user Startup folder runs at every logon. The same path is then added to the Defender exclusion list (see the Defender modifications and the Add-MpPreference PowerShell commands below), so the copy is shielded from scanning.

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Windows security modification (11 IoCs)
Process: SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe = "0"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe = "0"
Two caveats on how effective this is. The sample is a 32-bit process, so these direct writes were redirected into the WOW6432Node view of HKLM\SOFTWARE, which is not where the 64-bit Defender service keeps its configuration; and with Tamper Protection enabled Defender rejects direct registry changes to these settings in any case. The Add-MpPreference calls the sample issues through PowerShell (see the process tree) go through Defender's management interface instead and, run with administrative rights, are the route by which the two exclusions would actually be added.
Adds Run key to start application (2 TTPs, 2 IoCs)
Process: SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe"
- Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe"
Together with the Winlogon Shell value and the Startup-folder copy, the sample sets up three independent autostarts, all in user-writable locations.
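The registry writes behind the Winlogon, Run-key and Defender-modification signatures above can be triaged mechanically. The following Python is an added example, not part of the sandbox report or of any vendor's tooling: it normalises the sandbox's NT-native key paths (\REGISTRY\MACHINE, \REGISTRY\USER\<SID>, the WOW6432Node view) and matches them against a small rule set mapped to ATT&CK techniques. The event dicts are constructed from the IoCs above in an assumed, simplified schema (op, path, value), not a real log format; the last event is a benign control.

```python
import re

# Names copied from the report; they keep the constructed events readable.
SAMPLE = "SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE
STARTUP = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu"
           r"\Programs\Startup" + "\\" + SAMPLE)
USER_HIVE = r"\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000"
DEFENDER_WOW = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender"

# Constructed events in an assumed, simplified schema (op, path, value).
# Paths and values are the report's IoCs; the last entry is a benign
# control (an Explorer view setting) that must not produce a finding.
EVENTS = [
    {"op": "set", "path": USER_HIVE + r"\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell",
     "value": 'explorer.exe,"%s"' % TEMP},
    {"op": "set", "path": USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run" + "\\" + SAMPLE,
     "value": TEMP},
    {"op": "set", "path": DEFENDER_WOW + r"\Real-Time Protection\DisableRealtimeMonitoring", "value": 1},
    {"op": "set", "path": DEFENDER_WOW + r"\Spynet\SpyNetReporting", "value": 0},
    {"op": "set", "path": DEFENDER_WOW + r"\Spynet\SubmitSamplesConsent", "value": 0},
    {"op": "set", "path": DEFENDER_WOW + r"\Features\TamperProtection", "value": 0},
    {"op": "set", "path": DEFENDER_WOW + r"\Exclusions\Paths" + "\\" + STARTUP, "value": 0},
    {"op": "set", "path": DEFENDER_WOW + r"\Exclusions\Paths" + "\\" + TEMP, "value": 0},
    {"op": "create", "path": DEFENDER_WOW + r"\Exclusions\Paths"},
    {"op": "set", "path": USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "value": 1},
]

SID_HIVE = re.compile(r"^\\REGISTRY\\USER\\S-1-5-21-\d+-\d+-\d+-\d+\\", re.I)
WINLOGON_SHELL = re.compile(
    r"^HK(?:LM|CU)\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell$", re.I)
RUN_KEY = re.compile(
    r"^HK(?:LM|CU)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\(.+)$", re.I)
DEFENDER = re.compile(r"^HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\(.+)$", re.I)

# Defender values (lower-cased) and the setting that disables the protection.
DEFENDER_KILL = {
    "real-time protection\\disablerealtimemonitoring": "1",
    "spynet\\spynetreporting": "0",
    "spynet\\submitsamplesconsent": "0",
    "features\\tamperprotection": "0",
}


def normalise(path):
    """Map the sandbox's NT-native key path onto HKLM/HKCU and drop the
    WOW6432Node view, so 32-bit and 64-bit writers hit the same rule."""
    p = SID_HIVE.sub(lambda m: "HKCU\\", path)
    p = re.sub(r"^\\REGISTRY\\MACHINE\\", lambda m: "HKLM\\", p, flags=re.I)
    return re.sub(r"\\WOW6432Node\\", lambda m: "\\", p, flags=re.I)


def classify(event):
    """Return (ATT&CK technique, summary) for a suspicious write, else None."""
    if event["op"] != "set":
        return None  # key creation on its own is not actionable here
    path = normalise(event["path"])
    value = str(event.get("value", "")).strip()
    if WINLOGON_SHELL.match(path):
        # Winlogon launches every comma-separated entry, so anything beyond
        # the bare default shell is an extra autostart.
        if value.lower() != "explorer.exe":
            return ("T1547.004", "Winlogon Shell replaced with %s" % value)
        return None
    m = RUN_KEY.match(path)
    if m:
        return ("T1547.001", "Run entry %s -> %s" % (m.group(1), value))
    m = DEFENDER.match(path)
    if m:
        sub = m.group(1)
        if DEFENDER_KILL.get(sub.lower()) == value:
            return ("T1562.001", "Defender setting %s = %s" % (sub, value))
        if sub.lower().startswith("exclusions\\paths\\"):
            return ("T1562.001", "Defender exclusion for %s" % sub.split("\\", 2)[2])
    return None


def triage(events):
    """Run every event through classify() and keep the findings, in order."""
    return [hit for hit in map(classify, events) if hit]


if __name__ == "__main__":
    for technique, summary in triage(EVENTS):
        print(technique, summary)
```

Run directly it prints the eight findings from this sample (one Winlogon, one Run key, six Defender). Feeding it real Sysmon Event ID 13 data only needs a mapping from the TargetObject and Details fields onto path and value. The Winlogon rule treats anything other than the bare explorer.exe as suspicious because Winlogon executes every comma-separated entry, which is exactly the trick this sample relies on.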
Legitimate hosting services abused for malware hosting/C2 (1 TTP)
The exfiltration host in the extracted config, mail.privateemail.com, is a commercial hosted-mail service, so the traffic is ordinary SMTP submission to a reputable provider rather than to attacker-owned infrastructure. Blocking by destination alone is not practical; the process making the connection and the account in use are the better signals.

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Process: SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0
Disk\Enum\0 holds the device instance path of the first disk, which embeds the vendor and model string, so a virtual disk from VirtualBox, VMware or QEMU is easy to recognise there.
Suspicious use of NtSetInformationThreadHideFromDebugger (15 IoCs)
Process: PID 4804 SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe (15 calls)
NtSetInformationThread with the ThreadHideFromDebugger class detaches the calling thread from any attached debugger, which then stops receiving its debug events; repeated calls from the parent are an anti-analysis measure, not normal application behaviour.
Suspicious use of SetThreadContext (4 IoCs)
Process: PID 4804 SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe set the thread context of four child copies of itself:
- 4804 -> 4324 SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe
- 4804 -> 1996 SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe
- 4804 -> 4428 SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe
- 4804 -> 4536 SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe
Starting a copy of itself, writing into it (see WriteProcessMemory below) and then resetting a thread's context to the written code is the process-hollowing (RunPE) pattern, ATT&CK T1055.012; the family_agenttesla matches in 4324 and 1996 at 0x400000-0x43C000 are that injected image.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The generic signature text calls this likely ransomware behaviour, but that reading does not fit this run: no file-encryption or mass file-modification activity is reported, and in an infostealer that also reads Disk\Enum the drive enumeration is better explained as sandbox detection and drive mapping.

Suspicious behavior: EnumeratesProcesses (15 IoCs)
Processes (15 enumeration events in total):
- 844 powershell.exe (3)
- 8 powershell.exe (3)
- 1164 powershell.exe (3)
- 1596 powershell.exe (3)
- 4804 SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe (1)
- 4324 SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe (2)
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Token: SeDebugPrivilege enabled by
- 4804 SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe
- 8 powershell.exe
- 844 powershell.exe
- 1164 powershell.exe
- 1596 powershell.exe
- 4324 SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Process: PID 4324 SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe
4324 is one of the hollowed copies carrying the family_agenttesla payload; a Windows hook installed from it is consistent with Agent Tesla's keylogger, which captures keystrokes through a SetWindowsHookEx keyboard hook.
Suspicious use of WriteProcessMemory (44 IoCs)
Process: PID 4804 SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe wrote to the memory of
- 844 powershell.exe (3 writes)
- 8 powershell.exe (3 writes)
- 1164 powershell.exe (3 writes)
- 1596 powershell.exe (3 writes)
- 4324 SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe (8 writes)
- 1996 SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe (8 writes)
- 4428 SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe (8 writes)
- 4536 SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe (8 writes)
The three writes into each PowerShell child are what ordinary process creation looks like in this trace; the eight writes into each copy of the sample, paired with the SetThreadContext calls above, are the injection.
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe"
  - Modifies WinLogon for persistence
  - Checks BIOS information in registry
  - Drops startup file
  - Windows security modification
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe"
  - C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe"
  - C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.19387.exe"

Two things to read from the tree. The PowerShell image path is under SysWOW64 while the command line names System32: the sample is a 32-bit process, so its child launches are subject to WoW64 file-system redirection, the same mechanism that sent its HKLM writes into WOW6432Node. The four PowerShell children are the processes 844, 8, 1164 and 1596 of the WriteProcessMemory signature; they exclude the Startup copy three times and the Temp copy once. The four child copies of the sample are 4324, 1996, 4428 and 4536, the targets of SetThreadContext and WriteProcessMemory, and the first of them is the one that also raises SetWindowsHookEx.
MITRE ATT&CK Matrix: ATT&CK v6 (the TTP counts in the signatures above refer to this version)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  MD5: db01a2c1c7e70b2b038edf8ad5ad9826
  SHA1: 540217c647a73bad8d8a79e3a0f3998b5abd199b
  SHA256: 413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d
  SHA512: c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: ba67620244c0106c1df4b3dc829180f5
  SHA1: 1586076fb0d76ad6be6acbd979e64b1167909a66
  SHA256: 70b7430ef95d7c44ad32a55913b7d2ae4eda7e98213c66caf4f029b14fd3fcc9
  SHA512: 441b088bfcab57a98cb7817f384eb2e2710d563ab53543fc6b2c46d9fb3e6083fa4885da476e70bc51eaa86d96aea63d0d0fa2d1ebc608b2fb518f01cae8c879
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 62c470720e6234e7bdf10f95a192b06d
  SHA1: a43f37920c6cb1a90a0667917df0b99fdaf3383c
  SHA256: 281257d5e004a9d1fca790e70c4ae2082ac27858ac5369ba71e49ae2621b9b31
  SHA512: 9113cbeef8bfb1555634a1e717596b67d68d60e74259e966e979deaebb021a95822a0fdfa0d444f60c3a68c9fd1e3c1640f7eceeb44b24d8a6ee2b23a1980013
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 21612655e1519167c97ee3e010ff46ad
  SHA1: fe9bda84d7160c891fc37923f858a4922b6f4f54
  SHA256: 96462492ef0e3adccb06d9e87bdb609408f7ecc7442e25f1bf5f6a7c5735e7a7
  SHA512: 41cafc69aa5efbd69ce56c9b3eea7796860fef623e2f667d64e875db121fd034bc27543d79ffbd2cf8278110277300fb42761fbc3d4fad35dbde163cc11f541f
These four files are side effects of the PowerShell children starting (the 32-bit CLR usage log and PowerShell's non-interactive startup profile cache, rewritten by each instance), not payloads written by the malware; the only file the sample itself writes is the Startup-folder copy listed under Drops startup file.

Memory dumps from the run, with the dumped region and its size (mapping.dmp entries carry no size):
- memory/8-120-0x000000007F1F0000-0x000000007F1F1000-memory.dmp (4KB)
- memory/8-30-0x0000000007F90000-0x0000000007F91000-memory.dmp (4KB)
- memory/8-126-0x0000000004F43000-0x0000000004F44000-memory.dmp (4KB)
- memory/8-116-0x0000000009910000-0x0000000009911000-memory.dmp (4KB)
- memory/8-112-0x00000000097A0000-0x00000000097A1000-memory.dmp (4KB)
- memory/8-84-0x00000000097C0000-0x00000000097F3000-memory.dmp (204KB)
- memory/8-13-0x0000000000000000-mapping.dmp
- memory/8-48-0x0000000004F42000-0x0000000004F43000-memory.dmp (4KB)
- memory/8-39-0x0000000008220000-0x0000000008221000-memory.dmp (4KB)
- memory/8-17-0x00000000739D0000-0x00000000740BE000-memory.dmp (6.9MB)
- memory/8-40-0x0000000004F40000-0x0000000004F41000-memory.dmp (4KB)
- memory/8-49-0x00000000082C0000-0x00000000082C1000-memory.dmp (4KB)
- memory/844-124-0x000000007E870000-0x000000007E871000-memory.dmp (4KB)
- memory/844-16-0x00000000739D0000-0x00000000740BE000-memory.dmp (6.9MB)
- memory/844-70-0x0000000008070000-0x0000000008071000-memory.dmp (4KB)
- memory/844-18-0x00000000070D0000-0x00000000070D1000-memory.dmp (4KB)
- memory/844-127-0x0000000007213000-0x0000000007214000-memory.dmp (4KB)
- memory/844-20-0x0000000007850000-0x0000000007851000-memory.dmp (4KB)
- memory/844-74-0x0000000008AA0000-0x0000000008AA1000-memory.dmp (4KB)
- memory/844-12-0x0000000000000000-mapping.dmp
- memory/844-45-0x0000000007212000-0x0000000007213000-memory.dmp (4KB)
- memory/844-36-0x0000000007210000-0x0000000007211000-memory.dmp (4KB)
- memory/844-78-0x0000000008890000-0x0000000008891000-memory.dmp (4KB)
- memory/1164-22-0x00000000739D0000-0x00000000740BE000-memory.dmp (6.9MB)
- memory/1164-52-0x00000000042A0000-0x00000000042A1000-memory.dmp (4KB)
- memory/1164-133-0x000000007E840000-0x000000007E841000-memory.dmp (4KB)
- memory/1164-130-0x00000000042A3000-0x00000000042A4000-memory.dmp (4KB)
- memory/1164-61-0x00000000042A2000-0x00000000042A3000-memory.dmp (4KB)
- memory/1164-14-0x0000000000000000-mapping.dmp
- memory/1596-125-0x0000000004E53000-0x0000000004E54000-memory.dmp (4KB)
- memory/1596-123-0x000000007F860000-0x000000007F861000-memory.dmp (4KB)
- memory/1596-144-0x0000000008840000-0x0000000008841000-memory.dmp (4KB)
- memory/1596-60-0x0000000004E50000-0x0000000004E51000-memory.dmp (4KB)
- memory/1596-62-0x0000000004E52000-0x0000000004E53000-memory.dmp (4KB)
- memory/1596-15-0x0000000000000000-mapping.dmp
- memory/1596-136-0x00000000099F0000-0x00000000099F1000-memory.dmp (4KB)
- memory/1596-23-0x00000000739D0000-0x00000000740BE000-memory.dmp (6.9MB)
- memory/1596-128-0x0000000009A90000-0x0000000009A91000-memory.dmp (4KB)
- memory/1996-35-0x00000000739D0000-0x00000000740BE000-memory.dmp (6.9MB)
- memory/1996-33-0x000000000043749E-mapping.dmp
- memory/4324-134-0x00000000057F0000-0x00000000057F1000-memory.dmp (4KB)
- memory/4324-31-0x00000000739D0000-0x00000000740BE000-memory.dmp (6.9MB)
- memory/4324-158-0x00000000054B1000-0x00000000054B2000-memory.dmp (4KB)
- memory/4324-57-0x00000000054B0000-0x00000000054B1000-memory.dmp (4KB)
- memory/4324-29-0x000000000043749E-mapping.dmp
- memory/4324-28-0x0000000000400000-0x000000000043C000-memory.dmp (240KB)
- memory/4428-41-0x000000000043749E-mapping.dmp
- memory/4428-46-0x00000000739D0000-0x00000000740BE000-memory.dmp (6.9MB)
- memory/4536-54-0x000000000043749E-mapping.dmp
- memory/4804-9-0x0000000005770000-0x0000000005771000-memory.dmp (4KB)
- memory/4804-8-0x00000000057F0000-0x00000000057F1000-memory.dmp (4KB)
- memory/4804-11-0x0000000005B90000-0x0000000005B91000-memory.dmp (4KB)
- memory/4804-65-0x0000000006000000-0x0000000006001000-memory.dmp (4KB)
- memory/4804-2-0x00000000739D0000-0x00000000740BE000-memory.dmp (6.9MB)
- memory/4804-7-0x0000000002330000-0x0000000002331000-memory.dmp (4KB)
- memory/4804-6-0x0000000004870000-0x0000000004871000-memory.dmp (4KB)
- memory/4804-5-0x0000000004C90000-0x0000000004C91000-memory.dmp (4KB)
- memory/4804-3-0x0000000000020000-0x0000000000021000-memory.dmp (4KB)
- memory/4804-10-0x0000000005AB0000-0x0000000005B14000-memory.dmp (400KB)
The 0x43749E address in the mapping entries for 4324, 1996, 4428 and 4536 falls inside the 0x400000-0x43C000 image dumped from 4324, consistent with the entry point each child was redirected to via SetThreadContext; the 240KB dump of that image and the 400KB buffer in 4804 are the regions to carve for the unpacked Agent Tesla payload and its configuration.