Analysis
-
max time kernel
153s -
max time network
24s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
01-02-2022 01:25
Static task
static1
Behavioral task
behavioral1
Sample
aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe
Resource
win7-en-20211208
windows7_x64
0 signatures
0 seconds
General
-
Target
aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe
-
Size
65KB
-
MD5
5326329820103eddbd231b1898816204
-
SHA1
77557dd9115aa0be7b509b301a526a4234496e37
-
SHA256
aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5
-
SHA512
534de02ead299dcdec9cc1aac244a4afe6f1c1b891948aae62e1419c0242ddea9999d0885eb166c6b76a1a068a54ca9ebe3bb6ec239fa4c7348c6ac28b2b1af9
Score
10/10
Malware Config
Extracted
Path
C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\ManagedObjects\DAC840-Readme.txt
Family
netwalker
Ransom Note
Hi!
Your files are encrypted.
All encrypted files for this computer has extension: .dac840
--
If for some reason you read this text before the encryption ended,
this can be understood by the fact that the computer slows down,
and your heart rate has increased due to the ability to turn it off,
then we recommend that you move away from the computer and accept that you have been compromised.
Rebooting/shutdown will cause you to lose files without the possibility of recovery.
--
Our encryption algorithms are very strong and your files are very well protected,
the only way to get your files back is to cooperate with us and get the decrypter program.
Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover.
For us this is just business and to prove to you our seriousness, we will decrypt you one file for free.
Just open our website, upload the encrypted file and get the decrypted file for free.
Additionally, you must know that your sensitive data has been stolen by our analyst experts and if you choose to no cooperate with us, you are exposing yourself
to huge penalties with lawsuits and government if we both don't find an agreement. We have seen it before; cases with multi million costs in fines and lawsuits,
not to mention the company reputation and loosing clients trust and the medias calling non-stop for answers. Come chat with us and you could be surprised on how
fast we both can find an agreement without getting this incident public.
--
Steps to get access on our website:
1.Download and install tor-browser: https://torproject.org/
2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
3.Put your personal code in the input form:
{code_dac840:
Vuzqs0I7CS8JxO1mJWFio9EvAZ3nf0Pf3cXg/DXROdkOMTNQEo
CaFKN5Z9bfwUj3WilFawWhSNRj6lAYVDVC7F63wLda+t8yurP5
y5dAyNrVdN0UJV8himE1qQEG4+WdqkRjpIob597Yesxeq0nmG6
qC9WmzOhNMQ/crHFyEOP89OujelzqAZifTMZtgd8+DTEAaj7lD
EsHFqY1fDPWxxc29tTnyooHXaAuIK72h4vT5x6xI5RGOu6n4iq
TDb7hEBbRmTkhQZEFpOoK8fWk0horeUjOuj+rOpQ==}
URLs
http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Signatures
-
Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
-
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File opened for modification C:\Users\Admin\Pictures\ResolveConvertFrom.tiff aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18212_.WMF aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGMASTHD.DPV aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_Earthy.gif aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files\Java\jre7\lib\fontconfig.bfc aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\BOMB.WAV aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ACCTBOX.POC aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\HICCUP.WAV aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessData.xml aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL107.XML aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File created C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\DAC840-Readme.txt aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\EXLIRMV.XML aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files\VideoLAN\VLC\New_Skins.url aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files\7-Zip\readme.txt aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\LICENSE aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\DataMatrix.pmp aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OSPP.VBS aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Horizon.thmx aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0234131.WMF aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN058.XML aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18187_.WMF aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\1033\DAC840-Readme.txt aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\DAC840-Readme.txt aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\Maple.gif aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Paper.thmx aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB00760L.GIF aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0216724.WMF aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\HLS.api aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143746.GIF aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGACCBOX.XML aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\Discussion.gta aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileHighMask.bmp aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\ACWZMAIN.ACCDE aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files\7-Zip\descript.ion aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files\VideoLAN\VLC\skins\default.vlt aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\msolui100.rll aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Grid.thmx aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\GostName.XSL aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN108.XML aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\DiscussionToolIconImages.jpg aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0222021.WMF aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\IPIRM.XML aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendToOneNote.gpd aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Flow.thmx aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0090386.WMF aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.XML aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL011.XML aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\sd\icecast.luac aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE.MANIFEST aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\vlc.mo aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\vlc.mo aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ACCSBAR.POC aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\mobile.css aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Library\Analysis\ANALYS32.XLL aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Issues.accdt aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\vlc.mo aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Apothecary.thmx aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18223_.WMF aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Stationery\1033\DADSHIRT.GIF aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSCOL11.INF aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\GostTitle.XSL aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe Token: SeImpersonatePrivilege 524 aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe"C:\Users\Admin\AppData\Local\Temp\aac855c95b93a7059e4d28ca7527e8ff539b03ee6ac96e8e140f43784f09b7c5.exe"1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:524