Analysis
max time kernel: 4294204s
max time network: 150s
platform: windows7_x64
resource: win7-20220223-en
submitted: 06-03-2022 06:33

Static task: static1
Behavioral task: behavioral1
  Sample: dfa8f8fa060226161b3f4a00844196cb883e274d22f6623196553c41244a93fc.exe
  Resource: win7-20220223-en
Behavioral task: behavioral2
  Sample: dfa8f8fa060226161b3f4a00844196cb883e274d22f6623196553c41244a93fc.exe
  Resource: win10v2004-en-20220113
General
Target: dfa8f8fa060226161b3f4a00844196cb883e274d22f6623196553c41244a93fc.exe
Size: 1.1MB
MD5: be99e3d9cec624afe102e52ddb8be793
SHA1: f28bc0e2cfbe1f0e11317e19318334e50016794b
SHA256: dfa8f8fa060226161b3f4a00844196cb883e274d22f6623196553c41244a93fc
SHA512: 9c416206c4fd843b6b3e8530c53eed098a7246b9f8bc3916d745c73cc65766b9bd217ae644234cb106a5feb2a8206696aa571e68ecc543636aeb1e7e64541731
Malware Config
Extracted from C:\README1.txt, C:\README2.txt, C:\README3.txt, C:\README4.txt, C:\README5.txt, C:\README6.txt, C:\README7.txt, C:\README8.txt, C:\README9.txt and C:\README10.txt. Every note carries the same three URLs:
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
The .onion.to and .onion.cab forms are clearnet (Tor2web-style) gateway mirrors of the same hidden service, so the single indicator to track is the host cryptsen7fo43rr6.onion; the gateways are only there so that victims without a Tor browser can reach the payment page.
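The extracted configuration above consists of ten ransom notes that all point at one hidden service through three URL forms. The script below is an added example for this page, not code from the report or the sandbox: it pulls onion/gateway URLs out of note text, collapses the gateway mirrors to the canonical .onion host, and groups the ten note paths by content hash so that identical notes count once. The note wording and the gateway suffix list are assumptions of the example; only the three URLs and the README paths come from the report.

```python
import hashlib
import re
from typing import Dict, List, Optional

# Clearnet gateway suffixes seen in this report's notes. This tuple is an assumption
# of the example, not a list taken from the report; extend it as you meet other gateways.
GATEWAY_SUFFIXES = (".onion.to", ".onion.cab")

# 16-char (v2) or 56-char (v3) base32 onion label, ".onion", then any gateway labels.
ONION_URL_RE = re.compile(
    r"https?://(?P<label>[a-z2-7]{16}|[a-z2-7]{56})"
    r"(?P<suffix>\.onion(?:\.[a-z0-9-]+)*)/?",
    re.IGNORECASE,
)


def canonical_onion(url: str) -> Optional[str]:
    """Map a .onion URL or a known gateway mirror of it to the hidden-service host."""
    m = ONION_URL_RE.fullmatch(url.strip())
    if m is None:
        return None
    suffix = m.group("suffix").lower()
    if suffix != ".onion" and suffix not in GATEWAY_SUFFIXES:
        return None  # unknown suffix: report nothing rather than guess
    return f"{m.group('label').lower()}.onion"


def extract_indicators(note_text: str) -> Dict[str, object]:
    """Pull every onion/gateway URL out of a ransom note and collapse them to hosts."""
    urls: List[str] = [m.group(0) for m in ONION_URL_RE.finditer(note_text)]
    hosts = {h for h in (canonical_onion(u) for u in urls) if h is not None}
    return {"urls": urls, "hosts": hosts}


def dedupe_notes(notes: Dict[str, str]) -> Dict[str, List[str]]:
    """Group note paths by the SHA-256 of their content: identical notes share a key."""
    groups: Dict[str, List[str]] = {}
    for path, text in notes.items():
        digest = hashlib.sha256(text.encode("utf-8")).hexdigest()
        groups.setdefault(digest, []).append(path)
    return groups


# Constructed sample note. Only the three URLs are from the report; the wording around
# them is made up for the example.
SAMPLE_NOTE = (
    "Your files have been encrypted.\n"
    "To get the key, open one of these addresses:\n"
    "http://cryptsen7fo43rr6.onion/\n"
    "http://cryptsen7fo43rr6.onion.to/\n"
    "http://cryptsen7fo43rr6.onion.cab/\n"
)

# The report extracted the same configuration from C:\README1.txt .. C:\README10.txt.
SAMPLE_NOTES = {f"C:\\README{i}.txt": SAMPLE_NOTE for i in range(1, 11)}

if __name__ == "__main__":
    found = extract_indicators(SAMPLE_NOTE)
    print("URLs:", found["urls"])
    print("hidden services:", sorted(found["hosts"]))
    for digest, paths in dedupe_notes(SAMPLE_NOTES).items():
        print(f"{len(paths)} notes with sha256 {digest[:16]}...: {paths[0]} .. {paths[-1]}")
```

canonical_onion deliberately returns None for a suffix it does not know rather than stripping whatever follows .onion, so a new gateway shows up as an unmatched URL in the output instead of being silently folded into the host.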
Signatures

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies extensions of user files (1 IoC)
Ransomware generally changes the extension on encrypted files.
  File opened for modification: C:\Users\Admin\Pictures\DebugUnlock.tiff  (process: dfa8f8fa060226161b3f4a00844196cb883e274d22f6623196553c41244a93fc.exe)

yara rule match: upx (2 resources)
  behavioral1/memory/1664-56-0x0000000000400000-0x0000000000608000-memory.dmp
  behavioral1/memory/1664-57-0x0000000000400000-0x0000000000608000-memory.dmp
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 4 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""  (process: dfa8f8fa060226161b3f4a00844196cb883e274d22f6623196553c41244a93fc.exe)
  Key created: \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\  (process: dfa8f8fa060226161b3f4a00844196cb883e274d22f6623196553c41244a93fc.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""  (process: dfa8f8fa060226161b3f4a00844196cb883e274d22f6623196553c41244a93fc.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\  (process: dfa8f8fa060226161b3f4a00844196cb883e274d22f6623196553c41244a93fc.exe)
The value name and file name both imitate the legitimate Client Server Runtime Subsystem (csrss.exe), which lives in C:\Windows\System32; the data instead points to an executable named csrss.exe under C:\ProgramData\Windows. Persistence is written to both the machine-wide and the per-user Run key, and the Wow6432Node path shows the HKLM write of this 32-bit sample being redirected by WOW64 on the x64 host.
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 18: whatismyipaddress.com

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\61C1AA2A61C1AA2A.bmp"  (process: dfa8f8fa060226161b3f4a00844196cb883e274d22f6623196553c41244a93fc.exe)
Drops file in Program Files directory (64 IoCs)
Every entry is "File opened for modification" by dfa8f8fa060226161b3f4a00844196cb883e274d22f6623196553c41244a93fc.exe. These are writes to files that already exist under Program Files (the pattern of an encryptor walking the tree), not new payloads being written:
  C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\selection_subpicture.png
  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml
  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_hail.png
  C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_play.png
  C:\Program Files\VideoLAN\VLC\lua\http\requests\browse.json
  C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ef8c08_256x240.png
  C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_divider_right.png
  C:\Program Files\Windows Media Player\Network Sharing\ConnectionManager.xml
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-snaptracer.xml
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application-views.xml
  C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\flyout.html
  C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_pressed.png
  C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\cpu.html
  C:\Program Files\Java\jre7\lib\images\cursors\win32_CopyDrop32x32.gif
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler.xml
  C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_SelectionSubpicture.png
  C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-next-static.png
  C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_glass.png
  C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\currency.js
  C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\currency.html
  C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_double_orange.png
  C:\Program Files\VideoLAN\VLC\lua\http\vlm_export.html
  C:\Program Files\BackupTrace.cr2
  C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\currency.html
  C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\library.js
  C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\js\calendar.js
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler.xml
  C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\combo-hover-right.png
  C:\Program Files\VideoLAN\VLC\README.txt
  C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport.png
  C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationLeft_SelectionSubpicture.png
  C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground_PAL.wmv
  C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\slideShow.html
  C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\RSSFeeds.js
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-impl.xml
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html
  C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\timeZones.js
  C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-highlight.png
  C:\Program Files\Common Files\Microsoft Shared\ink\hwrfrash.dat
  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\45.png
  C:\Program Files\VideoLAN\VLC\lua\http\images\Audio-48.png
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-ui.xml
  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_snow.png
  C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_s.png
  C:\Program Files\7-Zip\Lang\mng2.txt
  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_over_BIDI.png
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_preferencestyle.css
  C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\RSSFeeds.js
  C:\Program Files\Windows Media Player\Network Sharing\MediaReceiverRegistrar.xml
  C:\Program Files\Java\jre7\lib\images\cursors\win32_LinkNoDrop32x32.gif
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.xml
  C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationLeft_SelectionSubpicture.png
  C:\Program Files\7-Zip\Lang\eo.txt
  C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_settings.png
  C:\Program Files\Java\jre7\README.txt
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-uihandler.xml
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-services.xml
  C:\Program Files\Windows Media Player\Media Renderer\DMR_48.png
  C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_SelectionSubpicture.png
  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\weather.css
  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\46.png
  C:\Program Files\VideoLAN\VLC\lua\http\requests\browse.xml
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\license.html
  C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\hint_over.png
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
  pid 1532 (WerFault.exe), pid_target 1208, procid_target 12

Interacts with shadow copies (2 TTPs, 3 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid 296: vssadmin.exe
  pid 1616: vssadmin.exe
  pid 1772: vssadmin.exe
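The three vssadmin children above (list, delete, list again, all spawned by the sample from the user's Temp directory) are the sequence a detection should key on. The following is an added example for this page, not code from the report or the sandbox: it walks process-creation records in order, alerts on every snapshot-deleting command line, and annotates each alert with whether the same parent enumerated shadows first and whether the parent image lives in a user-writable location. It goes beyond the report in one respect: the wmic shadowcopy delete form is included as a common equivalent even though this sample only used vssadmin. The record layout (Sysmon-style field names), the user-writable prefix list and the two benign admin events are assumptions of the example; the first three records reproduce the report's process tree.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Command lines that destroy VSS snapshots. The vssadmin form is what this report shows;
# the wmic form is added as a common equivalent and is not from the report.
DESTRUCTIVE_PATTERNS = [
    (re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.IGNORECASE), "vssadmin delete shadows"),
    (re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.IGNORECASE), "wmic shadowcopy delete"),
]
RECON_PATTERN = re.compile(r"\bvssadmin(\.exe)?\b.*\blist\s+shadows\b", re.IGNORECASE)

# Locations from which a parent process should not be deleting snapshots (assumed list).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def classify(command_line: str) -> Optional[str]:
    """Label a command line as destructive, recon, or None."""
    for pattern, label in DESTRUCTIVE_PATTERNS:
        if pattern.search(command_line):
            return label
    if RECON_PATTERN.search(command_line):
        return "vssadmin list shadows"
    return None


def shadow_copy_alerts(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Walk process-creation events in order and alert on each snapshot deletion.

    Each alert records whether the same parent already enumerated shadows (the
    list-then-delete sequence in this report) and whether the parent image lives
    in a user-writable location.
    """
    listed_by_parent = defaultdict(bool)  # parent pid -> ran "list shadows" earlier
    alerts: List[Dict[str, object]] = []
    for ev in events:
        label = classify(str(ev["CommandLine"]))
        if label is None:
            continue
        parent_pid = ev["ParentProcessId"]
        if label == "vssadmin list shadows":
            listed_by_parent[parent_pid] = True
            continue
        parent_image = str(ev["ParentImage"]).lower()
        alerts.append({
            "pid": ev["ProcessId"],
            "technique": label,
            "parent_pid": parent_pid,
            "parent_image": ev["ParentImage"],
            "enumerated_first": listed_by_parent[parent_pid],
            "parent_in_user_writable": parent_image.startswith(USER_WRITABLE_PREFIXES),
        })
    return alerts


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\dfa8f8fa060226161b3f4a00844196cb883e274d22f6623196553c41244a93fc.exe"

# Constructed Sysmon-style records. The first three mirror the report's process tree
# (PIDs 296, 1616, 1772 under PID 1664); the last two are invented benign admin activity.
SAMPLE_EVENTS = [
    {"ProcessId": 296, "Image": r"C:\Windows\system32\vssadmin.exe",
     "CommandLine": r"C:\Windows\system32\vssadmin.exe List Shadows",
     "ParentProcessId": 1664, "ParentImage": SAMPLE},
    {"ProcessId": 1616, "Image": r"C:\Windows\system32\vssadmin.exe",
     "CommandLine": r"C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet",
     "ParentProcessId": 1664, "ParentImage": SAMPLE},
    {"ProcessId": 1772, "Image": r"C:\Windows\system32\vssadmin.exe",
     "CommandLine": r"C:\Windows\system32\vssadmin.exe List Shadows",
     "ParentProcessId": 1664, "ParentImage": SAMPLE},
    {"ProcessId": 4001, "Image": r"C:\Windows\system32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows",
     "ParentProcessId": 3000, "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"ProcessId": 4002, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete",
     "ParentProcessId": 3000, "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for alert in shadow_copy_alerts(SAMPLE_EVENTS):
        print(alert)
```

Enumeration alone never raises an alert, because administrators and backup agents list shadows routinely; it is only carried as context so that a deletion preceded by a list from the same parent, launched from Temp, scores higher than the same command typed at an admin prompt.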
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 1664: dfa8f8fa060226161b3f4a00844196cb883e274d22f6623196553c41244a93fc.exe (2 events)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  pid 1136 vssvc.exe: Token: SeBackupPrivilege
  pid 1136 vssvc.exe: Token: SeRestorePrivilege
  pid 1136 vssvc.exe: Token: SeAuditPrivilege

Suspicious use of UnmapMainImage (1 IoC)
  pid 1664: dfa8f8fa060226161b3f4a00844196cb883e274d22f6623196553c41244a93fc.exe

Suspicious use of WriteProcessMemory (28 IoCs)
  PID 1664 (dfa8f8fa060226161b3f4a00844196cb883e274d22f6623196553c41244a93fc.exe) wrote to memory of 296 (procid_target 29), 4 events
  PID 1664 (dfa8f8fa060226161b3f4a00844196cb883e274d22f6623196553c41244a93fc.exe) wrote to memory of 1616 (procid_target 33), 4 events
  PID 1664 (dfa8f8fa060226161b3f4a00844196cb883e274d22f6623196553c41244a93fc.exe) wrote to memory of 1772 (procid_target 35), 4 events
  PID 1664 (dfa8f8fa060226161b3f4a00844196cb883e274d22f6623196553c41244a93fc.exe) wrote to memory of 540 (procid_target 37), 4 events
  PID 540 (cmd.exe) wrote to memory of 1500 (procid_target 39), 4 events
  PID 1664 (dfa8f8fa060226161b3f4a00844196cb883e274d22f6623196553c41244a93fc.exe) wrote to memory of 608 (procid_target 41), 4 events
  PID 608 (cmd.exe) wrote to memory of 928 (procid_target 43), 4 events
The writes target only the writer's own freshly created children (the vssadmin, cmd and chcp processes in the tree below), four per child, which is consistent with child-process creation rather than injection into an unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\dfa8f8fa060226161b3f4a00844196cb883e274d22f6623196553c41244a93fc.exe  (PID 1664)
  command line: "C:\Users\Admin\AppData\Local\Temp\dfa8f8fa060226161b3f4a00844196cb883e274d22f6623196553c41244a93fc.exe"
  - Modifies extensions of user files
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\vssadmin.exe  (PID 296)
      command line: C:\Windows\system32\vssadmin.exe List Shadows
      - Interacts with shadow copies
    C:\Windows\system32\vssadmin.exe  (PID 1616)
      command line: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
    C:\Windows\system32\vssadmin.exe  (PID 1772)
      command line: C:\Windows\system32\vssadmin.exe List Shadows
      - Interacts with shadow copies
    C:\Windows\SysWOW64\cmd.exe  (PID 540)
      command line: C:\Windows\system32\cmd.exe
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\chcp.com  (PID 1500)
          command line: chcp
    C:\Windows\SysWOW64\cmd.exe  (PID 608)
      command line: C:\Windows\system32\cmd.exe
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\chcp.com  (PID 928)
          command line: chcp

C:\Windows\system32\vssvc.exe  (PID 1136)
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\WerFault.exe  (PID 1532)
  command line: C:\Windows\system32\WerFault.exe -u -p 1208 -s 1808
  - Program crash