Analysis
max time kernel: 150s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20220310-en
submitted: 18-03-2022 20:52
Tasks
Static task: static1
Behavioral task: behavioral1 (sample 19261965.exe, resource win7-20220311-en, windows7_x64, listed with 0 signatures, 0 seconds)
The behavioral results on this page come from the Windows 10 run (platform windows10-2004_x64 above; the YARA hits below are tagged behavioral2), not from behavioral1.
General
Target: 19261965.exe
Size: 694KB
MD5: 655326a190e7e84ceaad014053d672e3
SHA1: f4eff0dad292b3cd06ce9bd9e5870f6ce90d30d1
SHA256: a498bd4c418ddfe888fe94ce082ae68b5fa0e3a65a43fcd5c5277646a11df45b
SHA512: 8a2a610dd171da1b7b6e0a68d643d3cec6c4b952071df36c9aeae75254888513a7609a11b92be6885f2f9fdc3aae8353af9947031c3fb0aa1b53586a29c8951e
Malware Config
Extracted
Family: vidar
Version: 50.1
Botnet: 565
C2:
https://mastodon.online/@k1llerniax
https://koyu.space/@k1llerni2x
Attributes
profile_id: 565
The two C2 entries are Mastodon profile URLs, not the command-and-control server itself. Vidar uses social-media profiles as dead-drop resolvers: at runtime it fetches the profile page and reads the real C2 address out of the profile text, so the operator can rotate the server without rebuilding the sample. Block or alert on the profile URLs, but expect the host the stealer actually exfiltrates to be a different address, and resolve it from the profiles at the time of the investigation rather than from this static config.
Signatures
Vidar Stealer 2 IoCs
resource: behavioral2/memory/1348-136-0x00000000025E0000-0x000000000268B000-memory.dmp, yara_rule: family_vidar
resource: behavioral2/memory/1348-137-0x0000000000400000-0x00000000008AD000-memory.dmp, yara_rule: family_vidar
Drops file in Windows directory 62 IoCs
Process: svchost.exe (all 62 entries); description: File opened for modification. Every path is a BITS job working file (BIT*.tmp, or a download renamed to its hash) under the Windows Update download cache.
C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\BITA358.tmp
C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\BITA454.tmp
C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\BIT9F1.tmp
C:\Windows\SoftwareDistribution\Download\26794b1631618c81e2caec277357b370\BIT74B5.tmp
C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\e1a85885fd4453165061351651289cce8f8590c4
C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\BITA6F.tmp
C:\Windows\SoftwareDistribution\Download\d1d4bb0c910695f4fcf53d8f91faafa7\Jda7di8befpfPWz3DrhkMwwJL9XbuL8\fDFnweOZvFE=
C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\CsA9z1\SlUHUPO8bKnA\BITA019.tmp
C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\f3535a3b47819a04c6d5ee18905493be086e801e
C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\pj5OoD7hJ+dBGy+3XOjLT8WsuYwervv\BITAE5A.tmp
C:\Windows\SoftwareDistribution\Download\2ef09e08315a593ec3af8ec57ab6a31e\BIT1783.tmp
C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\CsA9z1\SlUHUPO8bKnA\5ondRmJ90JlkPETuN535TWk=
C:\Windows\SoftwareDistribution\Download\2ef09e08315a593ec3af8ec57ab6a31e\YZBnsYBVNBTl3Isrrjy7P0\FTTOLXxEZk0li+ZNE2Uo=
C:\Windows\SoftwareDistribution\Download\2ef09e08315a593ec3af8ec57ab6a31e\YZBnsYBVNBTl3Isrrjy7P0\BIT20CD.tmp
C:\Windows\SoftwareDistribution\Download\6feeefdf55ac33c2cb46a25670952111\o\egfDu3QHOC\BIT337C.tmp
C:\Windows\SoftwareDistribution\Download\cb9f14b7916e97a31f1e53948ed1b67f\c3ca3df6b0660cc02fa0c60992eb1164c186b223
C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\BITF839.tmp
C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\612ad442b8740f4c57b8c84e6bf465ba4699118c
C:\Windows\SoftwareDistribution\Download\d1d4bb0c910695f4fcf53d8f91faafa7\BIT1753.tmp
C:\Windows\SoftwareDistribution\Download\cb9f14b7916e97a31f1e53948ed1b67f\6\v9GXr9MSfUt92b0dEpOsHH2H0TwcnvKmtIW8g3ovM=
C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\CsA9z1\SlUHUPO8bKnA\BITAC83.tmp
C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\BITAD5F.tmp
C:\Windows\SoftwareDistribution\Download\6feeefdf55ac33c2cb46a25670952111\o\egfDu3QHOC\Xbfe7KpvVnvJHxQ2cRDBmUlnoMnpDY=
C:\Windows\SoftwareDistribution\Download\6feeefdf55ac33c2cb46a25670952111\o\egfDu3QHOC\BIT3572.tmp
C:\Windows\SoftwareDistribution\Download\cb9f14b7916e97a31f1e53948ed1b67f\BIT7495.tmp
C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\a3f602ea4d534d006919a2613d91f9506b383314
C:\Windows\SoftwareDistribution\Download\d1d4bb0c910695f4fcf53d8f91faafa7\d9f2a302574bf135efc9dbd1a8083a336f7f52f0
C:\Windows\SoftwareDistribution\Download\d1d4bb0c910695f4fcf53d8f91faafa7\BIT1D42.tmp
C:\Windows\SoftwareDistribution\Download\cb9f14b7916e97a31f1e53948ed1b67f\6\BIT733B.tmp
C:\Windows\SoftwareDistribution\Download\26794b1631618c81e2caec277357b370\BIT7D72.tmp
C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\BITF7AC.tmp
C:\Windows\SoftwareDistribution\Download\d1d4bb0c910695f4fcf53d8f91faafa7\Jda7di8befpfPWz3DrhkMwwJL9XbuL8\BIT1CC4.tmp
C:\Windows\SoftwareDistribution\Download\26794b1631618c81e2caec277357b370\BIT7426.tmp
C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\BITF8C7.tmp
C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\BITF916.tmp
C:\Windows\SoftwareDistribution\Download\2ef09e08315a593ec3af8ec57ab6a31e\BIT215B.tmp
C:\Windows\SoftwareDistribution\Download\cb9f14b7916e97a31f1e53948ed1b67f\BIT7786.tmp
C:\Windows\SoftwareDistribution\Download\6feeefdf55ac33c2cb46a25670952111\BIT3FF5.tmp
C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\BITA0B7.tmp
C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\BITED69.tmp
C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\9+dL4Puh6FM8puPxsBEX86BMeGqpuC0b7gf2fD9DLLo=
C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\F2WKV54ysEMEW9U+EfiUeJcNcgfNL4pMC5NmE0a3mAg=
C:\Windows\SoftwareDistribution\Download\6feeefdf55ac33c2cb46a25670952111\BIT3458.tmp
C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\pj5OoD7hJ+dBGy+3XOjLT8WsuYwervv\BITA163.tmp
C:\Windows\SoftwareDistribution\Download\d1d4bb0c910695f4fcf53d8f91faafa7\Jda7di8befpfPWz3DrhkMwwJL9XbuL8\BIT1648.tmp
C:\Windows\SoftwareDistribution\Download\2ef09e08315a593ec3af8ec57ab6a31e\YZBnsYBVNBTl3Isrrjy7P0\BIT16F5.tmp
C:\Windows\SoftwareDistribution\Download\26794b1631618c81e2caec277357b370\fbaaae7103d0f0a1303a40d280aa18bafcd08dcf
C:\Windows\SoftwareDistribution\Download\cb9f14b7916e97a31f1e53948ed1b67f\6\BIT7717.tmp
C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\pj5OoD7hJ+dBGy+3XOjLT8WsuYwervv\LZOCjtiHKk8=
C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\BITEE35.tmp
C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\af66e12c1bb9d8519da21259d0fcd88c247cb4f1
C:\Windows\SoftwareDistribution\Download\6feeefdf55ac33c2cb46a25670952111\2cd32031792245e69c7777193005916861cbbe94
C:\Windows\SoftwareDistribution\Download\26794b1631618c81e2caec277357b370\BIT7DE1.tmp
C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\Cmn5TH6S2lFFnfMN8MLr2EoNUIAGzQo2UUjHGMEC99A=
C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\BITAF55.tmp
C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\BITFE76.tmp
C:\Windows\SoftwareDistribution\Download\26794b1631618c81e2caec277357b370\daNJ9YVgpN191GzoPynRDpTEDO9uUytOK6Ln7xcN8To=
C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\BITA415.tmp
C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\BITFEF4.tmp
C:\Windows\SoftwareDistribution\Download\2ef09e08315a593ec3af8ec57ab6a31e\6e15245aed25ee83b027521f9cf9ea812c9d016d
C:\Windows\SoftwareDistribution\Download\6feeefdf55ac33c2cb46a25670952111\BIT3610.tmp
C:\Windows\SoftwareDistribution\Download\6feeefdf55ac33c2cb46a25670952111\o\egfDu3QHOC\BIT3E8D.tmp
Modifies data under HKEY_USERS 6 IoCs
Process: svchost.exe (all 6 entries). Every key sits under \REGISTRY\USER\S-1-5-19, the profile hive of NT AUTHORITY\LOCAL SERVICE, which is the account the LicenseManager service host runs as. The DeviceTicket value is a DPAPI-protected blob (it opens with version 1 and the DPAPI provider GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb); the hex as it reached this page is one nibble short of a well-formed blob, so treat the tail as slightly garbled.
Set value (data) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e0000000002000000000010660000000100002000000088c9e49c15a8b020ca9e73daab696112adafb66a3e8c78d5bbad27e91bb09ad8000000000e80000000020000200000008e97cc980fb61eb60b01461ddbdb4040a11dbd36bd13c941fd50316531c95983100d0000f1779f14801e54b3ca3d34c74807a69669c8233f812a0373c3c7383b83d7ee6f397c815c7c3c32e7a9ae7571586cee50c660819ce1e7d8c9082aabcbdd75533dbbc4482e444cb118a603300d7da3e566903197363f0f7d34bc58308f23b8a8a8ee4418250cb30ee1e1b4a794135018511b99c695eec2fa9768066c6dca9709ffb48c6a01f405c006e6d71620552f0608af7f8c760af5d79a74a37a2653b60d3fdcb9e353989f497f68dbb2143ae25daa510bdd7b3870304109eb7aadd677cf5910773515a6bbe19ab0cfd62e8b8d5318df2be5f7e3cde2df9ee389933c3015ce1dbfbcbc9b6a4a91354c5d8958d559fa94e112c20a148a2999903aac821dbc9b1a777d8d8cbba5d1b4c18e21996a5d9c14fac8a9398d8e1d81dd6a272359c4bc828e2fcf7299ab65d7e55ebdd01da85dbc2a6d41070233e521d179b988ef0698390de35b82b84a1b03787e9ec2b336127f680302eda9e79b15280cd7e806f6ab09ce4dcf72a238bf28f61516fccbe430340552684c2ae40c038c32e36a65cfca0ee966e64d1f6fa90ce6db866d067e9ceb3deee5a37747da4fce3e41215e6321ccba9e03cfeb6ebfa1a0be99e90866b4b782e1569d689f25e029f6e22d2001e9e0bd2950c744c35e8858ae6bd8dd8501794a7accb2e614f213983c2309e519da27cb9fbbc548bca3131799fda7170191b2a048f5c5bdd247b7f72edcdc10095311cb5963232477067bbc3637bd4829c7d7c7fd6f13ae53ef097ffc7d6834d10c22a8e329437777cf2681d1569cc4767b83040010e5bd5103c1b9b2e3b98a0f343704270a792f7191fc0e730448d049e8b23aafb99ff60300031c6a8d2eae0df06b24f3e41a934943f21a139feb052272886174a053f729b02ab3bb976411cb8e7d229e24cf5277d977bdb1b8295fd58756d625568d87980dfb52773396b93c46da46a1c43990436cf04ff6c4947701fb5a1121e2ecafde797108a9667c91bfb2b3b1f19a2347219a68f8deaa39acb4361e35c9243935bc8daa04dc2b90fe82728737eb77d263e5cd6d2a6caf7cba2ca2aaa3ff15
dd73e15d4867ad6e13b4798355e3bdf4896f3002018470e9969b959610b49414e53789ed981651f031bc187bcc4bbcfd0f0c61a449646e1cfdc49b71387494838628ea7631846e733a4ec13f5bbac65017499c52b8289219b2b4e3fba9a5a0a3d793b7ea449ba2429413358318fe065d60133de99339b1c991b185211fad002e281472d890593cc6a7af199206adbde20587b33e502e08f499d4ae85d2951ff893fa9662224b7e7d60ee69c8df188aca8e458962fe65977aa8ab4f15262ea50ad26029dddf699f54610f0a763db6ba9c78918b035e7d73d6e1913da4aa2d0113a3f9976fecc14c6c5a2a50f88a5320fc7b59e63550dd95f3cdb0c0960e096781cea4dae9495c590bdf2569e941dc93ec8b865a3ecaad07ba26c0848d008fdc0eb666e5fc45ae48ea5dde823aa9c31697660bb105ad9f01d83a8bb2d52a8865030fe868c761f8a9ad6e4d92396fe2a4a6207ea30ddf673f90ab5b745cd55d089a67a6185f26bc10989030730f518614dc5c0a708cafce797412480552f85155cd475f721b311b47c40e0014b168c7d9d9064e5141f51d0c4a1cf2138836aa605a7cf413f428f477d92ea5971f6315c814cdcf928d5260c149e71c87ded94d0c90a8e680d1dd87ed99aed0a8c64b2501a1cdb310a073b4cfdbe6be842e46fc2681228b839caaa6b10e6946a3a88db4b1dd6616b3bc4d93044d1ef955f232be46d7fd6b5329b4a146607d8dedfb6ca786a23fd2c070d37290d10ce35b2d80f6ba239680d44b4b0b4d0a565be2b4f870f686202611b90c1057b68a5b233f4ea331f451a61fc009a9fd7a6bebaad6f3dd660fa3ca4f147d87dd573d4b393f46f30d333abf2ae04463c462ac64141958f3a93d7612a8ac0c2aaa840d34a4005d230d3fe9f6d7f0828faf4d0dca5cabc9047732f73e174d506d90d03e0b8fe98b265601e67da3a62dc930117e92c8930d45bcfc62ade279b46a12e57f5555a83c9a11a7b1f6bbeba5eb31bcd6ab56e2f53158980bfc4e793ab3781e244b65403a76ae8a216effd77190495624eea51897a1fb6cd31e60bdd5197ac109603a3e026f223c61c8d3bcd6dc6ac4cadfd086af7190047b12fabed277abc17ced2627deee16ca2c4f3c684744ce1062d2f868e13dd741f298c4cbbda80005c5eef7e7f09bffae0be4071ebb01660ae9c9ba2fdd69949f1a94fbd4a76f6df571f68e28928acd6ce1d2688c10c203acdf6793aba591c433591e4f97ab5e6788b22849340e311eb9009f1b188b79f187135b224ea792c6087a1f3419be45d889b44edb310ad495755f014159704b9226bc05bf2ba39d34fe63c68eab654b536a103afde09e34b6b2a0e2006e3bce4bf1958f48e2dde7e6e59225553fcd0a33e227e76d367a017e0acc1cf77fd1706cf9
da4a32914bda166712935abc61b90b92021bf8e01b9e5802f430fe2d2c995255c1bc5e5b6198488be185ccc041a552ef260ec8f66e615d3b697e039ee4bd5e969066a12236254bdbd666d21e5692a1593f1d919b04e7438fb27b14356b8369f0e2936c07e0e132728fc5375c53180d3296aa9c579c6ed72cb1ccd24d4c5060ab106d3e0c172922ef0737a447bb0ac436dd4e3873d839ad78c10fbbb226d55dca8c40788a7e720eff3e5834e4aef486aa1be7a90f389eda4cf11baa690b7ba42b61c833c0d44168600b0dac10b35e6bd4fc47e8e3f6b9ef24551779b7e795c1e09aed79263c601c1908bf4f3a963eb1bbb25b2c674503d70fa8ca9d867c48ccd2a26232695c9c208ac09a80c621d28c3f5ad00ab686222e6f0abb7f181b52519581d888fcc86643a0943d3d335e23b57e3b66fdaff3e4d17ac7cf14bfcd5231f76c7c1371fcc196bef616951d4896a8bf837545057492b424fe45666b3d114c2ec1216d037b14b8c69161bb1cb7e25b773f1a83e730d8726659738aa39b9f7305f2e827b889f328d478e4db94d44d8c32c0bb97b7759bc48badaba960c2c4a8473c0b713044f59cf748b04cb32aa716c1e5a0f043867bd6e81dde3b42b452b8c880277d7cd235f8588f5dc72f281f362d276a403d36b7f69e52eea6ac6c6e884790c2a86cd89834a45451f9ae76cc3fc4b390b6a364a0a22390b0887d3e1159f76c3bad60c867a56cb390198f6c5953ba85eca837495ac9499c365bf05a1cf9e36a1acc39dd5fdeb49cca71d442e4690497d7a9e9fd0ec7719ea9d98a4b5cd4f87b458d538b8a198a72a5dbe0b025c838c272937db584f1792b2a9a8d9ebdf72a5146f634806ad059e58e3623cce179760ab9f8e4447bdd5d8cdae156d53eceb604018a89aec7e344979df29da51e5b4798904f5fe604e943d0882c8d11435ff2d0862b9c525933ffde191b505df40d4bef310b5032438335cff8ba7e4f55792a30cd5385768d714006d0a105ce76c7db1180cada37a05e03695a1e508acd2bbd39f64b1b598bdf480a9a575db00340ca9c7b420fb0582ce83947a719b801eda350751496f9136da1a405b82572fb799a11c1193c3545afd97aff132a8e369dcd39bb296957677e162911612a9fed9f5ed288640e846e0df9a7acfae9a8e23cc009a2c1f561e6464cee3257e4391b89e468642ef4eb6fac6d4e782aa03a9f36e633ab38ccae14cbed6812c3d9888b227fc724d3cd2ee7d336629d127fca600d805829c096683b63aa7de1e7cd30a24242bb940049e1454d4f2e1e83b8dae02530f00783d8d9c5e778df510708f6b1de1f9b4607ba78c9cf4197094c256d2035412f378e5bcc04aaf578f8e2107847ddb03764ee13316a740ca363bfc4bafa30c68b36a66df269f861
af580b1d97877b1fdf2d4e9a02f45b2d69dcdfa916e76af5820281b457eb812ad49b5f5601435f495f7fb8326acf763974f37b9164f7a510ac8ffda0c5a44bfecefa7e5b59690293607c36635bb909df9757efdef5e53e3a3c8b7bc76b2b708e6b69718426edf6922edcae9baf9d60afdf816c52354c382179cf58706437c0a4436dddbd8958b3d29aa1045b101a02081c062f256ce424e902f64dfec7b82ae7526b421c9237cb55a54b9633b086e82d262b12fc43d1157d3029f2a909c21ed87cdf31ab3183ad3f8dfa7d000ef2a42679102a46bb9e05ceb4c1900c22eecfa2812f7ce1db28ce5fcd20d37c845fa6c01ef80c6411f7e8e3bfaf1facc21f847f3e3cb142c5107b45189d514f765063936a3b251d2649fbbabf054e6c900f484341a1680c28ee25aa8b3b2a8eaa282f6931cc73c82f255e66d3f5afe0a1b2307e3e186227c541fad4385f28d9bf00931d791ff5a467226599d6f7e675493662acf02980f80a6eec33e5f559d332f370673f27f8f04f8f963830b481fd548158443484a8a24f030e81e83d26c52fe0199c7c5dc6fa329a276ca2cb1ed855dcb94e80d707a28b1b315e421012c2621f65542c8b0b37aa3e84ec8572521b75120afc50e0a1bceb3679b0ae8ed2bc13f79dd18b7285ab813492d66fd60836329676df1fe7b15809165e88a34c7828b8bd18c21be834d569397ac6c5fd8e7af64194495e2018d363ffefa7656ee12503a9307989556fb3d380a879fe91ac56dcf519b4e13e6df4f85d0e23ed3215a44917f89f72e081ea43e88bd739503d4a445018d2423040e66983c6250b9aea1a400000000d2b3a2d0e1b63db1490def13131d289448c1aa1bb063d8cd8418613ac62304b8d2475a094246b85143c179c6529bb00ff5ff395206320f4652e1385ecbb8b36 svchost.exe
Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceId = "0018C005DE194BDB" svchost.exe
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\ApplicationFlags = "1" svchost.exe
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Property svchost.exe
Set value (data) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property\0018C005DE194BDB = (value omitted from this copy of the report) svchost.exe
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5} svchost.exe
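The DeviceTicket value above is a DPAPI blob, the output of CryptProtectData: it starts with version 1 and the fixed DPAPI provider GUID, and the master-key GUID that follows names the key in the LOCAL SERVICE profile that protects it. The script below is an added example written for this page, not part of the report or of any tool it mentions; the field layout follows the publicly documented structure (the KULL_M_DPAPI_BLOB layout used by Mimikatz and dpapick), and the header bytes are copied from the report's own value up to the data length, with the ciphertext and trailing signature left out. Recognising a DPAPI blob tells an analyst the value was written through the Windows DPAPI API under the writing process's own account, which fits the licensing service host rather than a stealer dropping artefacts.

```python
"""Recognise a Windows DPAPI blob (CryptProtectData output) and parse its header."""
from __future__ import annotations

import struct
import uuid

# Every DPAPI blob begins with dwVersion = 1 followed by this provider GUID.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")

# CryptoAPI ALG_ID values (wincrypt.h) that turn up in DPAPI blobs.
ALG_NAMES = {
    0x6603: "CALG_3DES",
    0x6610: "CALG_AES_256",
    0x8004: "CALG_SHA1",
    0x800E: "CALG_SHA_512",
}

# Header of the DeviceTicket value from the report, copied up to and including
# dwDataLen. The 3344-byte pbData and the trailing signature are omitted.
DEVICE_TICKET_HEADER_HEX = (
    "01000000"                                  # dwVersion
    "d08c9ddf0115d1118c7a00c04fc297eb"          # guidProvider (little-endian fields)
    "01000000"                                  # dwMasterKeyVersion
    "d79ef4adb8e2df4e96c16fb9ef12577e"          # guidMasterKey
    "00000000"                                  # dwFlags
    "02000000" "0000"                           # dwDescriptionLen, szDescription (L"")
    "10660000" "00010000"                       # algCrypt, dwAlgCryptLen in bits
    "20000000"                                  # dwSaltLen
    "88c9e49c15a8b020ca9e73daab696112adafb66a3e8c78d5bbad27e91bb09ad8"
    "00000000"                                  # dwHmacKeyLen (no key)
    "0e800000" "00020000"                       # algHash, dwAlgHashLen in bits
    "20000000"                                  # dwHmac2KeyLen
    "8e97cc980fb61eb60b01461ddbdb4040a11dbd36bd13c941fd50316531c95983"
    "100d0000"                                  # dwDataLen
)


class _Reader:
    """Cursor over a byte string that refuses to read past the end."""

    def __init__(self, data: bytes) -> None:
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError(f"blob truncated at offset {self.pos}, need {n} bytes")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u32(self) -> int:
        return struct.unpack("<I", self.take(4))[0]

    def guid(self) -> str:
        return str(uuid.UUID(bytes_le=self.take(16)))


def is_dpapi_blob(data: bytes) -> bool:
    """Cheap signature test: version 1 plus the fixed provider GUID."""
    if len(data) < 20 or struct.unpack_from("<I", data, 0)[0] != 1:
        return False
    return uuid.UUID(bytes_le=data[4:20]) == DPAPI_PROVIDER_GUID


def parse_dpapi_blob_header(data: bytes) -> dict:
    """Parse the fixed part of a DPAPI blob, stopping after dwDataLen so that a blob
    whose ciphertext is cut off (as on this page) still parses."""
    if not is_dpapi_blob(data):
        raise ValueError("not a DPAPI blob")
    r = _Reader(data)
    r.u32()                                     # dwVersion, already checked
    provider = r.guid()
    mk_version = r.u32()
    master_key = r.guid()
    flags = r.u32()
    description = r.take(r.u32()).decode("utf-16-le").rstrip("\x00")
    alg_crypt, alg_crypt_bits = r.u32(), r.u32()
    salt = r.take(r.u32())
    hmac_key = r.take(r.u32())
    alg_hash, alg_hash_bits = r.u32(), r.u32()
    hmac2_key = r.take(r.u32())
    data_len = r.u32()
    return {
        "provider_guid": provider,
        "master_key_version": mk_version,
        "master_key_guid": master_key,
        "flags": flags,
        "description": description,
        "alg_crypt": ALG_NAMES.get(alg_crypt, hex(alg_crypt)),
        "alg_crypt_bits": alg_crypt_bits,
        "salt": salt.hex(),
        "hmac_key": hmac_key.hex(),
        "alg_hash": ALG_NAMES.get(alg_hash, hex(alg_hash)),
        "alg_hash_bits": alg_hash_bits,
        "hmac2_key": hmac2_key.hex(),
        "data_len": data_len,
        "header_len": r.pos,
    }


if __name__ == "__main__":
    for key, value in parse_dpapi_blob_header(bytes.fromhex(DEVICE_TICKET_HEADER_HEX)).items():
        print(f"{key:>20}: {value}")
```

For this value the parser reports AES-256 with SHA-512, an empty description, a 3344-byte ciphertext and master key adf49ed7-e2b8-4edf-96c1-6fb9ef12577e; decrypting it would need that master key from the LOCAL SERVICE profile on the sandbox image, which is why the ticket is of no use off the box and no reason to suspect the sample.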
Processes
C:\Users\Admin\AppData\Local\Temp\19261965.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\19261965.exe"
C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
  signature: Modifies data under HKEY_USERS
C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
  signature: Drops file in Windows directory
The three entries are separate process roots with no parent/child relationship between them. The two svchost.exe instances are service hosts (LicenseManager in the LocalService group, BITS in netsvcs) that the service control manager starts on its own, so the IoCs attached to them, the BIT*.tmp files under C:\Windows\SoftwareDistribution\Download and the IdentityCRL DeviceTicket under S-1-5-19, are Windows Update and device-licensing background activity of the sandbox image and should not be carried into a detection or threat-intel feed as indicators for this sample. The only finding that ties to 19261965.exe is the family_vidar YARA match on its memory dumps; no child process, file write or registry change by the sample itself is listed in this run.
Network
MITRE ATT&CK Matrix
Downloads
memory/1348-134-0x0000000000B5D000-0x0000000000BC8000-memory.dmp 428KB
memory/1348-135-0x0000000000B5D000-0x0000000000BC8000-memory.dmp 428KB
memory/1348-136-0x00000000025E0000-0x000000000268B000-memory.dmp 684KB
memory/1348-137-0x0000000000400000-0x00000000008AD000-memory.dmp 4.7MB
memory/1480-138-0x000001C2FE9A0000-0x000001C2FE9B0000-memory.dmp 64KB
memory/1480-139-0x000001C2FF260000-0x000001C2FF270000-memory.dmp 64KB
memory/1480-140-0x000001C2FF820000-0x000001C2FF824000-memory.dmp 16KB
memory/1480-141-0x000001C2FFBB0000-0x000001C2FFBB4000-memory.dmp 16KB
memory/1480-142-0x000001C2FFBB0000-0x000001C2FFBB4000-memory.dmp 16KB
memory/1480-143-0x000001C2FFC80000-0x000001C2FFC84000-memory.dmp 16KB
memory/1480-144-0x000001C2FFC80000-0x000001C2FFC84000-memory.dmp 16KB
memory/1480-145-0x000001C2FFD50000-0x000001C2FFD54000-memory.dmp 16KB
memory/1480-146-0x000001C2FFC80000-0x000001C2FFC84000-memory.dmp 16KB
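The dump names above encode the address range that was dumped, and the two family_vidar hits in the Signatures section point at two of these ranges. The script below is an added example written for this page, not part of the report or of the sandbox's tooling: it parses the names, recomputes each region's size to confirm it matches the size printed beside it, and tags the dumps that carry a family match or start at 0x400000, the default image base of a 32-bit executable. Reading the first number in the name as a PID is an assumption about the naming scheme; the entries are copied from this page.

```python
"""Parse the memory-dump entries of a sandbox report, check the printed sizes and
mark the dumps that carry a family match or sit at the default image base."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Names read <pid>-<index>-0x<start>-0x<end>-memory.dmp, optionally prefixed with the
# task name (behavioral2/). Treating the first number as the PID is an assumption.
DUMP_RE = re.compile(
    r"^(?:[A-Za-z0-9]+/)?memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$"
)

# Default image base of 32-bit PE executables: a dump starting here is normally the
# process's own mapped image rather than a heap block or an injected allocation.
DEFAULT_IMAGE_BASE_32 = 0x400000


@dataclass(frozen=True)
class Region:
    pid: int
    index: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def is_dump_name(name: str) -> bool:
    return DUMP_RE.match(name) is not None


def parse_dump_name(name: str) -> Region:
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a memory dump name: {name}")
    pid, index, start, end = m.groups()
    region = Region(int(pid), int(index), int(start, 16), int(end, 16))
    if region.end <= region.start:
        raise ValueError(f"empty or inverted range: {name}")
    return region


def human_size(n: int) -> str:
    """Format the way the report does: whole KB below 1 MiB, one decimal MB above."""
    if n >= 1024 * 1024:
        return f"{n / (1024 * 1024):.1f}MB"
    return f"{n // 1024}KB"


def classify(region: Region, family_hits: dict[tuple[int, int], str]) -> str:
    tags = []
    rule = family_hits.get((region.pid, region.index))
    if rule:
        tags.append(rule)
    if region.start == DEFAULT_IMAGE_BASE_32:
        tags.append("image-base-0x400000")
    return ",".join(tags) or "-"


def check_report(entries, family_hits):
    """Return (rows, mismatches): one tuple per dump, plus the names of dumps whose
    recomputed size disagrees with the size printed in the report."""
    rows, mismatches = [], []
    for name, reported in entries:
        r = parse_dump_name(name)
        computed = human_size(r.size)
        if computed != reported:
            mismatches.append(name)
        rows.append((r.pid, r.index, hex(r.start), hex(r.end), r.size, computed,
                     classify(r, family_hits)))
    return rows, mismatches


# Entries copied from the Downloads and Signatures sections of this report.
REPORT_DUMPS = [
    ("memory/1348-134-0x0000000000B5D000-0x0000000000BC8000-memory.dmp", "428KB"),
    ("memory/1348-135-0x0000000000B5D000-0x0000000000BC8000-memory.dmp", "428KB"),
    ("memory/1348-136-0x00000000025E0000-0x000000000268B000-memory.dmp", "684KB"),
    ("memory/1348-137-0x0000000000400000-0x00000000008AD000-memory.dmp", "4.7MB"),
    ("memory/1480-138-0x000001C2FE9A0000-0x000001C2FE9B0000-memory.dmp", "64KB"),
    ("memory/1480-140-0x000001C2FF820000-0x000001C2FF824000-memory.dmp", "16KB"),
]
FAMILY_HITS = {
    (r.pid, r.index): "family_vidar"
    for r in map(parse_dump_name, [
        "behavioral2/memory/1348-136-0x00000000025E0000-0x000000000268B000-memory.dmp",
        "behavioral2/memory/1348-137-0x0000000000400000-0x00000000008AD000-memory.dmp",
    ])
}


if __name__ == "__main__":
    rows, bad = check_report(REPORT_DUMPS, FAMILY_HITS)
    for row in rows:
        print(*row)
    print("size mismatches:", bad or "none")
```

Every printed size checks out. The two tagged dumps are the ones to pull first: the 4.7MB range at 0x400000 is the sample's own mapped image, and the 684KB block at 0x25E0000 is a separate allocation of roughly the file's size that also matches family_vidar, so both are candidates for carving an unpacked PE and re-running the config extractor.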