Analysis
- max time kernel: 153s
- max time network: 160s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 16-05-2022 13:52
Behavioral task behavioral1
- Sample: c1de9fa13011a8f8705d831ec99f3a6f713dd5cf7d8f9dd5264acaaed036860a.exe
- Resource: win7-20220414-en
Behavioral task behavioral2
- Sample: c1de9fa13011a8f8705d831ec99f3a6f713dd5cf7d8f9dd5264acaaed036860a.exe
- Resource: win10v2004-20220414-en
General
- Target: c1de9fa13011a8f8705d831ec99f3a6f713dd5cf7d8f9dd5264acaaed036860a.exe
- Size: 12.1MB
- MD5: c8448c78c6b5c6000dd307789504cd31
- SHA1: 8faa9fada9e4d46bfac45fbb87d07c58956e2b57
- SHA256: c1de9fa13011a8f8705d831ec99f3a6f713dd5cf7d8f9dd5264acaaed036860a
- SHA512: e46aeb944136f73fde773c07ead13819042ba9910528d17f29cdb3773fa7bf7bb03659d66771293ed197fb7c19efa6006a4d9b1f017f709b8b22a8424dc38dc0
Malware Config
Signatures
- XMRig Miner Payload (1 IoC)
  Processes:
    resource | yara_rule
    C:\Windows\svchost.exe | xmrig
- Executes dropped EXE (1 IoC)
  Processes:
    pid | process
    1912 | svchost.exe
- Sets file execution options in registry (2 TTPs)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (c1de9fa13011a8f8705d831ec99f3a6f713dd5cf7d8f9dd5264acaaed036860a.exe):
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c1de9fa13011a8f8705d831ec99f3a6f713dd5cf7d8f9dd5264acaaed036860a.exe" | c1de9fa13011a8f8705d831ec99f3a6f713dd5cf7d8f9dd5264acaaed036860a.exe
- Checks whether UAC is enabled
  Processes (c1de9fa13011a8f8705d831ec99f3a6f713dd5cf7d8f9dd5264acaaed036860a.exe):
    description | ioc | process
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | c1de9fa13011a8f8705d831ec99f3a6f713dd5cf7d8f9dd5264acaaed036860a.exe
- Drops file in System32 directory (64 IoCs)
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (64 IoCs)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes (c1de9fa13011a8f8705d831ec99f3a6f713dd5cf7d8f9dd5264acaaed036860a.exe, svchost.exe):
    description | pid | process
    Token: SeDebugPrivilege | 1464 | c1de9fa13011a8f8705d831ec99f3a6f713dd5cf7d8f9dd5264acaaed036860a.exe
    Token: 33 | 1464 | c1de9fa13011a8f8705d831ec99f3a6f713dd5cf7d8f9dd5264acaaed036860a.exe
    Token: SeIncBasePriorityPrivilege | 1464 | c1de9fa13011a8f8705d831ec99f3a6f713dd5cf7d8f9dd5264acaaed036860a.exe
    Token: SeIncBasePriorityPrivilege | 1912 | svchost.exe
    Token: SeLockMemoryPrivilege | 1912 | svchost.exe
    Token: SeLockMemoryPrivilege | 1912 | svchost.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (c1de9fa13011a8f8705d831ec99f3a6f713dd5cf7d8f9dd5264acaaed036860a.exe):
    pid | process
    1464 | c1de9fa13011a8f8705d831ec99f3a6f713dd5cf7d8f9dd5264acaaed036860a.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (c1de9fa13011a8f8705d831ec99f3a6f713dd5cf7d8f9dd5264acaaed036860a.exe):
    description | pid | process | target process
    PID 1464 wrote to memory of 1912 | 1464 | c1de9fa13011a8f8705d831ec99f3a6f713dd5cf7d8f9dd5264acaaed036860a.exe | svchost.exe
    PID 1464 wrote to memory of 1912 | 1464 | c1de9fa13011a8f8705d831ec99f3a6f713dd5cf7d8f9dd5264acaaed036860a.exe | svchost.exe
    PID 1464 wrote to memory of 1912 | 1464 | c1de9fa13011a8f8705d831ec99f3a6f713dd5cf7d8f9dd5264acaaed036860a.exe | svchost.exe
    PID 1464 wrote to memory of 1912 | 1464 | c1de9fa13011a8f8705d831ec99f3a6f713dd5cf7d8f9dd5264acaaed036860a.exe | svchost.exe
- System policy modification (1 TTP, 2 IoCs)
  Processes (c1de9fa13011a8f8705d831ec99f3a6f713dd5cf7d8f9dd5264acaaed036860a.exe):
    description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system | c1de9fa13011a8f8705d831ec99f3a6f713dd5cf7d8f9dd5264acaaed036860a.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | c1de9fa13011a8f8705d831ec99f3a6f713dd5cf7d8f9dd5264acaaed036860a.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\c1de9fa13011a8f8705d831ec99f3a6f713dd5cf7d8f9dd5264acaaed036860a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c1de9fa13011a8f8705d831ec99f3a6f713dd5cf7d8f9dd5264acaaed036860a.exe"
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  - [2] C:\Windows\svchost.exe (child of [1])
    Command line: "C:\Windows\svchost.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\config.json
  Filesize: 1KB
  MD5: 88c5c5706d2e237422eda18490dc6a59
  SHA1: bb8d12375f6b995301e756de2ef4fa3a3f6efd39
  SHA256: 4756a234ed3d61fe187d9b6140792e54e7b757545edff82df594a507e528ed8e
  SHA512: a417270a0d46de5bb06a621c0383c893042a506524713f89ba55567df6e5c3ac8b198bce5a0300ec6e716897bb53fd3e8289a51240157dc743004517673d4ab7
- C:\Windows\svchost.exe
  Filesize: 833KB
  MD5: 4a87a4d6677558706db4afaeeeb58d20
  SHA1: 7738dc6a459f8415f0265d36c626b48202cd6764
  SHA256: 08b55f9b7dafc53dfc43f7f70cdd7048d231767745b76dc4474370fb323d7ae7
  SHA512: bedd8ed4975df3fcd4a0f575d6f38e3841e7a4b771baac4f72033102a070818b8539eb101c50563d89d4f3454899a1cedb33047b02e421256dedf9aaf258b594
- memory/1464-54-0x0000000074B51000-0x0000000074B53000-memory.dmp
  Filesize: 8KB
- memory/1912-55-0x0000000000000000-mapping.dmp