Analysis
-
max time kernel
155s -
max time network
160s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
01-07-2022 08:19
Static task
static1
Behavioral task
behavioral1
Sample
3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe
Resource
win10v2004-20220414-en
General
-
Target
3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe
-
Size
1.3MB
-
MD5
c286c0d39d10063eb293498f47e2c339
-
SHA1
1564e28b7b9fe7d4466a91b4ed5f81204f29180e
-
SHA256
3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e
-
SHA512
6aa90311c383448b33f3fdc0e5a6ad8479ffb71a1e843b257426a84c98d4462183c3c50c6ff2b99ee259b99d0a845c70f0e11b5f6e961d5a9b5392acecc2ea54
Malware Config
Extracted
C:\README1.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README2.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README3.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README4.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README5.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README6.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README7.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README8.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README9.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README10.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Signatures
-
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Processes:
resource yara_rule behavioral1/memory/780-56-0x0000000000400000-0x000000000060B000-memory.dmp upx behavioral1/memory/780-58-0x0000000000400000-0x000000000060B000-memory.dmp upx behavioral1/memory/780-59-0x0000000000400000-0x000000000060B000-memory.dmp upx behavioral1/memory/780-61-0x0000000000400000-0x000000000060B000-memory.dmp upx -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe Set value (str) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 64 IoCs
Processes:
3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exedescription ioc process File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\file_obj.gif 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\jdwpTransport.h 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\7-Zip\Lang\bn.txt 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square_m.png 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\SmallLogo.png 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\softedges.png 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.jpg 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\logo.png 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dial.png 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\cpu.css 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\css\calendar.css 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\help.gif 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\jawt_md.h 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\videowall.png 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_LOOP_BG_PAL.wmv 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvmstat.xml 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-remote.xml 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\background.png 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\settings.html 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\feature.xml 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_SelectionSubpicture.png 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Push\1047_576black.png 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-execution.xml 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\Welcome.html 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\greenStateIcon.png 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\shatter.png 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\settings.css 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_disabled.png 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\gadget.xml 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.xml 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\Windows Media Player\Network Sharing\ContentDirectory.xml 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\Windows Media Player\Media Renderer\avtransport.xml 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\redmenu.png 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_snow.png 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dial_lrg.png 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_m.png 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\js\calendar.js 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\base-undocked-3.png 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\localizedStrings.js 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\7-Zip\Lang\kab.txt 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-lookup.xml 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\asl-v20.txt 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-next-static.png 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_videoinset.png 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\Windows NT\TableTextService\TableTextServiceYi.txt 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_SelectionSubpicture.png 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\7-Zip\Lang\el.txt 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_few-showers.png 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\36.png 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\slideShow.css 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\settings.js 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\daisies.png 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\offset_window.html 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.jpg 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev.png 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\manifest.json 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_windy.png 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\glow.png 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\init.js 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_dot.png 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exevssadmin.exepid process 1068 vssadmin.exe 1532 vssadmin.exe 472 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exepid process 780 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe 780 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exepid process 780 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 300 vssvc.exe Token: SeRestorePrivilege 300 vssvc.exe Token: SeAuditPrivilege 300 vssvc.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exepid process 780 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe 780 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe 780 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe -
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.execmd.exedescription pid process target process PID 780 wrote to memory of 472 780 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe vssadmin.exe PID 780 wrote to memory of 472 780 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe vssadmin.exe PID 780 wrote to memory of 472 780 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe vssadmin.exe PID 780 wrote to memory of 472 780 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe vssadmin.exe PID 780 wrote to memory of 1068 780 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe vssadmin.exe PID 780 wrote to memory of 1068 780 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe vssadmin.exe PID 780 wrote to memory of 1068 780 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe vssadmin.exe PID 780 wrote to memory of 1068 780 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe vssadmin.exe PID 780 wrote to memory of 1532 780 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe vssadmin.exe PID 780 wrote to memory of 1532 780 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe vssadmin.exe PID 780 wrote to memory of 1532 780 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe vssadmin.exe PID 780 wrote to memory of 1532 780 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe vssadmin.exe PID 780 wrote to memory of 1892 780 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe cmd.exe PID 780 wrote to memory of 1892 780 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe cmd.exe PID 780 wrote to memory of 1892 780 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe cmd.exe PID 780 wrote to memory of 1892 780 3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe cmd.exe PID 1892 wrote to memory of 976 1892 cmd.exe chcp.com PID 1892 wrote to memory of 976 1892 cmd.exe chcp.com PID 1892 wrote to memory of 976 1892 cmd.exe chcp.com PID 1892 wrote to memory of 976 1892 cmd.exe chcp.com
Processes
-
C:\Users\Admin\AppData\Local\Temp\3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe"C:\Users\Admin\AppData\Local\Temp\3e2f7f29ee60fbea9fbc392b36617f7ed736fd0dc9f83d245f56fbe41f2a3f7e.exe"1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:780 -
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe List Shadows2⤵
- Interacts with shadow copies
PID:472 -
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:1068 -
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe List Shadows2⤵
- Interacts with shadow copies
PID:1532 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe2⤵
- Suspicious use of WriteProcessMemory
PID:1892 -
C:\Windows\SysWOW64\chcp.comchcp3⤵PID:976
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:300