Analysis
max time kernel: 152s
max time network: 41s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 19-09-2022 19:40
Static task: static1
Behavioral task: behavioral1
  Sample: c1ba69880bc3be0ddb6ce94f89d692c8bffb154bbef375769dfb0b4e61502267.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: c1ba69880bc3be0ddb6ce94f89d692c8bffb154bbef375769dfb0b4e61502267.exe
  Resource: win10v2004-20220812-en
General
Target: c1ba69880bc3be0ddb6ce94f89d692c8bffb154bbef375769dfb0b4e61502267.exe
Size: 29KB
MD5: f9fcf46f677082a2f55c146aa44d245d
SHA1: 81beb90b1ce4b45e52fe6ea0a25e53eb79935e21
SHA256: c1ba69880bc3be0ddb6ce94f89d692c8bffb154bbef375769dfb0b4e61502267
SHA512: ea3169fc06052eda4b181ce7770345f3ae600946eeef5d857ef3e040457f84ca3b8b2064d0f8eb4e8c82debe75d9900ba2ce00d6b31e5237aa332c42d9d47eb0
SSDEEP: 768:D3rnGHcFIKtK3y89pXdqKIsG4qTDMqR7AtmqDgfj70f:TrGmt2y8kLDMqNANgX0f
Malware Config

Signatures
Executes dropped EXE (64 IoCs)
pid | Process
1812 | secsrvrc.exe
1860 | secsrvrc.exe
1288 | secsrvrc.exe
240 | secsrvrc.exe
2036 | secsrvrc.exe
1056 | secsrvrc.exe
860 | secsrvrc.exe
2044 | secsrvrc.exe
1644 | secsrvrc.exe
288 | secsrvrc.exe
1408 | secsrvrc.exe
1732 | secsrvrc.exe
1988 | secsrvrc.exe
1924 | secsrvrc.exe
864 | secsrvrc.exe
1076 | secsrvrc.exe
1596 | secsrvrc.exe
1600 | secsrvrc.exe
548 | secsrvrc.exe
1844 | secsrvrc.exe
1868 | secsrvrc.exe
944 | secsrvrc.exe
1416 | secsrvrc.exe
1204 | secsrvrc.exe
1584 | secsrvrc.exe
1556 | secsrvrc.exe
2004 | secsrvrc.exe
1756 | secsrvrc.exe
316 | secsrvrc.exe
568 | secsrvrc.exe
1048 | secsrvrc.exe
1524 | secsrvrc.exe
1984 | secsrvrc.exe
1064 | secsrvrc.exe
820 | secsrvrc.exe
972 | secsrvrc.exe
1208 | secsrvrc.exe
1652 | secsrvrc.exe
1104 | secsrvrc.exe
1620 | secsrvrc.exe
912 | secsrvrc.exe
1688 | secsrvrc.exe
1744 | secsrvrc.exe
904 | secsrvrc.exe
1640 | secsrvrc.exe
1992 | secsrvrc.exe
1436 | secsrvrc.exe
1784 | secsrvrc.exe
1332 | secsrvrc.exe
1856 | secsrvrc.exe
1736 | secsrvrc.exe
1924 | secsrvrc.exe
1120 | secsrvrc.exe
1600 | secsrvrc.exe
1376 | secsrvrc.exe
828 | secsrvrc.exe
1696 | secsrvrc.exe
1780 | secsrvrc.exe
1928 | secsrvrc.exe
1952 | secsrvrc.exe
1748 | secsrvrc.exe
1528 | secsrvrc.exe
672 | secsrvrc.exe
1948 | secsrvrc.exe
Loads dropped DLL (64 IoCs)
pid | Process
364 | c1ba69880bc3be0ddb6ce94f89d692c8bffb154bbef375769dfb0b4e61502267.exe
364 | c1ba69880bc3be0ddb6ce94f89d692c8bffb154bbef375769dfb0b4e61502267.exe
1812 | secsrvrc.exe
1812 | secsrvrc.exe
1860 | secsrvrc.exe
1860 | secsrvrc.exe
1288 | secsrvrc.exe
1288 | secsrvrc.exe
240 | secsrvrc.exe
240 | secsrvrc.exe
2036 | secsrvrc.exe
2036 | secsrvrc.exe
1056 | secsrvrc.exe
1056 | secsrvrc.exe
860 | secsrvrc.exe
860 | secsrvrc.exe
2044 | secsrvrc.exe
2044 | secsrvrc.exe
1644 | secsrvrc.exe
1644 | secsrvrc.exe
288 | secsrvrc.exe
288 | secsrvrc.exe
1408 | secsrvrc.exe
1408 | secsrvrc.exe
1732 | secsrvrc.exe
1732 | secsrvrc.exe
1988 | secsrvrc.exe
1988 | secsrvrc.exe
1924 | secsrvrc.exe
1924 | secsrvrc.exe
864 | secsrvrc.exe
864 | secsrvrc.exe
1076 | secsrvrc.exe
1076 | secsrvrc.exe
1596 | secsrvrc.exe
1596 | secsrvrc.exe
1600 | secsrvrc.exe
1600 | secsrvrc.exe
548 | secsrvrc.exe
548 | secsrvrc.exe
1844 | secsrvrc.exe
1844 | secsrvrc.exe
1868 | secsrvrc.exe
1868 | secsrvrc.exe
944 | secsrvrc.exe
944 | secsrvrc.exe
1416 | secsrvrc.exe
1416 | secsrvrc.exe
1204 | secsrvrc.exe
1204 | secsrvrc.exe
1584 | secsrvrc.exe
1584 | secsrvrc.exe
1556 | secsrvrc.exe
1556 | secsrvrc.exe
2004 | secsrvrc.exe
2004 | secsrvrc.exe
1756 | secsrvrc.exe
1756 | secsrvrc.exe
316 | secsrvrc.exe
316 | secsrvrc.exe
568 | secsrvrc.exe
568 | secsrvrc.exe
1048 | secsrvrc.exe
1048 | secsrvrc.exe
Adds Run key to start application (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\secsrvrc = "C:\\Windows\\system32\\secsrvrc.exe" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | secsrvrc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\secsrvrc = "C:\\Windows\\system32\\secsrvrc.exe" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | secsrvrc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\secsrvrc = "C:\\Windows\\system32\\secsrvrc.exe" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\secsrvrc = "C:\\Windows\\system32\\secsrvrc.exe" | secsrvrc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\secsrvrc = "C:\\Windows\\system32\\secsrvrc.exe" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\secsrvrc = "C:\\Windows\\system32\\secsrvrc.exe" | secsrvrc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\secsrvrc = "C:\\Windows\\system32\\secsrvrc.exe" | secsrvrc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\secsrvrc = "C:\\Windows\\system32\\secsrvrc.exe" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | secsrvrc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\secsrvrc = "C:\\Windows\\system32\\secsrvrc.exe" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | secsrvrc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | secsrvrc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\secsrvrc = "C:\\Windows\\system32\\secsrvrc.exe" | secsrvrc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\secsrvrc = "C:\\Windows\\system32\\secsrvrc.exe" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\secsrvrc = "C:\\Windows\\system32\\secsrvrc.exe" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\secsrvrc = "C:\\Windows\\system32\\secsrvrc.exe" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\secsrvrc = "C:\\Windows\\system32\\secsrvrc.exe" | secsrvrc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\secsrvrc = "C:\\Windows\\system32\\secsrvrc.exe" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | secsrvrc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\secsrvrc = "C:\\Windows\\system32\\secsrvrc.exe" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\secsrvrc = "C:\\Windows\\system32\\secsrvrc.exe" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\secsrvrc = "C:\\Windows\\system32\\secsrvrc.exe" | secsrvrc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\secsrvrc = "C:\\Windows\\system32\\secsrvrc.exe" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\secsrvrc = "C:\\Windows\\system32\\secsrvrc.exe" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | secsrvrc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | secsrvrc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\secsrvrc = "C:\\Windows\\system32\\secsrvrc.exe" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\secsrvrc = "C:\\Windows\\system32\\secsrvrc.exe" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\secsrvrc = "C:\\Windows\\system32\\secsrvrc.exe" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\secsrvrc = "C:\\Windows\\system32\\secsrvrc.exe" | secsrvrc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | secsrvrc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\secsrvrc = "C:\\Windows\\system32\\secsrvrc.exe" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\secsrvrc = "C:\\Windows\\system32\\secsrvrc.exe" | secsrvrc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\secsrvrc = "C:\\Windows\\system32\\secsrvrc.exe" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | secsrvrc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\secsrvrc = "C:\\Windows\\system32\\secsrvrc.exe" | secsrvrc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\secsrvrc = "C:\\Windows\\system32\\secsrvrc.exe" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\secsrvrc = "C:\\Windows\\system32\\secsrvrc.exe" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | secsrvrc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\secsrvrc = "C:\\Windows\\system32\\secsrvrc.exe" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\secsrvrc = "C:\\Windows\\system32\\secsrvrc.exe" | secsrvrc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\secsrvrc = "C:\\Windows\\system32\\secsrvrc.exe" | Process not Found
Modifies WinLogon (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc\Impersonate = "0" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc | secsrvrc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc\Lock = "WLELock" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc\Unlock = "WLEUnlock" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc\DllName = "secsrvrc.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc\StopScreenSaver = "WLEStopScreenSaver" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc\DllName = "secsrvrc.dll" | Process not Found
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc\Impersonate = "0" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc\Shutdown = "WLEShutdown" | Process not Found
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc\Asynchronous = "0" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc\DllName = "secsrvrc.dll" | secsrvrc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc\Unlock = "WLEUnlock" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc\Startup = "WLEStartup" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc\Lock = "WLELock" | Process not Found
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc\Asynchronous = "0" | secsrvrc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc\StartScreenSaver = "WLEStartScreenSaver" | secsrvrc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc\Unlock = "WLEUnlock" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc\Unlock = "WLEUnlock" | secsrvrc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc\DllName = "secsrvrc.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc\Logoff = "WLELogoff" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc\Unlock = "WLEUnlock" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc\StartScreenSaver = "WLEStartScreenSaver" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc\Logon = "WLELogon" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | secsrvrc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc\Logoff = "WLELogoff" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc\Lock = "WLELock" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc\StopScreenSaver = "WLEStopScreenSaver" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc\StopScreenSaver = "WLEStopScreenSaver" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc\Shutdown = "WLEShutdown" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc\DllName = "secsrvrc.dll" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc | secsrvrc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc\Lock = "WLELock" | secsrvrc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc\DllName = "secsrvrc.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc\DllName = "secsrvrc.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc\Startup = "WLEStartup" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc\StopScreenSaver = "WLEStopScreenSaver" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc\Lock = "WLELock" | secsrvrc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc\Asynchronous = "0" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc\Startup = "WLEStartup" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc\Logoff = "WLELogoff" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc\StartScreenSaver = "WLEStartScreenSaver" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc | secsrvrc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc\Logoff = "WLELogoff" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc\Shutdown = "WLEShutdown" | secsrvrc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc\StopScreenSaver = "WLEStopScreenSaver" | secsrvrc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc\Logon = "WLELogon" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc\Startup = "WLEStartup" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc\Logon = "WLELogon" | Process not Found
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc\Asynchronous = "0" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc\Startup = "WLEStartup" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc\Shutdown = "WLEShutdown" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc\StartScreenSaver = "WLEStartScreenSaver" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc | secsrvrc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc\Unlock = "WLEUnlock" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc\Logoff = "WLELogoff" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | Process not Found
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc\Asynchronous = "0" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc\Shutdown = "WLEShutdown" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc\StopScreenSaver = "WLEStopScreenSaver" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc\DllName = "secsrvrc.dll" | Process not Found
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\secsrvrc.exe | Process not Found
File created | C:\Windows\SysWOW64\secsrvrc.exe | Process not Found
File created | C:\Windows\SysWOW64\secsrvrc.exe | secsrvrc.exe
File created | C:\Windows\SysWOW64\secsrvrc.exe | secsrvrc.exe
File created | C:\Windows\SysWOW64\secsrvrc.exe | secsrvrc.exe
File created | C:\Windows\SysWOW64\secsrvrc.exe | Process not Found
File created | C:\Windows\SysWOW64\secsrvrc.exe | Process not Found
File created | C:\Windows\SysWOW64\secsrvrc.exe | Process not Found
File created | C:\Windows\SysWOW64\secsrvrc.exe | secsrvrc.exe
File created | C:\Windows\SysWOW64\secsrvrc.exe | Process not Found
File created | C:\Windows\SysWOW64\secsrvrc.exe | Process not Found
File created | C:\Windows\SysWOW64\secsrvrc.exe | secsrvrc.exe
File created | C:\Windows\SysWOW64\secsrvrc.exe | Process not Found
File created | C:\Windows\SysWOW64\secsrvrc.exe | Process not Found
File created | C:\Windows\SysWOW64\secsrvrc.exe | secsrvrc.exe
File created | C:\Windows\SysWOW64\secsrvrc.exe | Process not Found
File created | C:\Windows\SysWOW64\secsrvrc.exe | Process not Found
File created | C:\Windows\SysWOW64\secsrvrc.exe | Process not Found
File created | C:\Windows\SysWOW64\secsrvrc.exe | Process not Found
File created | C:\Windows\SysWOW64\secsrvrc.exe | secsrvrc.exe
File created | C:\Windows\SysWOW64\secsrvrc.exe | Process not Found
File created | C:\Windows\SysWOW64\secsrvrc.exe | Process not Found
File created | C:\Windows\SysWOW64\secsrvrc.exe | Process not Found
File created | C:\Windows\SysWOW64\secsrvrc.exe | secsrvrc.exe
File created | C:\Windows\SysWOW64\secsrvrc.exe | Process not Found
File created | C:\Windows\SysWOW64\secsrvrc.exe | Process not Found
File created | C:\Windows\SysWOW64\secsrvrc.exe | Process not Found
File created | C:\Windows\SysWOW64\secsrvrc.exe | Process not Found
File created | C:\Windows\SysWOW64\secsrvrc.exe | Process not Found
File created | C:\Windows\SysWOW64\secsrvrc.exe | secsrvrc.exe
File created | C:\Windows\SysWOW64\secsrvrc.exe | secsrvrc.exe
File created | C:\Windows\SysWOW64\secsrvrc.exe | secsrvrc.exe
File created | C:\Windows\SysWOW64\secsrvrc.exe | secsrvrc.exe
File created | C:\Windows\SysWOW64\secsrvrc.exe | secsrvrc.exe
File created | C:\Windows\SysWOW64\secsrvrc.exe | secsrvrc.exe
File created | C:\Windows\SysWOW64\secsrvrc.exe | Process not Found
File created | C:\Windows\SysWOW64\secsrvrc.exe | Process not Found
File created | C:\Windows\SysWOW64\secsrvrc.exe | Process not Found
File created | C:\Windows\SysWOW64\secsrvrc.exe | Process not Found
File created | C:\Windows\SysWOW64\secsrvrc.exe | secsrvrc.exe
File created | C:\Windows\SysWOW64\secsrvrc.exe | secsrvrc.exe
File created | C:\Windows\SysWOW64\secsrvrc.exe | Process not Found
File created | C:\Windows\SysWOW64\secsrvrc.exe | Process not Found
File created | C:\Windows\SysWOW64\secsrvrc.exe | Process not Found
File created | C:\Windows\SysWOW64\secsrvrc.exe | Process not Found
File created | C:\Windows\SysWOW64\secsrvrc.exe | secsrvrc.exe
File created | C:\Windows\SysWOW64\secsrvrc.exe | Process not Found
File created | C:\Windows\SysWOW64\secsrvrc.exe | Process not Found
File created | C:\Windows\SysWOW64\secsrvrc.exe | Process not Found
File created | C:\Windows\SysWOW64\secsrvrc.exe | Process not Found
File created | C:\Windows\SysWOW64\secsrvrc.exe | Process not Found
File created | C:\Windows\SysWOW64\secsrvrc.exe | Process not Found
File created | C:\Windows\SysWOW64\secsrvrc.exe | Process not Found
File created | C:\Windows\SysWOW64\secsrvrc.exe | Process not Found
File created | C:\Windows\SysWOW64\secsrvrc.exe | secsrvrc.exe
File created | C:\Windows\SysWOW64\secsrvrc.exe | secsrvrc.exe
File created | C:\Windows\SysWOW64\secsrvrc.exe | Process not Found
File created | C:\Windows\SysWOW64\secsrvrc.exe | Process not Found
File created | C:\Windows\SysWOW64\secsrvrc.exe | Process not Found
File created | C:\Windows\SysWOW64\secsrvrc.exe | Process not Found
File created | C:\Windows\SysWOW64\secsrvrc.exe | secsrvrc.exe
File created | C:\Windows\SysWOW64\secsrvrc.exe | Process not Found
File created | C:\Windows\SysWOW64\secsrvrc.exe | secsrvrc.exe
File created | C:\Windows\SysWOW64\secsrvrc.exe | Process not Found
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 364 wrote to memory of 1812 | 364 | c1ba69880bc3be0ddb6ce94f89d692c8bffb154bbef375769dfb0b4e61502267.exe | 26
PID 364 wrote to memory of 1812 | 364 | c1ba69880bc3be0ddb6ce94f89d692c8bffb154bbef375769dfb0b4e61502267.exe | 26
PID 364 wrote to memory of 1812 | 364 | c1ba69880bc3be0ddb6ce94f89d692c8bffb154bbef375769dfb0b4e61502267.exe | 26
PID 364 wrote to memory of 1812 | 364 | c1ba69880bc3be0ddb6ce94f89d692c8bffb154bbef375769dfb0b4e61502267.exe | 26
PID 1812 wrote to memory of 1860 | 1812 | secsrvrc.exe | 27
PID 1812 wrote to memory of 1860 | 1812 | secsrvrc.exe | 27
PID 1812 wrote to memory of 1860 | 1812 | secsrvrc.exe | 27
PID 1812 wrote to memory of 1860 | 1812 | secsrvrc.exe | 27
PID 1860 wrote to memory of 1288 | 1860 | secsrvrc.exe | 28
PID 1860 wrote to memory of 1288 | 1860 | secsrvrc.exe | 28
PID 1860 wrote to memory of 1288 | 1860 | secsrvrc.exe | 28
PID 1860 wrote to memory of 1288 | 1860 | secsrvrc.exe | 28
PID 1288 wrote to memory of 240 | 1288 | secsrvrc.exe | 29
PID 1288 wrote to memory of 240 | 1288 | secsrvrc.exe | 29
PID 1288 wrote to memory of 240 | 1288 | secsrvrc.exe | 29
PID 1288 wrote to memory of 240 | 1288 | secsrvrc.exe | 29
PID 240 wrote to memory of 2036 | 240 | secsrvrc.exe | 30
PID 240 wrote to memory of 2036 | 240 | secsrvrc.exe | 30
PID 240 wrote to memory of 2036 | 240 | secsrvrc.exe | 30
PID 240 wrote to memory of 2036 | 240 | secsrvrc.exe | 30
PID 2036 wrote to memory of 1056 | 2036 | secsrvrc.exe | 31
PID 2036 wrote to memory of 1056 | 2036 | secsrvrc.exe | 31
PID 2036 wrote to memory of 1056 | 2036 | secsrvrc.exe | 31
PID 2036 wrote to memory of 1056 | 2036 | secsrvrc.exe | 31
PID 1056 wrote to memory of 860 | 1056 | secsrvrc.exe | 32
PID 1056 wrote to memory of 860 | 1056 | secsrvrc.exe | 32
PID 1056 wrote to memory of 860 | 1056 | secsrvrc.exe | 32
PID 1056 wrote to memory of 860 | 1056 | secsrvrc.exe | 32
PID 860 wrote to memory of 2044 | 860 | secsrvrc.exe | 33
PID 860 wrote to memory of 2044 | 860 | secsrvrc.exe | 33
PID 860 wrote to memory of 2044 | 860 | secsrvrc.exe | 33
PID 860 wrote to memory of 2044 | 860 | secsrvrc.exe | 33
PID 2044 wrote to memory of 1644 | 2044 | secsrvrc.exe | 34
PID 2044 wrote to memory of 1644 | 2044 | secsrvrc.exe | 34
PID 2044 wrote to memory of 1644 | 2044 | secsrvrc.exe | 34
PID 2044 wrote to memory of 1644 | 2044 | secsrvrc.exe | 34
PID 1644 wrote to memory of 288 | 1644 | secsrvrc.exe | 35
PID 1644 wrote to memory of 288 | 1644 | secsrvrc.exe | 35
PID 1644 wrote to memory of 288 | 1644 | secsrvrc.exe | 35
PID 1644 wrote to memory of 288 | 1644 | secsrvrc.exe | 35
PID 288 wrote to memory of 1408 | 288 | secsrvrc.exe | 36
PID 288 wrote to memory of 1408 | 288 | secsrvrc.exe | 36
PID 288 wrote to memory of 1408 | 288 | secsrvrc.exe | 36
PID 288 wrote to memory of 1408 | 288 | secsrvrc.exe | 36
PID 1408 wrote to memory of 1732 | 1408 | secsrvrc.exe | 37
PID 1408 wrote to memory of 1732 | 1408 | secsrvrc.exe | 37
PID 1408 wrote to memory of 1732 | 1408 | secsrvrc.exe | 37
PID 1408 wrote to memory of 1732 | 1408 | secsrvrc.exe | 37
PID 1732 wrote to memory of 1988 | 1732 | secsrvrc.exe | 38
PID 1732 wrote to memory of 1988 | 1732 | secsrvrc.exe | 38
PID 1732 wrote to memory of 1988 | 1732 | secsrvrc.exe | 38
PID 1732 wrote to memory of 1988 | 1732 | secsrvrc.exe | 38
PID 1988 wrote to memory of 1924 | 1988 | secsrvrc.exe | 39
PID 1988 wrote to memory of 1924 | 1988 | secsrvrc.exe | 39
PID 1988 wrote to memory of 1924 | 1988 | secsrvrc.exe | 39
PID 1988 wrote to memory of 1924 | 1988 | secsrvrc.exe | 39
PID 1924 wrote to memory of 864 | 1924 | secsrvrc.exe | 40
PID 1924 wrote to memory of 864 | 1924 | secsrvrc.exe | 40
PID 1924 wrote to memory of 864 | 1924 | secsrvrc.exe | 40
PID 1924 wrote to memory of 864 | 1924 | secsrvrc.exe | 40
PID 864 wrote to memory of 1076 | 864 | secsrvrc.exe | 41
PID 864 wrote to memory of 1076 | 864 | secsrvrc.exe | 41
PID 864 wrote to memory of 1076 | 864 | secsrvrc.exe | 41
PID 864 wrote to memory of 1076 | 864 | secsrvrc.exe | 41
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\c1ba69880bc3be0ddb6ce94f89d692c8bffb154bbef375769dfb0b4e61502267.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c1ba69880bc3be0ddb6ce94f89d692c8bffb154bbef375769dfb0b4e61502267.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 364

Depth 2: C:\Windows\SysWOW64\secsrvrc.exe
  Command line: C:\Windows\system32\secsrvrc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1812

Depth 3: C:\Windows\SysWOW64\secsrvrc.exe
  Command line: C:\Windows\system32\secsrvrc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1860

Depth 4: C:\Windows\SysWOW64\secsrvrc.exe
  Command line: C:\Windows\system32\secsrvrc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1288

Depth 5: C:\Windows\SysWOW64\secsrvrc.exe
  Command line: C:\Windows\system32\secsrvrc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 240

Depth 6: C:\Windows\SysWOW64\secsrvrc.exe
  Command line: C:\Windows\system32\secsrvrc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2036

Depth 7: C:\Windows\SysWOW64\secsrvrc.exe
  Command line: C:\Windows\system32\secsrvrc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1056

Depth 8: C:\Windows\SysWOW64\secsrvrc.exe
  Command line: C:\Windows\system32\secsrvrc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 860

Depth 9: C:\Windows\SysWOW64\secsrvrc.exe
  Command line: C:\Windows\system32\secsrvrc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2044

Depth 10: C:\Windows\SysWOW64\secsrvrc.exe
  Command line: C:\Windows\system32\secsrvrc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1644

Depth 11: C:\Windows\SysWOW64\secsrvrc.exe
  Command line: C:\Windows\system32\secsrvrc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 288

Depth 12: C:\Windows\SysWOW64\secsrvrc.exe
  Command line: C:\Windows\system32\secsrvrc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1408

Depth 13: C:\Windows\SysWOW64\secsrvrc.exe
  Command line: C:\Windows\system32\secsrvrc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1732

Depth 14: C:\Windows\SysWOW64\secsrvrc.exe
  Command line: C:\Windows\system32\secsrvrc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1988

Depth 15: C:\Windows\SysWOW64\secsrvrc.exe
  Command line: C:\Windows\system32\secsrvrc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1924

Depth 16: C:\Windows\SysWOW64\secsrvrc.exe
  Command line: C:\Windows\system32\secsrvrc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 864

Depth 17: C:\Windows\SysWOW64\secsrvrc.exe
  Command line: C:\Windows\system32\secsrvrc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies WinLogon
  PID: 1076

Depth 18: C:\Windows\SysWOW64\secsrvrc.exe
  Command line: C:\Windows\system32\secsrvrc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 1596

Depth 19: C:\Windows\SysWOW64\secsrvrc.exe
  Command line: C:\Windows\system32\secsrvrc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 1600

Depth 20: C:\Windows\SysWOW64\secsrvrc.exe
  Command line: C:\Windows\system32\secsrvrc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 548

Depth 21: C:\Windows\SysWOW64\secsrvrc.exe
  Command line: C:\Windows\system32\secsrvrc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 1844

Depth 22: C:\Windows\SysWOW64\secsrvrc.exe
  Command line: C:\Windows\system32\secsrvrc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 1868

Depth 23: C:\Windows\SysWOW64\secsrvrc.exe
  Command line: C:\Windows\system32\secsrvrc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 944

Depth 24: C:\Windows\SysWOW64\secsrvrc.exe
  Command line: C:\Windows\system32\secsrvrc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 1416

Depth 25: C:\Windows\SysWOW64\secsrvrc.exe
  Command line: C:\Windows\system32\secsrvrc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 1204

Depth 26: C:\Windows\SysWOW64\secsrvrc.exe
  Command line: C:\Windows\system32\secsrvrc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 1584

Depth 27: C:\Windows\SysWOW64\secsrvrc.exe
  Command line: C:\Windows\system32\secsrvrc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 1556

Depth 28: C:\Windows\SysWOW64\secsrvrc.exe
  Command line: C:\Windows\system32\secsrvrc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 2004

Depth 29: C:\Windows\SysWOW64\secsrvrc.exe
  Command line: C:\Windows\system32\secsrvrc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 1756

Depth 30: C:\Windows\SysWOW64\secsrvrc.exe
  Command line: C:\Windows\system32\secsrvrc.exe
  - Executes dropped EXE
  - Loads dropped DLL
PID:316 -
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:568 -
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1048 -
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe33⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe34⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe35⤵
- Executes dropped EXE
PID:1064 -
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe36⤵
- Executes dropped EXE
PID:820 -
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe37⤵
- Executes dropped EXE
PID:972 -
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1208 -
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe39⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe40⤵
- Executes dropped EXE
PID:1104 -
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1620 -
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe42⤵
- Executes dropped EXE
PID:912 -
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe43⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe44⤵
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe45⤵
- Executes dropped EXE
PID:904 -
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe46⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe47⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe48⤵
- Executes dropped EXE
PID:1436 -
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe49⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe50⤵
- Executes dropped EXE
PID:1332 -
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe51⤵
- Executes dropped EXE
- Modifies WinLogon
PID:1856 -
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe52⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe53⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe54⤵
- Executes dropped EXE
PID:1120 -
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe55⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe56⤵
- Executes dropped EXE
PID:1376 -
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe57⤵
- Executes dropped EXE
PID:828 -
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe58⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe59⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe60⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe61⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe62⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe63⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe64⤵
- Executes dropped EXE
PID:672 -
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe65⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe66⤵PID:2036
-
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe67⤵PID:1692
-
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe68⤵PID:1584
-
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe69⤵PID:1664
-
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe70⤵PID:1520
-
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe71⤵PID:1644
-
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe72⤵
- Drops file in System32 directory
PID:1052 -
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe73⤵PID:1192
-
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe74⤵PID:688
-
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe75⤵PID:820
-
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe76⤵PID:1208
-
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe77⤵PID:1956
-
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe78⤵PID:1460
-
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe79⤵PID:1720
-
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe80⤵PID:1760
-
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe81⤵PID:632
-
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe82⤵PID:928
-
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe83⤵PID:1972
-
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe84⤵PID:1092
-
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe85⤵PID:2016
-
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe86⤵PID:1920
-
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe87⤵PID:1504
-
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe88⤵
- Adds Run key to start application
PID:364 -
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe89⤵PID:320
-
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe90⤵PID:832
-
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe91⤵PID:944
-
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe92⤵PID:1456
-
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe93⤵PID:1844
-
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe94⤵
- Adds Run key to start application
PID:1764 -
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe95⤵PID:1600
-
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe96⤵PID:240
-
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe97⤵PID:1576
-
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe98⤵
- Modifies WinLogon
PID:560 -
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe99⤵PID:1780
-
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe100⤵
- Modifies WinLogon
PID:1416 -
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe101⤵PID:1476
-
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe102⤵PID:1868
-
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe103⤵PID:1288
-
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe104⤵PID:1628
-
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe105⤵PID:1680
-
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe106⤵PID:1796
-
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe107⤵PID:1708
-
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe108⤵PID:1064
-
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe109⤵PID:1572
-
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe110⤵PID:1524
-
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe111⤵PID:1940
-
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe112⤵
- Drops file in System32 directory
PID:1984 -
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe113⤵PID:1116
-
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe114⤵PID:972
-
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe115⤵PID:764
-
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe116⤵PID:2020
-
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe117⤵PID:1256
-
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe118⤵PID:612
-
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe119⤵PID:1080
-
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe120⤵PID:1232
-
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe121⤵PID:1744
-
C:\Windows\SysWOW64\secsrvrc.exeC:\Windows\system32\secsrvrc.exe122⤵PID:1604
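Added example, not part of the sandbox report or of the malware: how a detection or DFIR script would reason about a tree like the one above. It takes constructed process-creation records in the shape of Sysmon Event ID 1 (creation order, PID, parent PID, loaded image, command line), links children to parents without being fooled by PID reuse, measures how deeply an image nests itself, and recognises the System32 versus SysWOW64 mismatch as WoW64 file system redirection. The PID values come from the report's first nodes plus one reused PID; the sample's on-disk directory, the parent PIDs of the first two nodes, the chain length and the `min_chain` threshold are assumptions.

```python
"""Spot a self-replicating process chain and WoW64 path redirection in
process-creation records. Added example, not part of the sandbox report.

Records are shaped like Sysmon Event ID 1 / sandbox process output.
PIDs are reused during a run, so processes are keyed by creation order
(seq), never by PID alone.
"""
import ntpath
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    seq: int       # creation order within the run (monotonic, unique)
    pid: int
    ppid: int
    image: str     # image path as actually mapped by the loader
    cmdline: str   # command line as passed by the parent


def _exe_from_cmdline(cmdline):
    """First token of a command line, honouring a quoted path."""
    s = cmdline.strip()
    if s.startswith('"'):
        return s[1:s.find('"', 1)]
    return s.split(None, 1)[0]


def build_tree(events):
    """Link each event (by seq) to its parent event (by seq).

    The parent is the most recently created process holding ppid at the
    moment the child was created; a plain pid lookup would attach the
    child to a long-dead process once that pid has been reused.
    """
    by_seq, parent_of, latest_for_pid = {}, {}, {}
    for e in sorted(events, key=lambda x: x.seq):
        by_seq[e.seq] = e
        parent_of[e.seq] = latest_for_pid.get(e.ppid)
        latest_for_pid[e.pid] = e.seq
    return by_seq, parent_of


def self_spawn_chain_depths(events):
    """Longest run, per image basename, of a process spawning its own image."""
    by_seq, parent_of = build_tree(events)
    depth, longest = {}, defaultdict(int)
    for seq in sorted(by_seq):
        name = ntpath.basename(by_seq[seq].image).lower()
        p = parent_of[seq]
        same = p is not None and ntpath.basename(by_seq[p].image).lower() == name
        depth[seq] = depth[p] + 1 if same else 1
        longest[name] = max(longest[name], depth[seq])
    return dict(longest)


SYSTEM32 = "c:\\windows\\system32\\"
SYSWOW64 = "c:\\windows\\syswow64\\"


def wow64_redirected(e):
    """True when the parent asked for System32 but the loader mapped SysWOW64.

    On x64 Windows a 32-bit process opening System32 is redirected to
    SysWOW64 by WoW64 file system redirection; this is the benign
    explanation for the image/command-line mismatch, not a spoofed path.
    """
    want = _exe_from_cmdline(e.cmdline).lower()
    got = e.image.lower()
    return (want.startswith(SYSTEM32) and got.startswith(SYSWOW64)
            and ntpath.basename(want) == ntpath.basename(got))


def triage(events, min_chain=5):
    """Summarise the findings an analyst wants from the tree."""
    chains = {n: d for n, d in self_spawn_chain_depths(events).items() if d >= min_chain}
    redirected = sorted({e.pid for e in events if wow64_redirected(e)})
    seen, reused = set(), set()
    for e in events:
        if e.pid in seen:
            reused.add(e.pid)
        seen.add(e.pid)
    return {"self_spawn_chains": chains,
            "wow64_redirected_pids": redirected,
            "reused_pids": sorted(reused)}


# Constructed sample modelled on the report: PIDs are those of the report's
# first nodes plus 2036 reused; the sample's directory and the first two
# parent PIDs (1400, 1500) are assumptions.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\c1ba69880bc3be0ddb6ce94f89d692c8bffb154bbef375769dfb0b4e61502267.exe"
DROPPED_IMAGE = r"C:\Windows\SysWOW64\secsrvrc.exe"
DROPPED_CMD = r"C:\Windows\system32\secsrvrc.exe"
CHAIN_PIDS = [1812, 1860, 1288, 240, 2036, 1056, 860, 2044, 1644, 288, 2036, 1692]


def constructed_events():
    events = [ProcEvent(1, 1500, 1400, SAMPLE, f'"{SAMPLE}"')]
    ppid = 1500
    for seq, pid in enumerate(CHAIN_PIDS, start=2):
        events.append(ProcEvent(seq, pid, ppid, DROPPED_IMAGE, DROPPED_CMD))
        ppid = pid
    return events


if __name__ == "__main__":
    print(triage(constructed_events()))
```

The reused PID 2036 is the point of `build_tree`: the node created with ppid 2036 must attach to the second 2036, or the chain appears to break at depth 11 and a threshold-based rule never fires. On real Sysmon data use ProcessGuid/ParentProcessGuid instead of the seq approximation.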