Analysis
max time kernel: 152s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/12/2022, 20:27
Static task: static1
Behavioral task behavioral1: sample 3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe, resource win7-20220901-en
Behavioral task behavioral2: sample 3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe, resource win10v2004-20220901-en
The signatures, process tree and dropped files below come from the windows10-2004_x64 run (behavioral2); the Windows 7 run is not shown on this page.
General
Target: 3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe
Size: 51KB
MD5: 90ca9ef857133b48966dd0bf39fdca1c
SHA1: 47f948dfdd4b12605a7b658d461419b4d1807446
SHA256: 3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1
SHA512: 1eb46fd52d62d6ee0b4d3d323865a294c01b8938635d95639f3042be182cd5e7ea41f4458378aac9eb1939b65fcc3f812c3f04bd9d86126269bd872f39531b60
SSDEEP: 768:he6RKrrq1haq/b4548dWS24Pq6a4euUYSIKffx7T1wBWpZdQZur2:hZKrEh9zwlW6a4euUYSIIx7NHd5r2
Malware Config
Signatures
In the tables below, "sample.exe" stands for the submitted file 3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe. The report lists at most 64 rows per signature, so the two 64-row tables are truncated, not complete.

Executes dropped EXE (8 IoCs)
pid | Process
1396 | HdAudio.exe
4688 | winhv.exe
3056 | winhv.exe
2168 | HdAudio.exe
400 | HdAudio.exe
1120 | winhv.exe
4980 | winhv.exe
1308 | HdAudio.exe

Checks computer location settings (2 TTPs, 6 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | sample.exe
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | HdAudio.exe
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | winhv.exe
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | cscservice.exe
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | HdAudio.exe
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | winhv.exe
The same value is read by the sample and by every dropped copy, consistent with the copies running the same code.

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\High Definition Audio Function Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\HdAudio.exe" | HdAudio.exe
The identical value is written four times, once by each HdAudio.exe instance in the process tree (PIDs 1396, 2168, 400, 1308). Note that the key is RunOnce, not Run: Windows deletes a RunOnce value before executing it at the next logon, so persistence survives one reboot unless the value is re-set, which every HdAudio.exe instance does. The value name imitates the HD Audio driver; the target binary lives in the user's roaming profile, so no elevation is needed to write it.

Suspicious use of SetThreadContext (4 IoCs)
Source PID | Process | Target PID | Target procid
3868 | sample.exe | 1476 | 86
4688 | winhv.exe | 3056 | 101
488 | cscservice.exe | 4652 | 106
1120 | winhv.exe | 4980 | 112
In every row the target is a freshly created child running the parent's own image, and the parent also wrote into it (see the WriteProcessMemory table): the spawn-suspended, overwrite, SetThreadContext, resume sequence of process hollowing (RunPE-style self-injection). Each of these four targets is also the process that then launches dw20.exe, which the CLR starts on an unhandled managed exception, so the injected code crashed in this environment rather than running to completion.

Drops file in Windows directory (6 IoCs)
description | ioc | Process
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new | sample.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new | sample.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new | winhv.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new | winhv.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new | cscservice.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new | cscservice.exe
These .cch.new files are the CLR 2.0 Code Access Security policy cache that the runtime rewrites when a .NET Framework 2.0 application starts. They are a side effect of the sample being a 32-bit .NET 2.0 binary (note the Framework rather than Framework64 path), not a payload drop.

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
This is a generic heuristic with no IoCs attached; nothing else in this report (no file encryption, no ransom note, no mass file writes) supports a ransomware verdict.

Checks processor information in registry (2 TTPs, 12 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dw20.exe
The three reads above appear once for each of the four dw20.exe instances (12 rows). All of them belong to dw20.exe, the .NET Framework error-reporting shim (Watson) that the CLR launches when a managed process throws an unhandled exception; it collects CPU and BIOS details for the crash report. These reads are crash telemetry, not sandbox evasion by the sample.

Enumerates system info in registry (2 TTPs, 8 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | dw20.exe
Both reads appear once per dw20.exe instance (8 rows); the same crash-reporting caveat applies.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | Rows
3868 | sample.exe | 63
1476 | sample.exe | 1

Suspicious behavior: RenamesItself (1 IoCs)
pid | Process
3868 | sample.exe

Suspicious use of AdjustPrivilegeToken (22 IoCs)
Token | pid | Process
SeDebugPrivilege | 3868 | sample.exe
SeDebugPrivilege | 1476 | sample.exe
SeRestorePrivilege | 3820 | dw20.exe
SeBackupPrivilege | 3820 | dw20.exe (3 rows)
SeDebugPrivilege | 1396 | HdAudio.exe
SeDebugPrivilege | 4688 | winhv.exe
SeDebugPrivilege | 3056 | winhv.exe
SeBackupPrivilege | 1240 | dw20.exe (2 rows)
SeDebugPrivilege | 2168 | HdAudio.exe
SeDebugPrivilege | 488 | cscservice.exe
SeDebugPrivilege | 4652 | cscservice.exe
SeBackupPrivilege | 3440 | dw20.exe (2 rows)
SeDebugPrivilege | 400 | HdAudio.exe
SeDebugPrivilege | 1120 | winhv.exe
SeDebugPrivilege | 4980 | winhv.exe
SeBackupPrivilege | 1944 | dw20.exe (2 rows)
SeDebugPrivilege | 1308 | HdAudio.exe
SeDebugPrivilege is enabled by the sample and by every copy, in both the parent and the hollowed child. SeBackupPrivilege and SeRestorePrivilege are requested only by dw20.exe.

Suspicious use of WriteProcessMemory (64 IoCs)
Source PID | Process | Target PID | Target procid | Rows
3868 | sample.exe | 1460 | 84 | 3
3868 | sample.exe | 1476 | 86 | 8
3868 | sample.exe | 1396 | 87 | 3
1476 | sample.exe | 3820 | 88 | 3
1396 | HdAudio.exe | 4688 | 95 | 3
3868 | sample.exe | 488 | 98 | 3
4688 | winhv.exe | 2984 | 99 | 3
4688 | winhv.exe | 3056 | 101 | 8
3056 | winhv.exe | 1240 | 102 | 3
4688 | winhv.exe | 2168 | 103 | 3
488 | cscservice.exe | 1996 | 104 | 3
488 | cscservice.exe | 4652 | 106 | 8
4652 | cscservice.exe | 3440 | 107 | 3
488 | cscservice.exe | 400 | 108 | 3
400 | HdAudio.exe | 1120 | 109 | 3
1120 | winhv.exe | 4152 | 110 | 3
1120 | winhv.exe | 4980 | 112 | 1 (table cut off at the 64-row limit)
Every ordinary child (cmd.exe, HdAudio.exe, dw20.exe) receives exactly three writes, which is the baseline this sandbox records for process creation. The same-image children that are also SetThreadContext targets (1476, 3056, 4652) receive eight, the extra writes being the injected image.
Processes
Indentation is parent to child. The image path for cmd.exe is C:\Windows\SysWOW64\cmd.exe although the command line names System32, and the crash handler comes from the 32-bit Framework directory: the sample and all its copies are 32-bit processes under WOW64. The signatures listed under each process are the ones the report attributes to it.

- C:\Users\Admin\AppData\Local\Temp\3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe (PID 3868)
  command line: "C:\Users\Admin\AppData\Local\Temp\3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe"
  signatures: Checks computer location settings; Suspicious use of SetThreadContext; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: RenamesItself; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 1460)
    command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe"
  - C:\Users\Admin\AppData\Local\Temp\3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe (PID 1476, hollowed child of 3868)
    command line: "C:\Users\Admin\AppData\Local\Temp\3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe"
    signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe (PID 3820)
      command line: dw20.exe -x -s 1500
      signatures: Checks processor information in registry; Enumerates system info in registry; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HdAudio.exe (PID 1396)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HdAudio.exe"
    signatures: Executes dropped EXE; Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe (PID 4688)
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe"
      signatures: Executes dropped EXE; Checks computer location settings; Suspicious use of SetThreadContext; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (PID 2984)
        command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe"
        (source and destination are the same path: the dropped copy re-runs the sample's install step against itself, so this copy is a no-op)
      - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe (PID 3056, hollowed child of 4688)
        command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe"
        signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe (PID 1240)
          command line: dw20.exe -x -s 884
          signatures: Checks processor information in registry; Enumerates system info in registry; Suspicious use of AdjustPrivilegeToken
      - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HdAudio.exe (PID 2168)
        command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HdAudio.exe"
        signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cscservice.exe (PID 488)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cscservice.exe"
    signatures: Checks computer location settings; Suspicious use of SetThreadContext; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 1996)
      command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cscservice.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe"
    - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cscservice.exe (PID 4652, hollowed child of 488)
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cscservice.exe"
      signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe (PID 3440)
        command line: dw20.exe -x -s 884
        signatures: Checks processor information in registry; Enumerates system info in registry; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HdAudio.exe (PID 400)
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HdAudio.exe"
      signatures: Executes dropped EXE; Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe (PID 1120)
        command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe"
        signatures: Executes dropped EXE; Checks computer location settings; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\cmd.exe (PID 4152)
          command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe"
          (same no-op self-copy as PID 2984)
        - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe (PID 4980, hollowed child of 1120)
          command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe"
          signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
          - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe (PID 1944)
            command line: dw20.exe -x -s 884
            signatures: Checks processor information in registry; Enumerates system info in registry; Suspicious use of AdjustPrivilegeToken
        - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HdAudio.exe (PID 1308)
          command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HdAudio.exe"
          signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken

The tree repeats the same three-step pattern at each level: copy self into the roaming profile, start a suspended instance of the current image and hollow it (the instance that then crashes into dw20.exe), and start the HdAudio.exe persistence copy, which in turn starts winhv.exe and repeats the cycle.
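The hollowing pattern visible in the SetThreadContext and WriteProcessMemory tables can be checked mechanically against the process tree. The following Python script is an added example for this page, not tria.ge code: it parses the report's flattened "PID a set thread context of b a image procid" rows with a regular expression, rebuilds the parent/child map from the Processes section above, and flags each SetThreadContext target that is a same-image child the caller also wrote into, recording whether that child then launched dw20.exe. The process tuples and SetThreadContext rows are transcribed from the report; the WriteProcessMemory rows embedded in it are a constructed subset of the 64 the report lists.

```python
"""Hollowing triage over tria.ge-style signature rows and a process tree.

Added example for this report; not tria.ge code. Process tuples and the
SetThreadContext rows are transcribed from the report; the WriteProcessMemory
rows are a constructed subset of the full 64-row table.
"""
import re
from collections import Counter, defaultdict

SAMPLE = "3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1.exe"

# (pid, parent pid, image name), transcribed from the report's Processes section.
PROCESSES = [
    (3868, None, SAMPLE),
    (1460, 3868, "cmd.exe"),
    (1476, 3868, SAMPLE),
    (3820, 1476, "dw20.exe"),
    (1396, 3868, "HdAudio.exe"),
    (4688, 1396, "winhv.exe"),
    (2984, 4688, "cmd.exe"),
    (3056, 4688, "winhv.exe"),
    (1240, 3056, "dw20.exe"),
    (2168, 4688, "HdAudio.exe"),
    (488, 3868, "cscservice.exe"),
    (1996, 488, "cmd.exe"),
    (4652, 488, "cscservice.exe"),
    (3440, 4652, "dw20.exe"),
    (400, 488, "HdAudio.exe"),
    (1120, 400, "winhv.exe"),
    (4152, 1120, "cmd.exe"),
    (4980, 1120, "winhv.exe"),
    (1944, 4980, "dw20.exe"),
    (1308, 1120, "HdAudio.exe"),
]

# Signature rows in the report's flattened "PID <src> <verb> <dst> <src> <image> <procid>" form.
SET_THREAD_CONTEXT_ROWS = (
    f"PID 3868 set thread context of 1476 3868 {SAMPLE} 86 "
    "PID 4688 set thread context of 3056 4688 winhv.exe 101 "
    "PID 488 set thread context of 4652 488 cscservice.exe 106 "
    "PID 1120 set thread context of 4980 1120 winhv.exe 112"
)
# Constructed subset of the WriteProcessMemory table (the report lists 64 rows).
WRITE_PROCESS_MEMORY_ROWS = (
    f"PID 3868 wrote to memory of 1460 3868 {SAMPLE} 84 "
    f"PID 3868 wrote to memory of 1476 3868 {SAMPLE} 86 "
    f"PID 3868 wrote to memory of 1476 3868 {SAMPLE} 86 "
    "PID 4688 wrote to memory of 2984 4688 winhv.exe 99 "
    "PID 4688 wrote to memory of 3056 4688 winhv.exe 101 "
    "PID 488 wrote to memory of 4652 488 cscservice.exe 106 "
    "PID 1120 wrote to memory of 4980 1120 winhv.exe 112"
)

# The source PID is repeated after the target PID; the backreference enforces that.
ROW_RE = re.compile(
    r"PID (\d+) (set thread context of|wrote to memory of) (\d+) \1 (\S+) (\d+)"
)


def parse_rows(text):
    """Return (source_pid, verb, target_pid) tuples from a flattened signature table."""
    return [(int(m.group(1)), m.group(2), int(m.group(3))) for m in ROW_RE.finditer(text)]


def build_tree(processes):
    """Map pid -> image name and parent pid -> list of child pids."""
    image = {pid: img for pid, _, img in processes}
    children = defaultdict(list)
    for pid, ppid, _ in processes:
        if ppid is not None:
            children[ppid].append(pid)
    return image, children


def find_hollowing(processes, stc_text, wpm_text):
    """Flag SetThreadContext targets that look like hollowed copies of the caller.

    Self-injection (RunPE-style hollowing) shows as: the target is a direct child,
    runs the same image as the caller, and the caller also wrote into it. A
    dw20.exe child under the target means the injected code raised an unhandled
    .NET exception, i.e. the payload crashed in the sandbox.
    """
    image, children = build_tree(processes)
    writes = Counter((src, dst) for src, verb, dst in parse_rows(wpm_text)
                     if verb == "wrote to memory of")
    findings = []
    for src, verb, dst in parse_rows(stc_text):
        if verb != "set thread context of":
            continue
        same_image = image.get(src) == image.get(dst)
        is_child = dst in children.get(src, [])
        n_writes = writes[(src, dst)]
        crashed = any(image.get(c) == "dw20.exe" for c in children.get(dst, []))
        hollow = same_image and is_child and n_writes > 0
        findings.append({
            "parent": src,
            "child": dst,
            "image": image.get(src),
            "writes_to_child": n_writes,
            "child_spawned_dw20": crashed,
            "verdict": ("process hollowing (self-injection)" if hollow
                        else "thread context changed; review manually"),
        })
    return findings


if __name__ == "__main__":
    for f in find_hollowing(PROCESSES, SET_THREAD_CONTEXT_ROWS, WRITE_PROCESS_MEMORY_ROWS):
        print(f"{f['parent']} -> {f['child']} ({f['image']}): {f['verdict']}; "
              f"writes={f['writes_to_child']} crashed={f['child_spawned_dw20']}")
```

Run against the full 64-row WriteProcessMemory table the write counts become 8 for the three fully listed hollowing pairs; the logic only requires at least one write, so the truncated 1120 -> 4980 row is still flagged. Thread-context changes to a child with a different image (for example a legitimate host process) fall through to the manual-review verdict rather than being labelled hollowing.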
Network
MITRE ATT&CK Enterprise v6
Downloads
The report lists 24 dropped files; entries with identical hashes are collapsed below with their count. No paths are given for them on this page.

Filesize: 224B (1 entry)
MD5: c19eb8c8e7a40e6b987f9d2ee952996e
SHA1: 6fc3049855bc9100643e162511673c6df0f28bfb
SHA256: 677e9e30350df17e2bc20fa9f7d730e9f7cc6e870d6520a345f5f7dc5b31f58a
SHA512: 860713b4a787c2189ed12a47d4b68b60ac00c7a253cae52dd4eb9276dacafeae3a81906b6d0742c8ecfdfaa255777c445beb7c2a532f3c677a9903237ac97596

Filesize: 411B (1 entry)
MD5: c3d73b66af935816305ac2ae288f36a4
SHA1: 5012a926b3b822db4fb44b24e1e85c09bd90be02
SHA256: 87039fa7535d10ed8d77529a8720f1d49f6f4638f28c700ed18c9353364d74e5
SHA512: 958c79b6acaa5799bac691536df44f79d1c997b06a650160cc3f541f07c7dc485e9a02728231b411838d368181aa6488ac284f530de2b905b9f7725a7c06c617

Filesize: 426B (3 entries)
MD5: 0cfe14dbe1b90ceda426b4635ac719a6
SHA1: 8cc0a7384943d3c2b2f55df4dfeed5ae93e93b15
SHA256: 91db94ffe8276e5beccdb3bb07540bcc94a7f2534df85306802e408b667ff039
SHA512: cb4f6484c749d624d1d9099858c67612b002dafb050c92fd82895041f56158472caef90b8e5bc85390712253186c583db0e7025e776b5667a1926b3e014d4cf9

Filesize: 456B (3 entries)
MD5: ad14efc7d4420b3c1e066bbbfb3b2e53
SHA1: c587c4008e6ec060e33bb73c4c04149aa3abb476
SHA256: e5299b0fa29814029dc5c9314960893ee0afd698aa98b5ac2a6d6c4cba1ccffa
SHA512: 652cbfc705131ff860449d927cc595165ab10173c86d27319dbaf65034ab20c5f94889edaa7d4d1f54e29f4bd57a102e0174d92f1e880b25116bbc02c72226cb

Filesize: 12KB (8 entries)
MD5: 296a14988b04c9aee9fa406f9d7e638e
SHA1: 7d00c62bc6d39aad3f8993bf4abfabb4efacd97f
SHA256: 59afd755756cfe422a4a7d20fa3cc8abe41d09f2f9b655f082720517370effe1
SHA512: 3ebe0f534bb59b9bde3dca2dc2e878ca077b7b842c4dede29ae8cc812775054c0cc31d03316c6bac879cc3b5d9c1e2bfa300fab9fb845e38729a53c1417738f4

Filesize: 51KB (6 entries)
MD5: 90ca9ef857133b48966dd0bf39fdca1c
SHA1: 47f948dfdd4b12605a7b658d461419b4d1807446
SHA256: 3923e385c04474b95c043dccf366318f837bb331cab5ddbf3e79b3cf68fe61f1
SHA512: 1eb46fd52d62d6ee0b4d3d323865a294c01b8938635d95639f3042be182cd5e7ea41f4458378aac9eb1939b65fcc3f812c3f04bd9d86126269bd872f39531b60
These six hashes are identical to the submitted sample (see General): the executables dropped under the roaming profile are byte-for-byte copies of the original, so the sample's own hashes cover them.

Filesize: 514B (2 entries)
MD5: b5a1f0df16c60493b62b6f687ccd0ffa
SHA1: 70866c2394781d09c2c300def9a631fce45713de
SHA256: 65aadffe7d03a563d1ebc0bbe6715c947e9c11296c5e1972f5d5dfa9a0c151c6
SHA512: 55a0cdd632ab96f5ef46185d039779beb1ba9f6b425c0d6bf21f800f46af115b44402e372298ba2e203b3b15ed64f8bd14e61a92edc986dcf937923176c8525c