Analysis
max time kernel: 151s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/08/2023, 05:59
Static task: static1
Behavioral task: behavioral1
Sample: 81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe
Resource: win7-20230712-en
General
Target: 81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe
Size: 13.6MB
MD5: d69c7e8a72ac1862676f3b1dad3b040f
SHA1: f25b9fad59131babc9581d769921e160cb340366
SHA256: 81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f
SHA512: 37d996749076277bde69c0b513711703472d0b14979024bd8eaf91f5352ab1483c9c25ea3677c7109d3a23ebf2318edbea17332c99faa2fe999a7616c6d228c8
SSDEEP: 393216:m7aA9iNATLFrUaE+gsevy5nU9uffWER6o4wX:OkNCLFrRXgjy5nU9ufjR6k
Malware Config
Signatures
resource | yara_rule
behavioral2/memory/4948-139-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/4948-141-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/4948-140-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/3364-148-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/3364-150-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/4948-153-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/3364-157-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/2412-166-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/2412-173-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/2412-176-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
Gh0st RAT payload 16 IoCs
resource | yara_rule
behavioral2/memory/4948-139-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/4948-141-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/4948-140-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/3364-148-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/3364-149-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/3364-150-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/4948-153-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/3364-157-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/files/0x0006000000023216-163.dat | family_gh0strat
behavioral2/memory/2412-166-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/files/0x0006000000023216-171.dat | family_gh0strat
behavioral2/files/0x0006000000023216-170.dat | family_gh0strat
behavioral2/memory/2412-173-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/2412-176-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/files/0x0006000000023216-297.dat | family_gh0strat
behavioral2/files/0x0006000000023216-301.dat | family_gh0strat
Modifies firewall policy service 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | 81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | 81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | 81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe:*:enabled:@shell32.dll,-1" | 81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe
Drops file in Drivers directory 1 IoCs
description | ioc | Process
File created | C:\Windows\system32\drivers\QAssist.sys | TXPlatforn.exe
Sets DLL path for service in the registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240611625.txt" | svchos.exe
Sets service image path in registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | TXPlatforn.exe
Executes dropped EXE 6 IoCs
pid | Process
4948 | svchost.exe
3364 | TXPlatforn.exe
2412 | TXPlatforn.exe
4748 | svchos.exe
3040 | HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe
5068 | Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
Loads dropped DLL 5 IoCs
pid | Process
4748 | svchos.exe
4784 | svchost.exe
3040 | HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe
1192 | svchost.exe
5068 | Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
resource | yara_rule
behavioral2/memory/4948-137-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/4948-139-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/4948-141-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/4948-140-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/3364-146-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/3364-148-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/3364-149-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/3364-150-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/4948-153-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/3364-157-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/2412-166-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/2412-173-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/2412-176-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/3040-194-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral2/memory/3040-200-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral2/memory/3040-198-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral2/memory/3040-202-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral2/memory/3040-203-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral2/memory/3040-207-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral2/memory/3040-211-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral2/memory/3040-213-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral2/memory/3040-216-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral2/memory/3040-218-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral2/memory/3040-220-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral2/memory/3040-222-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral2/memory/3040-237-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral2/memory/3040-259-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral2/memory/3040-270-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral2/memory/3040-274-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral2/memory/3040-276-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral2/memory/3040-278-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral2/memory/3040-280-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral2/memory/3040-282-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral2/memory/3040-284-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral2/memory/3040-286-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral2/memory/3040-288-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral2/memory/3040-290-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral2/memory/3040-295-0x0000000010000000-0x000000001003E000-memory.dmp | upx
Drops file in System32 directory 7 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | svchost.exe
File created | C:\Windows\SysWOW64\TXPlatforn.exe | svchost.exe
File opened for modification | C:\Windows\SysWOW64\TXPlatforn.exe | svchost.exe
File created | C:\Windows\SysWOW64\240611625.txt | svchos.exe
File opened for modification | C:\Windows\SysWOW64\ini.ini | svchos.exe
File created | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | svchost.exe
File opened for modification | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | svchost.exe
Drops file in Program Files directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | 81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | 81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | 81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe
File created | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | 81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | 81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | \??\c:\windows\HPSocket4C.dll | HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe
File opened for modification | \??\c:\windows\HPSocket4C.dll | HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
pid | pid_target | Process | procid_target
1468 | 4784 | WerFault.exe | 85
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
3624 | PING.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
3912 | 81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe
3912 | 81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe
3040 | HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe
3040 | HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe
Suspicious behavior: LoadsDriver 1 IoCs
pid | Process
2412 | TXPlatforn.exe
Suspicious behavior: MapViewOfSection 64 IoCs
pid | Process
3040 | HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe (this identical row appears 64 times in the report; the repeats are collapsed here)
Suspicious use of AdjustPrivilegeToken 7 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 4948 | svchost.exe
Token: SeLoadDriverPrivilege | 2412 | TXPlatforn.exe
Token: SeDebugPrivilege | 3040 | HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe
Token: 33 | 2412 | TXPlatforn.exe
Token: SeIncBasePriorityPrivilege | 2412 | TXPlatforn.exe
Token: 33 | 2412 | TXPlatforn.exe
Token: SeIncBasePriorityPrivilege | 2412 | TXPlatforn.exe
Suspicious use of SetWindowsHookEx 5 IoCs
pid | Process
3912 | 81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe
3912 | 81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe
3040 | HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe
3040 | HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe
3040 | HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe
Suspicious use of WriteProcessMemory 64 IoCs
(identical rows are collapsed; "entries" is how many times the row appears among the report's 64 entries)
description | pid | Process | procid_target | entries
PID 3912 wrote to memory of 4948 | 3912 | 81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | 82 | 3
PID 4948 wrote to memory of 3084 | 4948 | svchost.exe | 84 | 3
PID 3364 wrote to memory of 2412 | 3364 | TXPlatforn.exe | 88 | 3
PID 3912 wrote to memory of 4748 | 3912 | 81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | 87 | 3
PID 3084 wrote to memory of 3624 | 3084 | cmd.exe | 90 | 3
PID 3912 wrote to memory of 3040 | 3912 | 81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | 91 | 3
PID 3040 wrote to memory of 604 | 3040 | HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | 3 | 6
PID 3040 wrote to memory of 684 | 3040 | HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | 1 | 6
PID 3040 wrote to memory of 804 | 3040 | HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | 8 | 6
PID 3040 wrote to memory of 828 | 3040 | HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | 13 | 6
PID 3040 wrote to memory of 836 | 3040 | HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | 9 | 6
PID 3040 wrote to memory of 924 | 3040 | HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | 12 | 6
PID 3040 wrote to memory of 976 | 3040 | HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | 11 | 6
PID 3040 wrote to memory of 404 | 3040 | HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | 10 | 4
Processes
(one process per line, indented by its depth in the process tree: image path | command line | PID; signatures triggered by a process are listed beneath it)
C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe | PID 684
C:\Windows\system32\winlogon.exe | winlogon.exe | PID 604
  C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 836
  C:\Windows\system32\dwm.exe | "dwm.exe" | PID 404
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p | PID 804
  C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3772
  C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 3856
  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 3652
  C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3488
  C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 3556
  C:\Windows\system32\SppExtComObj.exe | C:\Windows\system32\SppExtComObj.exe -Embedding | PID 5048
  C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 920
  C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID 2768
  C:\Windows\system32\wbem\unsecapp.exe | C:\Windows\system32\wbem\unsecapp.exe -Embedding | PID 2720
  C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 4916
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM | PID 976
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS -p | PID 924
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 828
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | PID 412
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts | PID 672
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule | PID 1108
  C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID 2672
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p | PID 1100
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc | PID 1036
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService | PID 532
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager | PID 1392
  C:\Windows\system32\sihost.exe | sihost.exe | PID 2384
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt | PID 2648
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc | PID 5056
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID 3324
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID 3188
  C:\Users\Admin\AppData\Local\Temp\81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | "C:\Users\Admin\AppData\Local\Temp\81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe" | PID 3912
    - Modifies firewall policy service
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Local\Temp\\svchost.exe | PID 4948
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul | PID 3084
        - Suspicious use of WriteProcessMemory
        C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 2624
        C:\Windows\SysWOW64\PING.EXE | ping -n 2 127.0.0.1 | PID 3624
          - Runs ping.exe
    C:\Users\Admin\AppData\Local\Temp\svchos.exe | C:\Users\Admin\AppData\Local\Temp\\svchos.exe | PID 4748
      - Sets DLL path for service in the registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
    C:\Users\Admin\AppData\Local\Temp\HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | C:\Users\Admin\AppData\Local\Temp\HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | PID 3040
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p | PID 4648
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service | PID 3840
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc | PID 4996
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager | PID 4364
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -s W32Time | PID 3760
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc | PID 3768
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc | PID 2080
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService | PID 2656
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks | PID 2640
C:\Windows\sysmon.exe | C:\Windows\sysmon.exe | PID 2600
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer | PID 2572
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc | PID 2480
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID 2436
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT | PID 2356
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent | PID 2348
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation | PID 2084
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p | PID 1936
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc | PID 1712
C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe | PID 1480
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection | PID 1952
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository | PID 1892
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p | PID 1876
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache | PID 1864
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm | PID 1848
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc | PID 1716
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p | PID 1704
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder | PID 1616
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS | PID 1560
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp | PID 1528
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc | PID 1400
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s nsi | PID 1372
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes | PID 1356
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem | PID 1324
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog | PID 1220
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc | PID 1212
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | PID 1044
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc | PID 1516
C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe -auto | PID 3364
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe -acsi | PID 2412
    - Drops file in Drivers directory
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é" | PID 4784
  - Loads dropped DLL
  - Drops file in System32 directory
  C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 604 | PID 1468
    - Program crash
C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é" | PID 1940
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4784 -ip 4784 | PID 3384
C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é" | PID 1192
  - Loads dropped DLL
  - Drops file in System32 directory
  C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\240611625.txt",MainThread | PID 5068
    - Executes dropped EXE
    - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads