resource	yara_rule
behavioral4/memory/1912-0-0x0000000001280000-0x00000000012AA000-memory.dmp	family_chaos
behavioral4/files/0x000800000001222c-6.dat	family_chaos
behavioral4/memory/2404-7-0x0000000000C80000-0x0000000000CAA000-memory.dmp	family_chaos
behavioral4/memory/2404-10-0x000000001AB70000-0x000000001ABF0000-memory.dmp	family_chaos

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hahaha.txt	svchost.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	svchost.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1658372521-4246568289-2509113762-1000\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	svchost.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lr2tvgljg.jpg"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg"	svchost.exe

pid	Process
1912	antivirus.exe
1912	antivirus.exe
2404	svchost.exe
2404	svchost.exe
2404	svchost.exe

description	pid	Process
Token: SeDebugPrivilege	1912	antivirus.exe
Token: SeDebugPrivilege	2404	svchost.exe
Token: SeBackupPrivilege	2624	vssvc.exe
Token: SeRestorePrivilege	2624	vssvc.exe
Token: SeAuditPrivilege	2624	vssvc.exe
Token: SeIncreaseQuotaPrivilege	988	WMIC.exe
Token: SeSecurityPrivilege	988	WMIC.exe
Token: SeTakeOwnershipPrivilege	988	WMIC.exe
Token: SeLoadDriverPrivilege	988	WMIC.exe
Token: SeSystemProfilePrivilege	988	WMIC.exe
Token: SeSystemtimePrivilege	988	WMIC.exe
Token: SeProfSingleProcessPrivilege	988	WMIC.exe
Token: SeIncBasePriorityPrivilege	988	WMIC.exe
Token: SeCreatePagefilePrivilege	988	WMIC.exe
Token: SeBackupPrivilege	988	WMIC.exe
Token: SeRestorePrivilege	988	WMIC.exe
Token: SeShutdownPrivilege	988	WMIC.exe
Token: SeDebugPrivilege	988	WMIC.exe
Token: SeSystemEnvironmentPrivilege	988	WMIC.exe
Token: SeRemoteShutdownPrivilege	988	WMIC.exe
Token: SeUndockPrivilege	988	WMIC.exe
Token: SeManageVolumePrivilege	988	WMIC.exe
Token: 33	988	WMIC.exe
Token: 34	988	WMIC.exe
Token: 35	988	WMIC.exe
Token: SeIncreaseQuotaPrivilege	988	WMIC.exe
Token: SeSecurityPrivilege	988	WMIC.exe
Token: SeTakeOwnershipPrivilege	988	WMIC.exe
Token: SeLoadDriverPrivilege	988	WMIC.exe
Token: SeSystemProfilePrivilege	988	WMIC.exe
Token: SeSystemtimePrivilege	988	WMIC.exe
Token: SeProfSingleProcessPrivilege	988	WMIC.exe
Token: SeIncBasePriorityPrivilege	988	WMIC.exe
Token: SeCreatePagefilePrivilege	988	WMIC.exe
Token: SeBackupPrivilege	988	WMIC.exe
Token: SeRestorePrivilege	988	WMIC.exe
Token: SeShutdownPrivilege	988	WMIC.exe
Token: SeDebugPrivilege	988	WMIC.exe
Token: SeSystemEnvironmentPrivilege	988	WMIC.exe
Token: SeRemoteShutdownPrivilege	988	WMIC.exe
Token: SeUndockPrivilege	988	WMIC.exe
Token: SeManageVolumePrivilege	988	WMIC.exe
Token: 33	988	WMIC.exe
Token: 34	988	WMIC.exe
Token: 35	988	WMIC.exe
Token: SeBackupPrivilege	2092	wbengine.exe
Token: SeRestorePrivilege	2092	wbengine.exe
Token: SeSecurityPrivilege	2092	wbengine.exe

description	pid	Process	procid_target
PID 1912 wrote to memory of 2404	1912	antivirus.exe	28
PID 1912 wrote to memory of 2404	1912	antivirus.exe	28
PID 1912 wrote to memory of 2404	1912	antivirus.exe	28
PID 2404 wrote to memory of 1636	2404	svchost.exe	30
PID 2404 wrote to memory of 1636	2404	svchost.exe	30
PID 2404 wrote to memory of 1636	2404	svchost.exe	30
PID 1636 wrote to memory of 2668	1636	cmd.exe	32
PID 1636 wrote to memory of 2668	1636	cmd.exe	32
PID 1636 wrote to memory of 2668	1636	cmd.exe	32
PID 1636 wrote to memory of 988	1636	cmd.exe	35
PID 1636 wrote to memory of 988	1636	cmd.exe	35
PID 1636 wrote to memory of 988	1636	cmd.exe	35
PID 2404 wrote to memory of 276	2404	svchost.exe	37
PID 2404 wrote to memory of 276	2404	svchost.exe	37
PID 2404 wrote to memory of 276	2404	svchost.exe	37
PID 276 wrote to memory of 1700	276	cmd.exe	39
PID 276 wrote to memory of 1700	276	cmd.exe	39
PID 276 wrote to memory of 1700	276	cmd.exe	39
PID 276 wrote to memory of 2852	276	cmd.exe	40
PID 276 wrote to memory of 2852	276	cmd.exe	40
PID 276 wrote to memory of 2852	276	cmd.exe	40
PID 2404 wrote to memory of 2840	2404	svchost.exe	41
PID 2404 wrote to memory of 2840	2404	svchost.exe	41
PID 2404 wrote to memory of 2840	2404	svchost.exe	41
PID 2840 wrote to memory of 2060	2840	cmd.exe	43
PID 2840 wrote to memory of 2060	2840	cmd.exe	43
PID 2840 wrote to memory of 2060	2840	cmd.exe	43
PID 2404 wrote to memory of 984	2404	svchost.exe	47
PID 2404 wrote to memory of 984	2404	svchost.exe	47
PID 2404 wrote to memory of 984	2404	svchost.exe	47

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads