Analysis
max time kernel: 95s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-05-2024 15:23
Static task: static1
General
Target: a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
Size: 3.0MB
MD5: f8d5d84914ea87463cb8efbf49a74f55
SHA1: 9613d02bc94648af72b9b69be6250479164a48a2
SHA256: a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b
SHA512: b43efbf1d722d51ff1cc78086b3a91817ab2d2c0adcb8f37b01aabc679c8310207c890b7e36fd58096de7465cc3ef44fe0140495c129f6ada946bdc50fb27662
SSDEEP: 49152:6QZAdVyVT9n/Gg0P+WhoCsTKyoZ/Pjb6Kt0rbJEuSLz5xXA:jGdVyVT9nOgmh/sTKlZ6K+mLzA
Malware Config
Signatures
Processes (resource: yara_rule):
- behavioral1/memory/4260-6-0x0000000010000000-0x00000000101B6000-memory.dmp: purplefox_rootkit
- behavioral1/memory/4260-10-0x0000000010000000-0x00000000101B6000-memory.dmp: purplefox_rootkit
- behavioral1/memory/4260-7-0x0000000010000000-0x00000000101B6000-memory.dmp: purplefox_rootkit
- behavioral1/memory/724-16-0x0000000010000000-0x00000000101B6000-memory.dmp: purplefox_rootkit
- behavioral1/memory/724-18-0x0000000010000000-0x00000000101B6000-memory.dmp: purplefox_rootkit
- behavioral1/memory/724-27-0x0000000010000000-0x00000000101B6000-memory.dmp: purplefox_rootkit
- behavioral1/memory/724-15-0x0000000010000000-0x00000000101B6000-memory.dmp: purplefox_rootkit
- behavioral1/memory/4968-39-0x0000000010000000-0x00000000101B6000-memory.dmp: purplefox_rootkit
- behavioral1/memory/4968-42-0x0000000010000000-0x00000000101B6000-memory.dmp: purplefox_rootkit
- behavioral1/memory/4968-40-0x0000000010000000-0x00000000101B6000-memory.dmp: purplefox_rootkit
- behavioral1/memory/4968-53-0x0000000010000000-0x00000000101B6000-memory.dmp: purplefox_rootkit
- behavioral1/memory/4968-46-0x0000000010000000-0x00000000101B6000-memory.dmp: purplefox_rootkit
Gh0st RAT payload 13 IoCs
Processes (resource: yara_rule):
- behavioral1/memory/4260-6-0x0000000010000000-0x00000000101B6000-memory.dmp: family_gh0strat
- behavioral1/memory/4260-10-0x0000000010000000-0x00000000101B6000-memory.dmp: family_gh0strat
- behavioral1/memory/4260-7-0x0000000010000000-0x00000000101B6000-memory.dmp: family_gh0strat
- behavioral1/memory/724-16-0x0000000010000000-0x00000000101B6000-memory.dmp: family_gh0strat
- behavioral1/memory/724-18-0x0000000010000000-0x00000000101B6000-memory.dmp: family_gh0strat
- C:\Windows\SysWOW64\240611343.txt: family_gh0strat
- behavioral1/memory/724-27-0x0000000010000000-0x00000000101B6000-memory.dmp: family_gh0strat
- behavioral1/memory/724-15-0x0000000010000000-0x00000000101B6000-memory.dmp: family_gh0strat
- behavioral1/memory/4968-39-0x0000000010000000-0x00000000101B6000-memory.dmp: family_gh0strat
- behavioral1/memory/4968-42-0x0000000010000000-0x00000000101B6000-memory.dmp: family_gh0strat
- behavioral1/memory/4968-40-0x0000000010000000-0x00000000101B6000-memory.dmp: family_gh0strat
- behavioral1/memory/4968-53-0x0000000010000000-0x00000000101B6000-memory.dmp: family_gh0strat
- behavioral1/memory/4968-46-0x0000000010000000-0x00000000101B6000-memory.dmp: family_gh0strat
Drops file in Drivers directory 1 IoCs
Processes (description, ioc, process):
- File created C:\Windows\system32\drivers\QAssist.sys (TXPlatforn.exe)
Sets DLL path for service in the registry 2 TTPs 1 IoCs
Processes (description, ioc, process):
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240611343.txt" (svchos.exe)
Sets service image path in registry 2 TTPs 1 IoCs
Processes (description, ioc, process):
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" (TXPlatforn.exe)
Executes dropped EXE 64 IoCs
Loads dropped DLL 3 IoCs
Processes (pid, process):
- 2256 svchos.exe
- 2912 svchost.exe
- 228 Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
Processes (resource: yara_rule):
- behavioral1/memory/4260-4-0x0000000010000000-0x00000000101B6000-memory.dmp: upx
- behavioral1/memory/4260-6-0x0000000010000000-0x00000000101B6000-memory.dmp: upx
- behavioral1/memory/4260-10-0x0000000010000000-0x00000000101B6000-memory.dmp: upx
- behavioral1/memory/4260-7-0x0000000010000000-0x00000000101B6000-memory.dmp: upx
- behavioral1/memory/724-13-0x0000000010000000-0x00000000101B6000-memory.dmp: upx
- behavioral1/memory/724-16-0x0000000010000000-0x00000000101B6000-memory.dmp: upx
- behavioral1/memory/724-18-0x0000000010000000-0x00000000101B6000-memory.dmp: upx
- behavioral1/memory/4968-35-0x0000000010000000-0x00000000101B6000-memory.dmp: upx
- behavioral1/memory/724-27-0x0000000010000000-0x00000000101B6000-memory.dmp: upx
- behavioral1/memory/724-15-0x0000000010000000-0x00000000101B6000-memory.dmp: upx
- behavioral1/memory/4968-39-0x0000000010000000-0x00000000101B6000-memory.dmp: upx
- behavioral1/memory/4968-42-0x0000000010000000-0x00000000101B6000-memory.dmp: upx
- behavioral1/memory/4968-40-0x0000000010000000-0x00000000101B6000-memory.dmp: upx
- behavioral1/memory/4968-53-0x0000000010000000-0x00000000101B6000-memory.dmp: upx
- behavioral1/memory/4968-46-0x0000000010000000-0x00000000101B6000-memory.dmp: upx
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Writes to the Master Boot Record (MBR) 1 TTPs 7 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes (description, ioc, process):
- File opened for modification \??\PhysicalDrive0 (HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe)
- File opened for modification \??\PhysicalDrive0 (HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe)
- File opened for modification \??\PhysicalDrive0 (HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe)
- File opened for modification \??\PhysicalDrive0 (HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe)
- File opened for modification \??\PhysicalDrive0 (HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe)
- File opened for modification \??\PhysicalDrive0 (HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe)
- File opened for modification \??\PhysicalDrive0 (HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe)
Drops file in System32 directory 6 IoCs
Processes (description, ioc, process):
- File created C:\Windows\SysWOW64\240611343.txt (svchos.exe)
- File opened for modification C:\Windows\SysWOW64\ini.ini (svchos.exe)
- File created C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe (svchost.exe)
- File opened for modification C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe (svchost.exe)
- File created C:\Windows\SysWOW64\TXPlatforn.exe (svchost.exe)
- File opened for modification C:\Windows\SysWOW64\TXPlatforn.exe (svchost.exe)
Drops file in Program Files directory 5 IoCs
Processes (description, ioc, process):
- File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe)
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe (a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe)
- File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe (a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe)
- File created C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe)
- File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe (a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (taskmgr.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
Modifies registry class 11 IoCs
Processes (description, ioc, process):
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\shell\整理桌面\command (HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\整理桌面\command\ = "\\JDeskTray.exe --from=rmenu" (HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\jiandesk (HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\jiandesk\ = "映射该文件夹到桌面" (HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\shell\整理桌面 (HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\整理桌面\Position = "Top" (HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\jiandesk\Icon = "\\Utils\\mirror.ico" (HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\jiandesk\command (HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\jiandesk\command\ = "\\DeskAide64.exe --from=rmenu --mirrorPath=\"%1\"" (HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe)
- Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings (taskmgr.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\整理桌面\Icon = "\\Utils\\Install.ico" (HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe)
Runs ping.exe 1 TTPs 9 IoCs
Processes (pid, process):
- 980 PING.EXE
- 4632 PING.EXE
- 5352 PING.EXE
- 5940 PING.EXE
- 6976 PING.EXE
- 1384 PING.EXE
- 1896 PING.EXE
- 6012 PING.EXE
- 5432 PING.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: LoadsDriver 1 IoCs
Processes (pid, process):
- 4968 TXPlatforn.exe
Suspicious use of AdjustPrivilegeToken 15 IoCs
Processes (description, pid, process):
- Token: SeIncBasePriorityPrivilege 4260 svchost.exe
- Token: SeLoadDriverPrivilege 4968 TXPlatforn.exe
- Token: SeDebugPrivilege 4856 taskmgr.exe
- Token: SeSystemProfilePrivilege 4856 taskmgr.exe
- Token: SeCreateGlobalPrivilege 4856 taskmgr.exe
- Token: SeIncBasePriorityPrivilege 1584 svchost.exe
- Token: 33 4968 TXPlatforn.exe
- Token: SeIncBasePriorityPrivilege 4968 TXPlatforn.exe
- Token: SeIncBasePriorityPrivilege 2620 svchost.exe
- Token: SeIncBasePriorityPrivilege 4640 svchost.exe
- Token: SeIncBasePriorityPrivilege 4908 svchost.exe
- Token: SeIncBasePriorityPrivilege 5096 svchost.exe
- Token: SeIncBasePriorityPrivilege 6004 svchost.exe
- Token: SeIncBasePriorityPrivilege 6672 svchost.exe
- Token: SeIncBasePriorityPrivilege 1652 svchost.exe
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 64 IoCs
Suspicious use of SetWindowsHookEx 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"C:\Users\Admin\AppData\Local\Temp\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.14⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe2⤵
- Sets DLL path for service in the registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
-
C:\Users\Admin\AppData\Local\Temp\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exeC:\Users\Admin\AppData\Local\Temp\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\TXPlatforn.exeC:\Windows\SysWOW64\TXPlatforn.exe -auto1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\TXPlatforn.exeC:\Windows\SysWOW64\TXPlatforn.exe -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "主动防御服务模块"1⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "主动防御服务模块"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\主动防御服务模块.exeC:\Windows\system32\主动防御服务模块.exe "c:\windows\system32\240611343.txt",MainThread2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.14⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exeC:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\TXPlatforn.exeC:\Windows\SysWOW64\TXPlatforn.exe -auto1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\TXPlatforn.exeC:\Windows\SysWOW64\TXPlatforn.exe -acsi2⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.14⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exeC:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\TXPlatforn.exeC:\Windows\SysWOW64\TXPlatforn.exe -auto1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\TXPlatforn.exeC:\Windows\SysWOW64\TXPlatforn.exe -acsi2⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul3⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.14⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exeC:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\TXPlatforn.exeC:\Windows\SysWOW64\TXPlatforn.exe -auto1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\TXPlatforn.exeC:\Windows\SysWOW64\TXPlatforn.exe -acsi2⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul3⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.14⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exeC:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exeC:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exeC:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exeC:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exeC:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exeC:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe2⤵
- Writes to the Master Boot Record (MBR)
-
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exeC:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe2⤵
-
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul3⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.14⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe2⤵
-
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exeC:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe2⤵
-
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe2⤵
-
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exeC:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe2⤵
-
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exeC:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe2⤵
-
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exeC:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe2⤵
-
C:\Windows\SysWOW64\TXPlatforn.exeC:\Windows\SysWOW64\TXPlatforn.exe -auto1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\TXPlatforn.exeC:\Windows\SysWOW64\TXPlatforn.exe -acsi2⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exeC:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe2⤵
-
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exeC:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe2⤵
-
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exeC:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe2⤵
-
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe2⤵
-
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exeC:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe2⤵
-
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe2⤵
-
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exeC:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe2⤵
-
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe2⤵
-
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exeC:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe2⤵
-
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe2⤵
-
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exeC:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe2⤵
-
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe2⤵
-
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exeC:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe2⤵
-
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe2⤵
-
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exeC:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe2⤵
-
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe2⤵
-
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exeC:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe2⤵
-
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe2⤵
-
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exeC:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe2⤵
-
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe2⤵
-
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exeC:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe2⤵
-
C:\Windows\SysWOW64\TXPlatforn.exeC:\Windows\SysWOW64\TXPlatforn.exe -auto1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\TXPlatforn.exeC:\Windows\SysWOW64\TXPlatforn.exe -acsi2⤵
-
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe2⤵
-
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exeC:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe2⤵
-
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.14⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe2⤵
-
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exeC:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe2⤵
- Writes to the Master Boot Record (MBR)
-
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe2⤵
-
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exeC:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe2⤵
-
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe2⤵
-
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exeC:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe2⤵
-
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe2⤵
-
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exeC:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe2⤵
-
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe2⤵
-
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exeC:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe2⤵
-
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe2⤵
-
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exeC:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe2⤵
-
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe2⤵
-
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exeC:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe2⤵
-
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe2⤵
-
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exeC:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe2⤵
-
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe2⤵
-
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exeC:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe2⤵
-
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe2⤵
-
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exeC:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe2⤵
-
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe2⤵
-
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exeC:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe2⤵
-
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe2⤵
-
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exeC:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe2⤵
-
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe  "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
  C:\Users\Admin\AppData\Local\Temp\svchost.exe  C:\Users\Admin\AppData\Local\Temp\\svchost.exe
  - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
      C:\Windows\SysWOW64\PING.EXE  ping -n 2 127.0.0.1
      - Runs ping.exe
  C:\Users\Admin\AppData\Local\Temp\svchos.exe  C:\Users\Admin\AppData\Local\Temp\\svchos.exe
  C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe  C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
-
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe  "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
  C:\Users\Admin\AppData\Local\Temp\svchost.exe  C:\Users\Admin\AppData\Local\Temp\\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\svchos.exe  C:\Users\Admin\AppData\Local\Temp\\svchos.exe
  C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe  C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
  - Writes to the Master Boot Record (MBR)
-
C:\Windows\SysWOW64\TXPlatforn.exe  C:\Windows\SysWOW64\TXPlatforn.exe -auto
  C:\Windows\SysWOW64\TXPlatforn.exe  C:\Windows\SysWOW64\TXPlatforn.exe -acsi
-
C:\Users\Admin\AppData\Local\Temp\svchos.exe  "C:\Users\Admin\AppData\Local\Temp\svchos.exe"
-
C:\Users\Admin\Desktop\svchos.exe  "C:\Users\Admin\Desktop\svchos.exe"
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 2
Pre-OS Boot 1
Bootkit 1
Privilege Escalation
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 2
Downloads
-
C:\Users\Admin\AppData\Local\Temp\HD_X.dat
Filesize 1.7MB
MD5 52250986e17600054933532922dd92f4
SHA1 919f0ba79e00f62903bad25420898b104121119d
SHA256 56100ecfdacc8d3354cfe80c3e68db4eabf9e582189ac6a3c7a8fffaf245188f
SHA512 eb85b98c3f20c1a225acaa7265ba6148146a23da0b73b3e5a0aeb5057a13f24187e3c48f38743cf8c9a294aff48e79318c982e3539189970f2adaac334a4193d
-
C:\Users\Admin\AppData\Local\Temp\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
Filesize 1.3MB
MD5 0180d6e451c4b289bcc4d8be163bd9ad
SHA1 3f288c137b7d142db11180d2822fe680fdfe85fd
SHA256 1a9b3c81a7598f942e9c030bd452bac5a97c7ca528e5f575442a55cf836f02ef
SHA512 8fa31cc994b598e2f555341a3b8942d99fee92c9b10f955f9ff13c1a4ab8adec126a9d5fd8103d703171d532725a72ca91cc788dd22d3e77d6e7ab7e54e2ab4c
-
C:\Users\Admin\AppData\Local\Temp\svchos.exe
Filesize 93KB
MD5 3b377ad877a942ec9f60ea285f7119a2
SHA1 60b23987b20d913982f723ab375eef50fafa6c70
SHA256 62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84
SHA512 af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize 377KB
MD5 a4329177954d4104005bce3020e5ef59
SHA1 23c29e295e2dbb8454012d619ca3f81e4c16e85a
SHA256 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd
SHA512 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208
-
C:\Users\Admin\AppData\Roaming\JianDeskData\config.ini
Filesize 59B
MD5 b3d02347bfac3cae60e7bcc4e4c9208c
SHA1 70a6d5704f5494a27495bd85c8c97cdd69cc8bb6
SHA256 5794d2f55f3edd9b2a5923693a1b760d9775f8f171f9cd1c6a78da3888cdada3
SHA512 f12a5df6cc60eae14cd2b9754e4b30605f119a1d1ab4d94e9ac9063ae5374474e45ece0084cf37b0b123bb173b7fc90e18e89e4edca290f1671a25e7442cf838
-
C:\Users\Admin\AppData\Roaming\JianDeskData\config.ini
Filesize 53B
MD5 d5607aeae98eeff64e4fa5bae070f679
SHA1 5772ca574c17b4526a4be72963f480b8acdaddaf
SHA256 df91bb7b545c30afaaaea999339fd9d4de80cb6e402e59eaf0ba3725055ddb96
SHA512 3ac0f29561e7c5d9c72d227b6797a4885799885f874e2ceb1dcd878053e266c0b4b7b233b42af8caac923ee8775fa5f821a960d29bae8836e64d8f60b4c665fc
-
C:\Users\Admin\Desktop\config.ini
Filesize 68B
MD5 d118cba0b3c1117e83e08ea5fd4f3965
SHA1 2b5a796f0be29bb6e0057e786a87e8bcc41f6ad1
SHA256 a34382d15f0fb4c059748f4f41a3548b8f424370f81f791fc3faf86439aae312
SHA512 4311192d53b2b92271ff6114744ffff69714fd3d4d759cb768cf27fe0499a591bc777861bafb35e3ec65210ba663eee26ea859e7d1220ad4aa5fadef8ce5a57f
-
C:\Users\Admin\Desktop\config.ini
Filesize 68B
MD5 9cf2a8f6b717cc415d5470157f90822b
SHA1 a4e789cfc316db549855834de94f98d0258cf2fc
SHA256 036ffb8f2e949d21d4e8077416df18566a2ea99fc84f3facb0c732ecc4aa68ce
SHA512 df4bf06dd5f708400240e79a165ea1e7a9c3929fcb3183f0302dd07921116d4d4a7be49f336d271189fea37f2589b59e39fa16f9df392ca7fbadb88a102f244f
-
C:\Windows\SysWOW64\240611343.txt
Filesize 50KB
MD5 a97ae264d4cda16d906cb073f70e442f
SHA1 a5e53fcc7cc87033ea383eccd731cf10e6635853
SHA256 7e2648ce94ddabb85c6baf95ed763d905ad54745489a8b509fc65b3de64e3b80
SHA512 29d6b287764edd3573e9666681e44443037e1dccb85aa9c4658387dd693be9a8828aa66cc2096064cdf5ffff5600c7a0f36097b608f390d831b5c63b020a7969
-
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe (a GBK file name, 主动防御服务模块.exe, "active defense service module", shown here as the en-US ANSI code page renders its bytes)
Filesize 60KB
MD5 889b99c52a60dd49227c5e485a016679
SHA1 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA256 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA512 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641
-
memory/724-13-0x0000000010000000-0x00000000101B6000-memory.dmp
Filesize 1.7MB
-
memory/724-27-0x0000000010000000-0x00000000101B6000-memory.dmp
Filesize 1.7MB
-
memory/724-15-0x0000000010000000-0x00000000101B6000-memory.dmp
Filesize 1.7MB
-
memory/724-18-0x0000000010000000-0x00000000101B6000-memory.dmp
Filesize 1.7MB
-
memory/724-16-0x0000000010000000-0x00000000101B6000-memory.dmp
Filesize 1.7MB
-
memory/2000-164-0x0000000000400000-0x00000000005D1000-memory.dmp
Filesize 1.8MB
-
memory/4260-7-0x0000000010000000-0x00000000101B6000-memory.dmp
Filesize 1.7MB
-
memory/4260-10-0x0000000010000000-0x00000000101B6000-memory.dmp
Filesize 1.7MB
-
memory/4260-6-0x0000000010000000-0x00000000101B6000-memory.dmp
Filesize 1.7MB
-
memory/4260-4-0x0000000010000000-0x00000000101B6000-memory.dmp
Filesize 1.7MB
-
memory/4856-114-0x000001281EC60000-0x000001281EC61000-memory.dmp
Filesize 4KB
-
memory/4856-111-0x000001281EC60000-0x000001281EC61000-memory.dmp
Filesize 4KB
-
memory/4856-106-0x000001281EC60000-0x000001281EC61000-memory.dmp
Filesize 4KB
-
memory/4856-105-0x000001281EC60000-0x000001281EC61000-memory.dmp
Filesize 4KB
-
memory/4856-104-0x000001281EC60000-0x000001281EC61000-memory.dmp
Filesize 4KB
-
memory/4856-116-0x000001281EC60000-0x000001281EC61000-memory.dmp
Filesize 4KB
-
memory/4856-115-0x000001281EC60000-0x000001281EC61000-memory.dmp
Filesize 4KB
-
memory/4856-110-0x000001281EC60000-0x000001281EC61000-memory.dmp
Filesize 4KB
-
memory/4856-113-0x000001281EC60000-0x000001281EC61000-memory.dmp
Filesize 4KB
-
memory/4856-112-0x000001281EC60000-0x000001281EC61000-memory.dmp
Filesize 4KB
-
memory/4968-46-0x0000000010000000-0x00000000101B6000-memory.dmp
Filesize 1.7MB
-
memory/4968-53-0x0000000010000000-0x00000000101B6000-memory.dmp
Filesize 1.7MB
-
memory/4968-40-0x0000000010000000-0x00000000101B6000-memory.dmp
Filesize 1.7MB
-
memory/4968-42-0x0000000010000000-0x00000000101B6000-memory.dmp
Filesize 1.7MB
-
memory/4968-39-0x0000000010000000-0x00000000101B6000-memory.dmp
Filesize 1.7MB
-
memory/4968-35-0x0000000010000000-0x00000000101B6000-memory.dmp
Filesize 1.7MB