Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20250313-en -
resource tags
-
submitted
14/03/2025, 03:48
General
-
Target
2025-03-14_dcc0f16e654cbe417373437fb05deb62_bkransomware_hawkeye.exe
-
Size
456KB
-
MD5
dcc0f16e654cbe417373437fb05deb62
-
SHA1
46de4837ef0d0aa03b3c716bb9a584a98ac6a933
-
SHA256
9347b49512feb6dc1a5a693abfdd37da90f2b9d8cd9f22573f4a5cf7d1283359
-
SHA512
1af5797393899ee38759bb35dc365cd0f6e9ba3ea728574c93f0f3362bdef83be5b58fff8a5e2ed378198cd961f685ae4093043898febf0cfb56d50ced223ea3
-
SSDEEP
6144:zR2N0LGuHjvd1YTss408BomB6ePhrlp49MPOGyf3/09tAF:zRFrYhOPPhrlOwOa
Malware Config
Extracted
phorphiex
http://185.215.113.66/
http://45.93.20.18/
TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6
qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r
rsXCXBf9SagxV8JfC12d8Bybk84oPdMNN9
AULzfBuUAPfCGAXoG5Vq14aP9s6fx3AH4Z
LdgchXq1sKbAaAJ1EXAPSRBzLb8jnTZstT
MP8GEm8QpYgQYaMo8oM5NQhRBgDGiLZW5Q
4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK
XryzFMFVpDUvU7famUGf214EXD3xNUSmQf
0xCa90599132C4D88907Bd8E046540284aa468a035
15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC
1BzmrjmKPKSR2hH5BeJySfiVA676E8DYaK
ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp
3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc
3ESHude8zUHksQg1h6hHmzY79BS36L91Yn
CSLKveRL2zqkbV2TqiFVuW6twtpqgFajoUZLAJQTTQk2
DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA
t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh
stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj
bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2
bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr
-
mutex
g7774ddg7f3s
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Extracted
phorphiex
http://185.215.113.66
http://45.93.20.18
185.215.113.66
Signatures
-
Phorphiex family
-
Phorphiex payload 2 IoCs
-
Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
-
Xmrig family
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload 20 IoCs
-
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file 18 IoCs
-
Stops running service(s) 4 TTPs
-
Checks computer location settings 2 TTPs 11 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 44 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Indicator Removal: Clear Persistence 1 TTPs 1 IoCs
Clear artifacts associated with previously established persistence like scheduletasks on a host.
-
Suspicious use of SetThreadContext 15 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 3 IoCs
-
Launches sc.exe 13 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 31 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Kills process with taskkill 5 IoCs
-
Modifies data under HKEY_USERS 18 IoCs
-
Suspicious behavior: EnumeratesProcesses 43 IoCs
-
Suspicious use of AdjustPrivilegeToken 34 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-03-14_dcc0f16e654cbe417373437fb05deb62_bkransomware_hawkeye.exe"C:\Users\Admin\AppData\Local\Temp\2025-03-14_dcc0f16e654cbe417373437fb05deb62_bkransomware_hawkeye.exe"1⤵
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\560F.exe"C:\Users\Admin\AppData\Local\Temp\560F.exe"2⤵
- Downloads MZ/PE file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\305012428.exeC:\Users\Admin\AppData\Local\Temp\305012428.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\sysldpsvc.exeC:\Windows\sysldpsvc.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\289846807.exeC:\Users\Admin\AppData\Local\Temp\289846807.exe5⤵
- Downloads MZ/PE file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1250924104.exeC:\Users\Admin\AppData\Local\Temp\1250924104.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\1360015469.exeC:\Users\Admin\AppData\Local\Temp\1360015469.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\1021429247.exeC:\Users\Admin\AppData\Local\Temp\1021429247.exe6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc delete "SrvcDrvcs" & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\SrvcDrvcs" /f7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc delete "SrvcDrvcs"8⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\SrvcDrvcs" /f8⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\122879949.exeC:\Users\Admin\AppData\Local\Temp\122879949.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" ""7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "winsrvcs" & exit8⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /delete /f /tn "winsrvcs"9⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\2255623880.exeC:\Users\Admin\AppData\Local\Temp\2255623880.exe6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc delete "WinSrvcsDrv" & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinSrvcsDrv" /f7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc delete "WinSrvcsDrv"8⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinSrvcsDrv" /f8⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\246294583.exeC:\Users\Admin\AppData\Local\Temp\246294583.exe6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc delete "WinDrvUpd" & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinDrvUpd" /f7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc delete "WinDrvUpd"8⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinDrvUpd" /f8⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\2408718102.exeC:\Users\Admin\AppData\Local\Temp\2408718102.exe6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc delete "WinUpdt" & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinUpdt" /f7⤵
-
C:\Windows\system32\sc.exesc delete "WinUpdt"8⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinUpdt" /f8⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\2615931573.exeC:\Users\Admin\AppData\Local\Temp\2615931573.exe6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc delete "WinMngr" & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinMngr" /f7⤵
-
C:\Windows\system32\sc.exesc delete "WinMngr"8⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinMngr" /f8⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\2277412582.exeC:\Users\Admin\AppData\Local\Temp\2277412582.exe6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc delete "WinSvcs" & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinSvcs" /f7⤵
-
C:\Windows\system32\sc.exesc delete "WinSvcs"8⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinSvcs" /f8⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1125426307.exeC:\Users\Admin\AppData\Local\Temp\1125426307.exe6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f7⤵
-
C:\Windows\system32\reg.exereg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f8⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"7⤵
-
C:\Windows\system32\schtasks.exeschtasks /delete /f /tn "Windows Upgrade Manager"8⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\325027265.exeC:\Users\Admin\AppData\Local\Temp\325027265.exe6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc delete "SrvcDrvcs" & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\SrvcDrvcs" /f7⤵
-
C:\Windows\system32\sc.exesc delete "SrvcDrvcs"8⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\SrvcDrvcs" /f8⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\442020686.exeC:\Users\Admin\AppData\Local\Temp\442020686.exe6⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /Delete /TN "Microsoft Windows Security" /F7⤵
- Indicator Removal: Clear Persistence
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /TN "Microsoft Windows Security" /F8⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /F /IM dwm.exe7⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM dwm.exe8⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /F /IM conhost.exe7⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM conhost.exe8⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /F /IM conhost.exe7⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM conhost.exe8⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /F /IM conhost.exe7⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM conhost.exe8⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /F /IM conhost.exe7⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM conhost.exe8⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\64931389.exeC:\Users\Admin\AppData\Local\Temp\64931389.exe6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc delete "Windows Services" & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\Windows Services" /f7⤵
-
C:\Windows\system32\sc.exesc delete "Windows Services"8⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\Windows Services" /f8⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\2774115114.exeC:\Users\Admin\AppData\Local\Temp\2774115114.exe6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc delete "WinUpla" & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinUpla" /f7⤵
-
C:\Windows\system32\sc.exesc delete "WinUpla"8⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinUpla" /f8⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\2067422001.exeC:\Users\Admin\AppData\Local\Temp\2067422001.exe6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "MgrDrvSvc"7⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "MgrDrvSvc" binpath= "C:\ProgramData\MgrDrvSvc\sysdoruhgsf.exe" start= "auto"7⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog7⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "MgrDrvSvc"7⤵
- Launches sc.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\201024908.exeC:\Users\Admin\AppData\Local\Temp\201024908.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\572220102.exeC:\Users\Admin\AppData\Local\Temp\572220102.exe5⤵
- Downloads MZ/PE file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\301494684.exeC:\Users\Admin\AppData\Local\Temp\301494684.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\660728869.exeC:\Users\Admin\AppData\Local\Temp\660728869.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\1862918409.exeC:\Users\Admin\AppData\Local\Temp\1862918409.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\1791817459.exeC:\Users\Admin\AppData\Local\Temp\1791817459.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\sysldpsvc.exeC:\Users\Admin\sysldpsvc.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\2394623878.exeC:\Users\Admin\AppData\Local\Temp\2394623878.exe7⤵
- Downloads MZ/PE file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\19508307.exeC:\Users\Admin\AppData\Local\Temp\19508307.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\1676033001.exeC:\Users\Admin\AppData\Local\Temp\1676033001.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\1506421980.exeC:\Users\Admin\AppData\Local\Temp\1506421980.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
-
-
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\MgrDrvSvc\sysdoruhgsf.exeC:\ProgramData\MgrDrvSvc\sysdoruhgsf.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\ProgramData\MgrDrvSvc\sysdoruhgsf.exe"C:\ProgramData\MgrDrvSvc\sysdoruhgsf.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\dwm.exedwm.exe4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\ProgramData\MgrDrvSvc\sysdoruhgsf.exe"C:\ProgramData\MgrDrvSvc\sysdoruhgsf.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\dwm.exedwm.exe4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\ProgramData\MgrDrvSvc\sysdoruhgsf.exe"C:\ProgramData\MgrDrvSvc\sysdoruhgsf.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\dwm.exedwm.exe4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\ProgramData\MgrDrvSvc\sysdoruhgsf.exe"C:\ProgramData\MgrDrvSvc\sysdoruhgsf.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\dwm.exedwm.exe4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\ProgramData\MgrDrvSvc\sysdoruhgsf.exe"C:\ProgramData\MgrDrvSvc\sysdoruhgsf.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\dwm.exedwm.exe4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\ProgramData\MgrDrvSvc\sysdoruhgsf.exe"C:\ProgramData\MgrDrvSvc\sysdoruhgsf.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\dwm.exedwm.exe4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\ProgramData\MgrDrvSvc\sysdoruhgsf.exe"C:\ProgramData\MgrDrvSvc\sysdoruhgsf.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\dwm.exedwm.exe4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\ProgramData\MgrDrvSvc\sysdoruhgsf.exe"C:\ProgramData\MgrDrvSvc\sysdoruhgsf.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\dwm.exedwm.exe4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\ProgramData\MgrDrvSvc\sysdoruhgsf.exe"C:\ProgramData\MgrDrvSvc\sysdoruhgsf.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\dwm.exedwm.exe4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\ProgramData\MgrDrvSvc\sysdoruhgsf.exe"C:\ProgramData\MgrDrvSvc\sysdoruhgsf.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\dwm.exedwm.exe4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\ProgramData\MgrDrvSvc\sysdoruhgsf.exe"C:\ProgramData\MgrDrvSvc\sysdoruhgsf.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\dwm.exedwm.exe4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\ProgramData\MgrDrvSvc\sysdoruhgsf.exe"C:\ProgramData\MgrDrvSvc\sysdoruhgsf.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\dwm.exedwm.exe4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\ProgramData\MgrDrvSvc\sysdoruhgsf.exe"C:\ProgramData\MgrDrvSvc\sysdoruhgsf.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\dwm.exedwm.exe4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\system32\dwm.exedwm.exe2⤵
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Defense Evasion
Impair Defenses
1Indicator Removal
1Clear Persistence
1Modify Registry
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
425B
MD5fff5cbccb6b31b40f834b8f4778a779a
SHA1899ed0377e89f1ed434cfeecc5bc0163ebdf0454
SHA256b8f7e4ed81764db56b9c09050f68c5a26af78d8a5e2443e75e0e1aa7cd2ccd76
SHA5121a188a14c667bc31d2651b220aa762be9cce4a75713217846fbe472a307c7bbc6e3c27617f75f489902a534d9184648d204d03ee956ac57b11aa90551248b8f9
-
Filesize
12KB
MD555934780252796549580f7ed5463fa35
SHA1134bdb811ce320a3951d4ccc2797f4f27b255f22
SHA2562b365b4073c7ef450623ce9b0d9d3349b07a56525db6e4134739481b54b1fcf7
SHA51200cf6cb540f9299e733fe70cc6df106e40d9982d5ccb9a46bb35d74772c910f8a26e37a424acfe2a988d990db6ddf50616b7612fe10c85c5919b2e4d0569e786
-
Filesize
8KB
MD5c44040574183a3e141f2afee1a427b7d
SHA1f77780ddec6f3a4f9adf95cf641fae123b076723
SHA2566c1a7c919dfa3dfbcaf6eec780f9114ca688fcf8751886b57a64d816e3ff52e9
SHA5124a639e2e1e931a8ace54a38f4be0293a5fc8a480a980f0541fbdf3146064e61fe19b2a9c067c50f1211a7ed20a9a8ce389181163d0408982a904fe94de4a4f6d
-
Filesize
28KB
MD502320b5a9ffb3aa91fc2fe0f0906c575
SHA15209092f99ed5f1e2fd50e8d57b639160440b76d
SHA25603349521a6994d528817f755d1d6c4ee74cda6cc6036525b911a06f8cc7707c9
SHA5127addb20d4edb8678c6bc02654d841a5401408e8dc07cb5e3df9eee96feb9d480fcf343578ef3c1774724e3ec29e947a4191bbe5af5c4cebc076b92b427c68353
-
Filesize
50KB
MD564d97ceac5d0fbb39f316eb8707c5af4
SHA13114d530f716e3dc9e07d78703e0ad34256b8e1c
SHA2563cef6251ea6a26aaf56f933a3ef27b6b1b20d591a3cac9816ac5d850cd3a51c9
SHA51219a0468aee08521640a5934e57411f91492c6287a07bf9aa331ef5855c16f7e54ae13c678b2cf86ae363987205925e2c7c9e0cab233f6341a602b78391b3c2bb
-
Filesize
53KB
MD560686a27b79838583920c9a0954104c9
SHA10c253b3c72cd5b01a9403230ff3ec9d3cdd8b71c
SHA256270149da5feb9487799083b5e76d41d3aa69afaf8f731e72e7d64c3a7c070c7e
SHA512c0a9308b5a3baca0906c9663ca3e3eaf64fc131aaa5358557874b30e4b743ffe898da6fbace032c3481693bf9081f938127fd07c8d550d9eb74958b20e24ab04
-
Filesize
20KB
MD52e5f10745392643c8cf21aae4241e4cc
SHA1ad390d62e2215a37a3faf5e0cb3f0f3244452c07
SHA25644db578a4075ab126df387da3fa757f76bd3074606f3a9be21ee55ec6ac1ed29
SHA51285e63e752fc43d4b2be83628f5f8dcb288276c5369a3e940f795e87409f70473221d2d28a87f04e68c126bc0836171310d00247f240e05f4618e1f9393b132af
-
Filesize
12KB
MD50d2e3b221afdfd27afb04a73f9d79030
SHA1ee87be2e1f6d4b1ff83f31d06d68e10c2f195691
SHA256b1e61a67388182131302be4e5f75843993724657cb6fa506b075b4795073f565
SHA5124935f9ca3669c1db456f81d6e4d82a969ff04aed3b64ee3d9471da787f537b9356559c49242878a3e0fb3964a1235b2049943e6bb147a637da27f86855cc2708
-
Filesize
2.5MB
MD5024dd77c38676e6ce0a5a2201f6145de
SHA15d020adf1adb0b0c0b370df63b2b09d89df0acfb
SHA256b4553ff5d7ae98614d4856de134f49e503f046a15fc49033af3232fbeab9ed4c
SHA512a94312eaea187830c28680164d80e3e9c2f58a7b24930dc224ac52a308406ccfd56524dffaf5c3a37e6b713d1d711f1b44d99d1fb60669c8b2351bb4c9d2fc85
-
Filesize
8KB
MD538c5ce383f70dc49175cc5843f017ff9
SHA14c3ae746f22a1de56b4e1a6d26b7353f39f1cdfd
SHA256c69a0f757d1ac585078fe3fecb4a4a925b55f412904f581cdbcfcfa72292ada3
SHA5123f418ac147d4d3acfd5830cd1085b6e87afaf02497332780eb9126bb71d35eedc6ca695ef534bcba3a220f6a3960b80d3b778787e8506bad029fb41bdbc99688
-
Filesize
28KB
MD5354b172c63f7693310212e3eba68e4ba
SHA1843cec7cf78015f5b226d439f046c9a42064cfe2
SHA256f68c61db632448996936440c7d7ea0e1f46007fb157ab59d48028765875ded00
SHA512e7e35a4791a73629b92a07a17ca3278f73a788ac8563b05fa37d47f0be9af8f952886ccc02a7478d292a2deccc1bf9f42fa40e7b824a5d976f4b229a85c1a460
-
Filesize
8KB
MD59f3b28cd269f23eb326c849cb6d8ed3d
SHA1db2cab47fffa3770f19c7f16b1c7807da17ac9fd
SHA25690164053f4c19004a051638a1a47ea3fe7cb9f004b5dd623de928f0bc2b06a81
SHA512ba18b44914469be2696a8e5b61b88844aa6a8c8dd5f1942c48918734a699045b143b555c4e274f4cf3d040e115340dc5a74c4eda639e6669fca1b2c2b383ca8a
-
Filesize
8KB
MD55e24b9457135b737012cde5e30cf124b
SHA158575839926a1e6ae798867bbba0ed4db088d85e
SHA256d3a4c4f0557019d5fe04b57486e9ed0b9c823e9d1d137138feab200e96dd9abf
SHA5127192d902a9f1a51ea34291bdcb2fc09e802148f7cc415e498c67414ef2377c796b93f11dcd6b08968ea9fa6a99b7516c9bdd297ee4cab906949d41d3cebce1ec
-
Filesize
28KB
MD58f1f692c2e839e6f821e42057f8b1c01
SHA154ab2dec09e3b76114aaab1cc32c6ba5b4c2f7c8
SHA2568f3c4a66f4c66b34d7d79fbcccb03b81d0139a279789981c16de5e66e6678cb5
SHA5121296065ba17657e3ad1fe88c58b9d36f3def89e8bd44893d10d42a5ba5d0c8a2e5a0da23d46ca2d0b5a88dc2b4b9716d38b6e926c1f7f66a66808310c80fcf4d
-
Filesize
8KB
MD59e1aafb6d1c75d75f7e1a8e135f9c508
SHA1745cd643e657281c0c198d895d1daf53dcba29ba
SHA25641307ffc2c8273962750cec20533c2c043d8456379885e82151c843af3d31615
SHA512b97b10881ab4ec24bf5d615169932ed6cd09661c21f1ba631cbbef146ff81bdf9ee61ed1b85f76fdb602ccc553a0a98c8189967a515d729c42b4ac04e44cdefd
-
Filesize
15KB
MD53936a04c96788a4ecb004418523ac7aa
SHA1b1833693b76a582de8bcb7122b7e6120238b5aa0
SHA256a7624e78ff8c83c9724b7dbaebe8ad03b4d83f0b58a172d739b1ce2542186bcd
SHA5122c53b37f2c1208e027c2f5cdf22b2f26c5be13c986881a25da0e8372a865b24d32c46ca57ba243174ea3eb99fb4140f850365464815f0968479821661690be93
-
Filesize
78KB
MD5c6eb7e6bf6099b9717344e2138b93e43
SHA1991ed21cdf93ecd52b4dcbcf0d770dc2878366a3
SHA256abcd10949a438a7c9d6096d48cfc0fb30d45dffed4b9dd616ac1b51d9783509a
SHA512310d45c36f399a328ddf7aef94b0b48aaae8544e7db90927300a4e4a7393b424533aa73f121a5e45f9cfe4c750682fd37621ed1073fce28a3d8f94956fc60a36
-
Filesize
9KB
MD59e1f23d4c920f2a9795a5e5fe4c60ad1
SHA1cccd5690d19b0819b806c86867e7685e962f341f
SHA2568f614c53cef81d2d481ac230f6fbf5f72f3e43cc8787e06f9a935d7bb19da034
SHA5125edcb6a6049f6d12a78c164f39cf27a32e0ac65cf698629e87da273a5049bf593ca9956e1cdedf91583d5050b2eef8564ce16d4bdf4f40c6fc3fe2731f9ebc2f
-
Filesize
10KB
MD54c52cf849be8954638925c242e0cc976
SHA1949ba0061ea9dbe3b9059bb2a7b20caa74861280
SHA256fa6fcf2e154c0b18b12ab86267ccd38d79cc9c27e7e261a7e9201a0a9dd9d0bb
SHA512c11572dcd274bdcb5e94cf38ec36aa65e4d5605df250ee8887cd5098b044e3e2e71be3b3292118b967e27bc752b5cf5d9c8da5ac2834b7c156302c307abe123b
-
Filesize
15KB
MD5dbf9bb541cd5d0ea870a6f6bc357994e
SHA1282283321a0d28ce7e996cab280bde0dce39f8fb
SHA2561bb61f69683793160a1d19c87430c672121a039454600d3c2af9e0022e3b3304
SHA51245ac95c9d01c1946208cf30abbdc90d6c411338c83cfb0bf9099ff7e8a670d2d147329122b7a4f043fcc18b791c4887cbb5e591f9b6c6645178840918150efa6
-
Filesize
28KB
MD5b1c1d77e69753d822893438b35b2e7cc
SHA11573a0dc3dd72af4e6b1215591e81b3d2fb7d2d0
SHA256f4a5fa872a3df6d3092c68259d2f071e34c1f5420c97a72c2eaeed3a7f5d3fc8
SHA512dc6214203bbedee6cf5e6e28d68f9345cb687b8e38bea183827b14e51bdf9898bd1f2cb606ba2047a9e8f826d6a8fbf0596989b202097454da6afcde9082cfca
-
Filesize
78KB
MD58ea6f47ad5ef7cf3b7c0a0bd36ebdfec
SHA1fbad9df9bbb78506d15cba49109af6bffbb9eab6
SHA25699e387fcfdefede00e1a88120df1b45076d0ee05db1f337afb123336eedd4fd0
SHA512ee6fd000166262e1dcef635fb1cca89bd71e00e9cfd4631bf61132848fd5ce6dc6acbf4ab066083f5cb64d733b739542cca295bb6772f19db79b593b455395f2
-
Filesize
4KB
MD526c4be66116a40ae59b9e65c07b412df
SHA132794a135b84d8a45a89e0cc677b522090947c0f
SHA25640135d85fed73029e872c3bcb669fbeb9170a70084d8e158fd42cc23b73af19a
SHA512a73516e946621f0ab19b7eeee12760a30c5b57607c167b876fcb359cf313e7d1bb0e6fb206242b13dd7af3aee91ea63cebdb7d5660fd6187eee77f033d3b8f51
-
Filesize
14KB
MD50c0195c48b6b8582fa6f6373032118da
SHA1d25340ae8e92a6d29f599fef426a2bc1b5217299
SHA25611bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
SHA512ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d
-
Filesize
24KB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
24KB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
128KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
52KB
-
Filesize
52KB
-
Filesize
52KB
-
Filesize
52KB
-
Filesize
52KB
-
Filesize
52KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
24KB