Informational
Process Information
- File Name: MegaGenerator.exe
- File Path: \Device\HarddiskVolume3\app\cortex-xdr-siem-test\xdr_tools\MegaGenerator\bin\publish\MegaGenerator.exe
- Command Line: "C:\app\cortex-xdr-siem-test\xdr_tools\MegaGenerator\bin\publish\MegaGenerator.exe" --once --scenarios 15
- Process ID: 35431722436
- Parent PID: 35427299912
- SHA256: e11e17aa538668963d62d7ba8fcb3e705b437f4a8e3e3333c2afc0c3552b2edf (VT)
- MD5: 6d109a3a00f210c1ab89c3b08399ed48
- Disposition: 0
Detection, standard detection.
Raw JSON Data
{
"metadata": {
"customerIDString": "84393bf974fd44bda943a25a6a7bc27f",
"offset": 158152,
"eventType": "EppDetectionSummaryEvent",
"eventCreationTime": 1766358953000,
"version": "1.0"
},
"event": {
"ProcessStartTime": 1766358662,
"ProcessEndTime": 0,
"ProcessId": 35431722436,
"ParentProcessId": 35427299912,
"Hostname": "TEAHEE",
"UserName": "dokji",
"Name": "Known Malware",
"Description": "A process has written a known EICAR test file. Review the files written by the triggered process.",
"Severity": 10,
"SeverityName": "Informational",
"FileName": "MegaGenerator.exe",
"FilePath": "\\Device\\HarddiskVolume3\\app\\cortex-xdr-siem-test\\xdr_tools\\MegaGenerator\\bin\\publish\\MegaGenerator.exe",
"CommandLine": "\u0022C:\\app\\cortex-xdr-siem-test\\xdr_tools\\MegaGenerator\\bin\\publish\\MegaGenerator.exe\u0022 --once --scenarios 15 ",
"SHA256String": "e11e17aa538668963d62d7ba8fcb3e705b437f4a8e3e3333c2afc0c3552b2edf",
"MD5String": "6d109a3a00f210c1ab89c3b08399ed48",
"SHA1String": "0000000000000000000000000000000000000000",
"LogonDomain": "TEAHEE",
"FilesAccessed": [
{
"Timestamp": 1766358694,
"FileName": "MegaGenerator.pdb",
"FilePath": "\\Device\\HarddiskVolume3\\app\\cortex-xdr-siem-test\\xdr_tools\\MegaGenerator\\bin\\publish"
}
],
"FilesWritten": [
{
"Timestamp": 1766358677,
"FileName": "backdoor.exe",
"FilePath": "\\Device\\HarddiskVolume3\\Users\\dokji\\AppData\\Local\\Temp\\xdr_mega_7956"
},
{
"Timestamp": 1766358677,
"FileName": "virus.bat",
"FilePath": "\\Device\\HarddiskVolume3\\Users\\dokji\\AppData\\Local\\Temp\\xdr_mega_7956"
},
{
"Timestamp": 1766358677,
"FileName": "shellcode-runner.ps1",
"FilePath": "\\Device\\HarddiskVolume3\\Users\\dokji\\AppData\\Local\\Temp\\xdr_mega_7956"
},
{
"Timestamp": 1766358677,
"FileName": "rootkit.sys",
"FilePath": "\\Device\\HarddiskVolume3\\Users\\dokji\\AppData\\Local\\Temp\\xdr_mega_7956"
},
{
"Timestamp": 1766358677,
"FileName": "downloader.hta",
"FilePath": "\\Device\\HarddiskVolume3\\Users\\dokji\\AppData\\Local\\Temp\\xdr_mega_7956"
},
{
"Timestamp": 1766358677,
"FileName": "keylogger.vbs",
"FilePath": "\\Device\\HarddiskVolume3\\Users\\dokji\\AppData\\Local\\Temp\\xdr_mega_7956"
},
{
"Timestamp": 1766358677,
"FileName": "malware.exe",
"FilePath": "\\Device\\HarddiskVolume3\\Users\\dokji\\AppData\\Local\\Temp\\xdr_mega_7956"
},
{
"Timestamp": 1766358677,
"FileName": "trojan.scr",
"FilePath": "\\Device\\HarddiskVolume3\\Users\\dokji\\AppData\\Local\\Temp\\xdr_mega_7956"
},
{
"Timestamp": 1766358677,
"FileName": "ransomware.dll",
"FilePath": "\\Device\\HarddiskVolume3\\Users\\dokji\\AppData\\Local\\Temp\\xdr_mega_7956"
},
{
"Timestamp": 1766358677,
"FileName": "eicar.com",
"FilePath": "\\Device\\HarddiskVolume3\\Users\\dokji\\AppData\\Local\\Temp\\xdr_mega_7956"
}
],
"FalconHostLink": "https://falcon.us-2.crowdstrike.com/activity-v2/detections/84393bf974fd44bda943a25a6a7bc27f:ind:47186ef241ea495885522e5d4930eda3:35431722436-10418-11372048?_cid=g04000x7oomvbbtvcerklzeap3llo7ue",
"AgentId": "47186ef241ea495885522e5d4930eda3",
"DnsRequests": [
{
"DomainName": "malware.test.local",
"RequestType": "AAAA",
"LoadTime": 1766358682,
"InterfaceIndex": 0
},
{
"DomainName": "evil-c2.example.com",
"RequestType": "AAAA",
"LoadTime": 1766358682,
"InterfaceIndex": 0
},
{
"DomainName": "beacon.attacker.net",
"RequestType": "AAAA",
"LoadTime": 1766358682,
"InterfaceIndex": 0
},
{
"DomainName": "exfil.data.io",
"RequestType": "AAAA",
"LoadTime": 1766358682,
"InterfaceIndex": 0
}
],
"CompositeId": "84393bf974fd44bda943a25a6a7bc27f:ind:47186ef241ea495885522e5d4930eda3:35431722436-10418-11372048",
"LocalIP": "172.27.1.26",
"MACAddress": "e8-84-a5-3f-53-7c",
"Tactic": "Execution",
"Technique": "User Execution",
"Objective": "Follow Through",
"PatternDispositionDescription": "Detection, standard detection.",
"PatternDispositionValue": 0,
"PatternDispositionFlags": {
"Indicator": false,
"Detect": false,
"InddetMask": false,
"SensorOnly": false,
"Rooting": false,
"KillProcess": false,
"KillSubProcess": false,
"QuarantineMachine": false,
"QuarantineFile": false,
"PolicyDisabled": false,
"KillParent": false,
"OperationBlocked": false,
"ProcessBlocked": false,
"RegistryOperationBlocked": false,
"CriticalProcessDisabled": false,
"BootupSafeguardEnabled": false,
"FsOperationBlocked": false,
"HandleOperationDowngraded": false,
"KillActionFailed": false,
"BlockingUnsupportedOrDisabled": false,
"SuspendProcess": false,
"SuspendParent": false,
"ContainmentFileSystem": false
},
"ParentImageFileName": "cmd.exe",
"ParentCommandLine": "C:\\WINDOWS\\SYSTEM32\\cmd.exe /c \u0022\u0022C:\\app\\cortex-xdr-siem-test\\xdr_mega_runner.bat\u0022\u0022",
"HostGroups": "4f5aa5f1cdc6441982cf5c58e4b5d75a",
"PatternId": 10418,
"SourceVendors": "CrowdStrike",
"SourceProducts": "Falcon Insight",
"DataDomains": "Endpoint",
"AggregateId": "aggind:47186ef241ea495885522e5d4930eda3:9262541600",
"Type": "ldt",
"ParentImageFilePath": "\\Device\\HarddiskVolume3\\Windows\\System32\\cmd.exe",
"LocalIPv6": "",
"PlatformId": "0",
"PlatformName": "Windows",
"MitreAttack": [
{
"Tactic": "Execution",
"TacticID": "TA0002",
"Technique": "User Execution",
"TechniqueID": "T1204",
"PatternID": 10418
}
],
"CloudIndicator": false,
"RiskScore": 10
}
}