sality | 99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356

Modify Existing Service

T1031

Processes:

99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry

Processes:

99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe

Windows security bypass 2 TTPs 12 IoCs

Disabling Security Tools

Modify Registry

Processes:

99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe

Executes dropped EXE 2 IoCs

Processes:

99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgrmgr.exe

pid	process
620	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
1956	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgrmgr.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/620-67-0x0000000002590000-0x000000000361E000-memory.dmp	upx
behavioral1/memory/620-72-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/620-74-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/620-76-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/1956-78-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/620-79-0x0000000002590000-0x000000000361E000-memory.dmp	upx
behavioral1/memory/892-80-0x0000000000300000-0x000000000036C000-memory.dmp	upx
behavioral1/memory/892-82-0x000000002A9A0000-0x000000002BA2E000-memory.dmp	upx
behavioral1/memory/892-84-0x000000002A9A0000-0x000000002BA2E000-memory.dmp	upx
behavioral1/memory/892-87-0x000000002A9A0000-0x000000002BA2E000-memory.dmp	upx

Loads dropped DLL 5 IoCs

Processes:

99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe

pid	process
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
620	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
620	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe

Windows security modification 2 TTPs 14 IoCs

Disabling Security Tools

Modify Registry

Processes:

99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

System Information Discovery

T1082

Processes:

99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe

description	ioc	process
File opened (read-only)	\??\J:	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened (read-only)	\??\N:	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened (read-only)	\??\V:	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened (read-only)	\??\G:	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened (read-only)	\??\M:	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened (read-only)	\??\S:	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened (read-only)	\??\Z:	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened (read-only)	\??\P:	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened (read-only)	\??\T:	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened (read-only)	\??\U:	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened (read-only)	\??\E:	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened (read-only)	\??\F:	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened (read-only)	\??\H:	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened (read-only)	\??\I:	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened (read-only)	\??\L:	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened (read-only)	\??\X:	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened (read-only)	\??\Y:	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened (read-only)	\??\K:	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened (read-only)	\??\O:	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened (read-only)	\??\Q:	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened (read-only)	\??\R:	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened (read-only)	\??\W:	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe

Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Processes:

99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe

description ioc process

File opened for modification C:\autorun.inf 99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe

description	ioc	process
File opened for modification	C:\autorun.inf	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe

Drops file in Program Files directory 64 IoCs

Processes:

99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe

description	ioc	process
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zG.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\GOOGLE\CHROME\APPLICATION\89.0.4389.114\INSTALLER\chrmstp.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\idlj.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\jdb.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JRE7\BIN\policytool.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\javah.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\JRE\BIN\java.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\JRE\BIN\ssvagent.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JRE7\BIN\javaws.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JRE7\BIN\klist.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\UNINSTALL.EXE	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\GOOGLE\CHROME\APPLICATION\89.0.4389.114\chrome_pwa_launcher.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\jar.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\native2ascii.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\JRE\BIN\orbd.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\javaw.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\kinit.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\JRE\BIN\keytool.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VSTO\10.0\VSTOInstaller.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\GOOGLE\CHROME\APPLICATION\89.0.4389.114\elevation_service.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\jps.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\LIB\VISUALVM\PLATFORM\LIB\nbexec.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\javadoc.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JRE7\BIN\javaw.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\GOOGLE\CHROME\APPLICATION\chrome.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\JRE\BIN\java-rmi.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\JRE\BIN\policytool.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JRE7\BIN\servertool.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\LIB\VISUALVM\PLATFORM\LIB\nbexec64.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7z.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\klist.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\unpack200.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\JRE\BIN\jp2launcher.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\JRE\LIB\launcher.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\GOOGLE\CHROME\APPLICATION\89.0.4389.114\INSTALLER\setup.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\jmc.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\JRE\BIN\klist.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\Uninstall.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\OFFICESOFTWAREPROTECTIONPLATFORM\OSPPSVC.EXE	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\jabswitch.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\policytool.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\wsimport.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\rmid.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\JRE\BIN\javacpl.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JRE7\BIN\jp2launcher.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JRE7\BIN\orbd.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\GOOGLE\CHROME\APPLICATION\89.0.4389.114\notification_helper.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\javafxpackager.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\xjc.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\JRE\BIN\ktab.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JRE7\BIN\unpack200.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\jvisualvm.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\tnameserv.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\JRE\BIN\javaw.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JRE7\BIN\jabswitch.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\extcheck.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\JRE\BIN\pack200.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JRE7\BIN\javacpl.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\JRE\BIN\kinit.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\OFFICE14\MSOXMLED.EXE	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\appletviewer.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\jmap.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\apt.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\jinfo.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe

Drops file in Windows directory 6 IoCs

Processes:

99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe

description	ioc	process
File created	C:\Windows\Wplugin.dll	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\Windows\Wplugin.dll	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File created	C:\Windows\explorer.exe.local	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File created	C:\Windows\ws2help.dll	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\Windows\ws2help.dll	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
File opened for modification	C:\Windows\SYSTEM.INI	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{21EBF3D1-E479-11EC-9006-52E0D673F3E2} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "361161928"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgrmgr.exe

pid	process
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
620	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
620	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
620	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
1956	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgrmgr.exe
1956	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgrmgr.exe
1956	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgrmgr.exe
1956	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgrmgr.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

1952 iexplore.exe

pid	process
1952	iexplore.exe

Suspicious behavior: MapViewOfSection 22 IoCs

Processes:

99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe

pid	process
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
Token: SeTakeOwnershipPrivilege	620	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
Token: SeRestorePrivilege	620	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
Token: SeBackupPrivilege	620	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
Token: SeChangeNotifyPrivilege	620	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
Token: SeTakeOwnershipPrivilege	620	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
Token: SeRestorePrivilege	620	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
Token: SeBackupPrivilege	620	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
Token: SeChangeNotifyPrivilege	620	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
Token: SeTakeOwnershipPrivilege	620	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
Token: SeRestorePrivilege	620	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
Token: SeBackupPrivilege	620	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
Token: SeChangeNotifyPrivilege	620	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
Token: SeDebugPrivilege	620	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
Token: SeDebugPrivilege	620	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
Token: SeDebugPrivilege	620	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
Token: SeDebugPrivilege	620	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
Token: SeDebugPrivilege	620	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
Token: SeDebugPrivilege	620	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
Token: SeDebugPrivilege	620	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
Token: SeDebugPrivilege	620	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
Token: SeDebugPrivilege	620	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
Token: SeDebugPrivilege	620	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
Token: SeDebugPrivilege	620	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
Token: SeDebugPrivilege	620	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
Token: SeDebugPrivilege	620	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
Token: SeDebugPrivilege	620	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
Token: SeDebugPrivilege	620	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
Token: SeDebugPrivilege	620	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
Token: SeDebugPrivilege	620	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
Token: SeDebugPrivilege	620	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
Token: SeDebugPrivilege	620	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
Token: SeDebugPrivilege	620	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
Token: SeDebugPrivilege	620	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
Token: SeDebugPrivilege	1956	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgrmgr.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1952 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1952 iexplore.exe
1952 iexplore.exe
2176 IEXPLORE.EXE
2176 IEXPLORE.EXE
2176 IEXPLORE.EXE
2176 IEXPLORE.EXE

pid	process
1952	iexplore.exe

pid	process
1952	iexplore.exe
1952	iexplore.exe
2176	IEXPLORE.EXE
2176	IEXPLORE.EXE
2176	IEXPLORE.EXE
2176	IEXPLORE.EXE

Suspicious use of UnmapMainImage 2 IoCs

Processes:

99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgrmgr.exe

pid	process
620	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
1956	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgrmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe

description	pid	process	target process
PID 892 wrote to memory of 620	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
PID 892 wrote to memory of 620	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
PID 892 wrote to memory of 620	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
PID 892 wrote to memory of 620	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
PID 892 wrote to memory of 360	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	wininit.exe
PID 892 wrote to memory of 360	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	wininit.exe
PID 892 wrote to memory of 360	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	wininit.exe
PID 892 wrote to memory of 360	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	wininit.exe
PID 892 wrote to memory of 360	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	wininit.exe
PID 892 wrote to memory of 360	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	wininit.exe
PID 892 wrote to memory of 360	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	wininit.exe
PID 892 wrote to memory of 384	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	csrss.exe
PID 892 wrote to memory of 384	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	csrss.exe
PID 892 wrote to memory of 384	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	csrss.exe
PID 892 wrote to memory of 384	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	csrss.exe
PID 892 wrote to memory of 384	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	csrss.exe
PID 892 wrote to memory of 384	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	csrss.exe
PID 892 wrote to memory of 384	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	csrss.exe
PID 892 wrote to memory of 420	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	winlogon.exe
PID 892 wrote to memory of 420	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	winlogon.exe
PID 892 wrote to memory of 420	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	winlogon.exe
PID 892 wrote to memory of 420	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	winlogon.exe
PID 892 wrote to memory of 420	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	winlogon.exe
PID 892 wrote to memory of 420	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	winlogon.exe
PID 892 wrote to memory of 420	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	winlogon.exe
PID 892 wrote to memory of 468	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	services.exe
PID 892 wrote to memory of 468	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	services.exe
PID 892 wrote to memory of 468	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	services.exe
PID 892 wrote to memory of 468	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	services.exe
PID 892 wrote to memory of 468	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	services.exe
PID 892 wrote to memory of 468	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	services.exe
PID 892 wrote to memory of 468	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	services.exe
PID 892 wrote to memory of 476	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	lsass.exe
PID 892 wrote to memory of 476	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	lsass.exe
PID 892 wrote to memory of 476	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	lsass.exe
PID 892 wrote to memory of 476	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	lsass.exe
PID 892 wrote to memory of 476	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	lsass.exe
PID 892 wrote to memory of 476	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	lsass.exe
PID 892 wrote to memory of 476	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	lsass.exe
PID 892 wrote to memory of 484	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	lsm.exe
PID 892 wrote to memory of 484	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	lsm.exe
PID 892 wrote to memory of 484	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	lsm.exe
PID 892 wrote to memory of 484	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	lsm.exe
PID 892 wrote to memory of 484	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	lsm.exe
PID 892 wrote to memory of 484	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	lsm.exe
PID 892 wrote to memory of 484	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	lsm.exe
PID 892 wrote to memory of 592	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	svchost.exe
PID 892 wrote to memory of 592	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	svchost.exe
PID 892 wrote to memory of 592	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	svchost.exe
PID 892 wrote to memory of 592	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	svchost.exe
PID 892 wrote to memory of 592	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	svchost.exe
PID 892 wrote to memory of 592	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	svchost.exe
PID 892 wrote to memory of 592	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	svchost.exe
PID 892 wrote to memory of 668	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	svchost.exe
PID 892 wrote to memory of 668	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	svchost.exe
PID 892 wrote to memory of 668	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	svchost.exe
PID 892 wrote to memory of 668	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	svchost.exe
PID 892 wrote to memory of 668	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	svchost.exe
PID 892 wrote to memory of 668	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	svchost.exe
PID 892 wrote to memory of 668	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	svchost.exe
PID 892 wrote to memory of 752	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	svchost.exe
PID 892 wrote to memory of 752	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	svchost.exe
PID 892 wrote to memory of 752	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	svchost.exe
PID 892 wrote to memory of 752	892	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe	svchost.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

Processes:

99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:468

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
PID:752

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1232

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
2⤵
PID:1744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
2⤵
PID:1648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:532

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
PID:864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:840

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:592

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
3⤵
PID:2120

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
3⤵
PID:3964

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:384

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1664

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1412

C:\Users\Admin\AppData\Local\Temp\99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe
"C:\Users\Admin\AppData\Local\Temp\99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356.exe"
2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:892

C:\Users\Admin\AppData\Local\Temp\99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
C:\Users\Admin\AppData\Local\Temp\99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgr.exe
3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- System policy modification
PID:620

C:\Users\Admin\AppData\Local\Temp\99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgrmgr.exe
C:\Users\Admin\AppData\Local\Temp\99dd8186e3424ce6aa19ef2251a463f2c271f83919ac67adc288a68e6bcbf356mgrmgr.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:1956

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1952

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1952 CREDAT:275457 /prefetch:2
6⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2176

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1320

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:484

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry