Analysis
-
max time kernel
151s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags
arch:x64 arch:x86 image:win10v2004-20220901-en locale:en-us os:windows10-2004-x64 system
submitted
14-09-2022 12:00
Static task
static1
Behavioral task
behavioral1
Sample
f698907930b94c87561d60489771156a.exe
Resource
win7-20220812-en
windows7-x64
14 signatures
150 seconds
General
-
Target
f698907930b94c87561d60489771156a.exe
-
Size
280KB
-
MD5
f698907930b94c87561d60489771156a
-
SHA1
5fa9274ae805bedcb365c358657ccc7a83421667
-
SHA256
8939aaaffd23ba854e0a0ce06442df1076b7629f68cc92f712d464ecdadd6a1d
-
SHA512
1cef4d44e55b5627ca9ce5b732284c3a70eb8c7c60df7b590032b7a8db03733ef0c26a6457fc73d7fbab95cdde164ad506fdc945c27d746bb046338217732e5f
-
SSDEEP
6144:pyH7xOc6H5c6HcT66vlmkAOZUFfg5ZVsCM9yZVnQpLuNEbLc0UY9N31ya:paqO65gBhuyZVnQpWEbyY9Nf
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service (2 TTPs, 18 IoCs)
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" 
f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" f698907930b94c87561d60489771156a.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f698907930b94c87561d60489771156a.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride 
= "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security 
Center\UpdatesDisableNotify = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f698907930b94c87561d60489771156a.exe -
Executes dropped EXE (64 IoCs)
pid Process 3152 svchost.exe 4912 f698907930b94c87561d60489771156a.exe 4964 svchost.exe 1444 svchost.exe 3588 f698907930b94c87561d60489771156a.exe 3568 svchost.exe 4128 f698907930b94c87561d60489771156a.exe 4196 svchost.exe 5016 f698907930b94c87561d60489771156a.exe 3692 svchost.exe 4180 f698907930b94c87561d60489771156a.exe 720 svchost.exe 4812 f698907930b94c87561d60489771156a.exe 1404 svchost.exe 3996 f698907930b94c87561d60489771156a.exe 376 svchost.exe 3708 f698907930b94c87561d60489771156a.exe 2364 svchost.exe 2452 f698907930b94c87561d60489771156a.exe 1520 svchost.exe 1712 f698907930b94c87561d60489771156a.exe 1292 svchost.exe 4732 f698907930b94c87561d60489771156a.exe 4280 svchost.exe 3244 f698907930b94c87561d60489771156a.exe 4952 svchost.exe 3960 f698907930b94c87561d60489771156a.exe 4104 svchost.exe 4500 f698907930b94c87561d60489771156a.exe 3932 svchost.exe 4928 f698907930b94c87561d60489771156a.exe 4948 svchost.exe 3108 f698907930b94c87561d60489771156a.exe 640 svchost.exe 2088 f698907930b94c87561d60489771156a.exe 5016 svchost.exe 1432 f698907930b94c87561d60489771156a.exe 316 svchost.exe 484 f698907930b94c87561d60489771156a.exe 4804 svchost.exe 1856 f698907930b94c87561d60489771156a.exe 1540 svchost.exe 4844 f698907930b94c87561d60489771156a.exe 1248 svchost.exe 4148 f698907930b94c87561d60489771156a.exe 4564 svchost.exe 4200 f698907930b94c87561d60489771156a.exe 4304 svchost.exe 4464 f698907930b94c87561d60489771156a.exe 3180 svchost.exe 1748 f698907930b94c87561d60489771156a.exe 3244 svchost.exe 540 f698907930b94c87561d60489771156a.exe 3960 svchost.exe 4068 f698907930b94c87561d60489771156a.exe 1988 svchost.exe 3392 f698907930b94c87561d60489771156a.exe 3688 svchost.exe 4912 f698907930b94c87561d60489771156a.exe 1444 svchost.exe 3568 f698907930b94c87561d60489771156a.exe 4992 svchost.exe 4936 f698907930b94c87561d60489771156a.exe 2996 svchost.exe -
resource yara_rule behavioral2/memory/1500-132-0x0000000008730000-0x00000000097EA000-memory.dmp upx behavioral2/memory/4912-139-0x0000000008650000-0x000000000970A000-memory.dmp upx behavioral2/memory/3588-146-0x0000000008630000-0x00000000096EA000-memory.dmp upx behavioral2/memory/4128-157-0x0000000008750000-0x000000000980A000-memory.dmp upx behavioral2/memory/5016-160-0x00000000085F0000-0x00000000096AA000-memory.dmp upx behavioral2/memory/4180-167-0x0000000008800000-0x00000000098BA000-memory.dmp upx behavioral2/memory/4180-170-0x0000000008800000-0x00000000098BA000-memory.dmp upx behavioral2/memory/4812-174-0x0000000008840000-0x00000000098FA000-memory.dmp upx behavioral2/memory/3708-186-0x0000000008850000-0x000000000990A000-memory.dmp upx behavioral2/memory/2452-192-0x00000000086C0000-0x000000000977A000-memory.dmp upx behavioral2/memory/1712-198-0x0000000008600000-0x00000000096BA000-memory.dmp upx behavioral2/memory/3244-211-0x00000000087B0000-0x000000000986A000-memory.dmp upx behavioral2/memory/3960-218-0x0000000008700000-0x00000000097BA000-memory.dmp upx behavioral2/memory/4500-230-0x0000000008700000-0x00000000097BA000-memory.dmp upx behavioral2/memory/4928-233-0x00000000086F0000-0x00000000097AA000-memory.dmp upx behavioral2/memory/4128-237-0x0000000008750000-0x000000000980A000-memory.dmp upx behavioral2/memory/2088-246-0x00000000086D0000-0x000000000978A000-memory.dmp upx behavioral2/memory/1432-252-0x0000000008670000-0x000000000972A000-memory.dmp upx behavioral2/memory/484-260-0x00000000087E0000-0x000000000989A000-memory.dmp upx behavioral2/memory/1856-266-0x0000000008620000-0x00000000096DA000-memory.dmp upx behavioral2/memory/4844-273-0x0000000008880000-0x000000000993A000-memory.dmp upx behavioral2/memory/4844-277-0x0000000008880000-0x000000000993A000-memory.dmp upx behavioral2/memory/4464-292-0x00000000087D0000-0x000000000988A000-memory.dmp upx behavioral2/memory/1748-298-0x0000000008720000-0x00000000097DA000-memory.dmp upx 
behavioral2/memory/3392-317-0x00000000086E0000-0x000000000979A000-memory.dmp upx behavioral2/memory/3568-329-0x00000000088A0000-0x000000000995A000-memory.dmp upx behavioral2/memory/2460-342-0x0000000008780000-0x000000000983A000-memory.dmp upx behavioral2/memory/484-350-0x0000000008870000-0x000000000992A000-memory.dmp upx behavioral2/memory/924-352-0x0000000008770000-0x000000000982A000-memory.dmp upx behavioral2/memory/116-355-0x0000000008760000-0x000000000981A000-memory.dmp upx behavioral2/memory/116-357-0x0000000008760000-0x000000000981A000-memory.dmp upx behavioral2/memory/5052-360-0x0000000008820000-0x00000000098DA000-memory.dmp upx behavioral2/memory/1880-368-0x00000000087F0000-0x00000000098AA000-memory.dmp upx behavioral2/memory/2672-370-0x00000000088C0000-0x000000000997A000-memory.dmp upx behavioral2/memory/2648-372-0x00000000086B0000-0x000000000976A000-memory.dmp upx behavioral2/memory/1748-374-0x0000000008830000-0x00000000098EA000-memory.dmp upx behavioral2/memory/3096-385-0x00000000087A0000-0x000000000985A000-memory.dmp upx behavioral2/memory/5060-387-0x00000000088E0000-0x000000000999A000-memory.dmp upx behavioral2/memory/5056-394-0x0000000008790000-0x000000000984A000-memory.dmp upx behavioral2/memory/2404-402-0x00000000089D0000-0x0000000009A8A000-memory.dmp upx behavioral2/memory/1296-404-0x0000000008610000-0x00000000096CA000-memory.dmp upx -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f698907930b94c87561d60489771156a.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f698907930b94c87561d60489771156a.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f698907930b94c87561d60489771156a.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" f698907930b94c87561d60489771156a.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc f698907930b94c87561d60489771156a.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f698907930b94c87561d60489771156a.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc f698907930b94c87561d60489771156a.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f698907930b94c87561d60489771156a.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" f698907930b94c87561d60489771156a.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f698907930b94c87561d60489771156a.exe -
Drops file in Program Files directory (38 IoCs)
description ioc Process File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe svchost.exe File opened for modification C:\Program Files\7-Zip\7zFM.exe svchost.exe File opened for modification C:\Program Files\Google\Chrome\Application\chrome.exe svchost.exe File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\java.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe svchost.exe File opened for modification C:\Program Files\7-Zip\Uninstall.exe svchost.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe svchost.exe File opened for modification C:\Program Files\7-Zip\7zG.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe svchost.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe svchost.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe 
svchost.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe svchost.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe svchost.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe svchost.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe svchost.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe svchost.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe svchost.exe File opened for modification C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE svchost.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe svchost.exe File opened for modification C:\Program Files\7-Zip\7z.exe svchost.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe svchost.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe svchost.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe svchost.exe File opened for modification C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE svchost.exe File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe svchost.exe -
Drops file in Windows directory (64 IoCs)
description ioc Process File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File 
created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\e56d41d f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe 
f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe File created C:\Windows\svchost.exe f698907930b94c87561d60489771156a.exe -
Suspicious behavior: EnumeratesProcesses (10 IoCs)
pid Process 4180 f698907930b94c87561d60489771156a.exe 4180 f698907930b94c87561d60489771156a.exe 4500 f698907930b94c87561d60489771156a.exe 4500 f698907930b94c87561d60489771156a.exe 4844 f698907930b94c87561d60489771156a.exe 4844 f698907930b94c87561d60489771156a.exe 116 f698907930b94c87561d60489771156a.exe 116 f698907930b94c87561d60489771156a.exe 3412 f698907930b94c87561d60489771156a.exe 3412 f698907930b94c87561d60489771156a.exe -
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description pid Process Token: SeDebugPrivilege 4180 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4180 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4180 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4180 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4500 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4500 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4500 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4500 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4500 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4500 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4500 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4500 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4500 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4500 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4500 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4500 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4500 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4500 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4500 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4500 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4500 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4500 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4500 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4500 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4500 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4500 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4500 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4500 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4500 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4500 
f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4500 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4500 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4500 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4500 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4500 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4500 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4500 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4500 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4500 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4500 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4500 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4500 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4500 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4500 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4500 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4844 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4844 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4844 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4844 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4844 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4844 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4844 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4844 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4844 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4844 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4844 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4844 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4844 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4844 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4844 
f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4844 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4844 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4844 f698907930b94c87561d60489771156a.exe Token: SeDebugPrivilege 4844 f698907930b94c87561d60489771156a.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1500 wrote to memory of 3152 1500 f698907930b94c87561d60489771156a.exe 83 PID 1500 wrote to memory of 3152 1500 f698907930b94c87561d60489771156a.exe 83 PID 1500 wrote to memory of 3152 1500 f698907930b94c87561d60489771156a.exe 83 PID 3152 wrote to memory of 4912 3152 svchost.exe 84 PID 3152 wrote to memory of 4912 3152 svchost.exe 84 PID 3152 wrote to memory of 4912 3152 svchost.exe 84 PID 4912 wrote to memory of 1444 4912 f698907930b94c87561d60489771156a.exe 85 PID 4912 wrote to memory of 1444 4912 f698907930b94c87561d60489771156a.exe 85 PID 4912 wrote to memory of 1444 4912 f698907930b94c87561d60489771156a.exe 85 PID 1444 wrote to memory of 3588 1444 svchost.exe 88 PID 1444 wrote to memory of 3588 1444 svchost.exe 88 PID 1444 wrote to memory of 3588 1444 svchost.exe 88 PID 3588 wrote to memory of 3568 3588 f698907930b94c87561d60489771156a.exe 90 PID 3588 wrote to memory of 3568 3588 f698907930b94c87561d60489771156a.exe 90 PID 3588 wrote to memory of 3568 3588 f698907930b94c87561d60489771156a.exe 90 PID 3568 wrote to memory of 4128 3568 svchost.exe 91 PID 3568 wrote to memory of 4128 3568 svchost.exe 91 PID 3568 wrote to memory of 4128 3568 svchost.exe 91 PID 4128 wrote to memory of 4196 4128 f698907930b94c87561d60489771156a.exe 92 PID 4128 wrote to memory of 4196 4128 f698907930b94c87561d60489771156a.exe 92 PID 4128 wrote to memory of 4196 4128 f698907930b94c87561d60489771156a.exe 92 PID 4196 wrote to memory of 5016 4196 svchost.exe 93 PID 4196 wrote to memory of 5016 4196 svchost.exe 93 PID 4196 wrote to memory of 5016 4196 svchost.exe 93 PID 5016 wrote to memory of 3692 5016 f698907930b94c87561d60489771156a.exe 94 PID 5016 wrote to memory of 3692 5016 f698907930b94c87561d60489771156a.exe 94 PID 5016 wrote to memory of 3692 5016 f698907930b94c87561d60489771156a.exe 94 PID 3692 wrote to memory of 4180 3692 svchost.exe 95 PID 3692 wrote to memory of 4180 3692 svchost.exe 95 PID 3692 wrote to memory of 4180 3692 svchost.exe 
95 PID 4180 wrote to memory of 720 4180 f698907930b94c87561d60489771156a.exe 96 PID 4180 wrote to memory of 720 4180 f698907930b94c87561d60489771156a.exe 96 PID 4180 wrote to memory of 720 4180 f698907930b94c87561d60489771156a.exe 96 PID 720 wrote to memory of 4812 720 svchost.exe 97 PID 720 wrote to memory of 4812 720 svchost.exe 97 PID 720 wrote to memory of 4812 720 svchost.exe 97 PID 4812 wrote to memory of 1404 4812 f698907930b94c87561d60489771156a.exe 98 PID 4812 wrote to memory of 1404 4812 f698907930b94c87561d60489771156a.exe 98 PID 4812 wrote to memory of 1404 4812 f698907930b94c87561d60489771156a.exe 98 PID 1404 wrote to memory of 3996 1404 svchost.exe 102 PID 1404 wrote to memory of 3996 1404 svchost.exe 102 PID 1404 wrote to memory of 3996 1404 svchost.exe 102 PID 3996 wrote to memory of 376 3996 f698907930b94c87561d60489771156a.exe 103 PID 3996 wrote to memory of 376 3996 f698907930b94c87561d60489771156a.exe 103 PID 3996 wrote to memory of 376 3996 f698907930b94c87561d60489771156a.exe 103 PID 376 wrote to memory of 3708 376 svchost.exe 106 PID 376 wrote to memory of 3708 376 svchost.exe 106 PID 376 wrote to memory of 3708 376 svchost.exe 106 PID 3708 wrote to memory of 2364 3708 f698907930b94c87561d60489771156a.exe 108 PID 3708 wrote to memory of 2364 3708 f698907930b94c87561d60489771156a.exe 108 PID 3708 wrote to memory of 2364 3708 f698907930b94c87561d60489771156a.exe 108 PID 2364 wrote to memory of 2452 2364 svchost.exe 110 PID 2364 wrote to memory of 2452 2364 svchost.exe 110 PID 2364 wrote to memory of 2452 2364 svchost.exe 110 PID 2452 wrote to memory of 1520 2452 f698907930b94c87561d60489771156a.exe 111 PID 2452 wrote to memory of 1520 2452 f698907930b94c87561d60489771156a.exe 111 PID 2452 wrote to memory of 1520 2452 f698907930b94c87561d60489771156a.exe 111 PID 1520 wrote to memory of 1712 1520 svchost.exe 112 PID 1520 wrote to memory of 1712 1520 svchost.exe 112 PID 1520 wrote to memory of 1712 1520 svchost.exe 112 PID 1712 wrote to memory of 
1292 1712 f698907930b94c87561d60489771156a.exe 113 PID 1712 wrote to memory of 1292 1712 f698907930b94c87561d60489771156a.exe 113 PID 1712 wrote to memory of 1292 1712 f698907930b94c87561d60489771156a.exe 113 PID 1292 wrote to memory of 4732 1292 svchost.exe 114 -
System policy modification 1 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f698907930b94c87561d60489771156a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f698907930b94c87561d60489771156a.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:776
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:64
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2300
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:3716
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵PID:3776
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca1⤵PID:4228
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4776
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3840
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3580
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3436
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3376
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3276
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:2796
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3056
-
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3152 -
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3588 -
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3568 -
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4128 -
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4196 -
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"10⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5016 -
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3692 -
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"12⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4180 -
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:720 -
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4812 -
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"16⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3996 -
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:376 -
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3708 -
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1520 -
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"22⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"23⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1292 -
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"24⤵
- Executes dropped EXE
PID:4732 -
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"25⤵
- Executes dropped EXE
PID:4280 -
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"26⤵
- Executes dropped EXE
PID:3244 -
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"27⤵
- Executes dropped EXE
PID:4952 -
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"28⤵
- Executes dropped EXE
PID:3960 -
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"29⤵
- Executes dropped EXE
PID:4104 -
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"30⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4500 -
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"31⤵
- Executes dropped EXE
PID:3932 -
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"32⤵
- Executes dropped EXE
PID:4928 -
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"33⤵
- Executes dropped EXE
PID:4948 -
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"34⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3108 -
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"35⤵
- Executes dropped EXE
PID:640 -
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"36⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"37⤵
- Executes dropped EXE
PID:5016 -
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"38⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"39⤵
- Executes dropped EXE
PID:316 -
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"40⤵
- Executes dropped EXE
PID:484 -
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"41⤵
- Executes dropped EXE
PID:4804 -
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"42⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"43⤵
- Executes dropped EXE
PID:1540 -
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"44⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4844 -
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"45⤵
- Executes dropped EXE
PID:1248 -
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"46⤵
- Executes dropped EXE
PID:4148 -
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"47⤵
- Executes dropped EXE
PID:4564 -
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"48⤵
- Executes dropped EXE
PID:4200 -
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"49⤵
- Executes dropped EXE
PID:4304 -
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"50⤵
- Executes dropped EXE
PID:4464 -
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"51⤵
- Executes dropped EXE
PID:3180 -
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"52⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"53⤵
- Executes dropped EXE
PID:3244 -
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"54⤵
- Executes dropped EXE
PID:540 -
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"55⤵
- Executes dropped EXE
PID:3960 -
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"56⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4068 -
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"57⤵
- Executes dropped EXE
PID:1988 -
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"58⤵
- Executes dropped EXE
PID:3392 -
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"59⤵
- Executes dropped EXE
PID:3688 -
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"60⤵
- Executes dropped EXE
PID:4912 -
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"61⤵
- Executes dropped EXE
PID:1444 -
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"62⤵
- Executes dropped EXE
PID:3568 -
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"63⤵
- Executes dropped EXE
PID:4992 -
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"64⤵
- Executes dropped EXE
PID:4936 -
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"65⤵
- Executes dropped EXE
PID:2996 -
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"66⤵PID:444
-
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"67⤵PID:2664
-
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"68⤵PID:3908
-
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"69⤵PID:3460
-
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"70⤵PID:2460
-
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"71⤵PID:4772
-
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"72⤵PID:4320
-
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"73⤵PID:1408
-
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"74⤵PID:212
-
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"75⤵PID:3152
-
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"76⤵
- Drops file in Windows directory
PID:3036 -
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"77⤵PID:4588
-
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"78⤵PID:484
-
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"79⤵PID:380
-
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"80⤵PID:924
-
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"81⤵PID:548
-
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"82⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:116 -
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"83⤵PID:3400
-
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"84⤵PID:4204
-
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"85⤵PID:1864
-
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"86⤵PID:5052
-
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"87⤵PID:1248
-
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"88⤵
- Drops file in Windows directory
PID:2016 -
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"89⤵PID:3924
-
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"90⤵PID:4060
-
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"91⤵PID:1404
-
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"92⤵PID:4140
-
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"93⤵PID:3600
-
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"94⤵PID:1880
-
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"95⤵PID:2152
-
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"96⤵
- Drops file in Windows directory
PID:2672 -
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"97⤵PID:3148
-
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"98⤵
- Drops file in Windows directory
PID:2648 -
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"99⤵PID:3344
-
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"100⤵PID:1748
-
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"101⤵PID:2420
-
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"102⤵
- Drops file in Windows directory
PID:2220 -
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"103⤵PID:2476
-
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"104⤵PID:4900
-
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"105⤵PID:3544
-
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"106⤵PID:4376
-
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"107⤵PID:2932
-
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"108⤵PID:1144
-
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"109⤵PID:4092
-
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"110⤵
- Drops file in Windows directory
PID:3096 -
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"111⤵PID:1988
-
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"112⤵PID:5060
-
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"113⤵PID:1756
-
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"114⤵PID:5024
-
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"115⤵PID:4948
-
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"116⤵PID:4928
-
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"117⤵PID:1444
-
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"118⤵PID:5056
-
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"119⤵PID:3528
-
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"120⤵PID:4796
-
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"121⤵PID:4936
-
C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"C:\Users\Admin\AppData\Local\Temp\f698907930b94c87561d60489771156a.exe"122⤵PID:2996
-