cybergate | 14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 1 IoCs

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe

Windows security bypass 2 TTPs 6 IoCs

Disabling Security Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\temp\\sysgui.exe"	shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\temp\\sysgui.exe"	shell.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	shell.exe

Executes dropped EXE 8 IoCs

pid	Process
5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
2556	shell.exe
3456	shell.exe
3380	shell.exe
4500	shell.exe
1780	sysgui.exe
4704	sysgui.exe
4076	sysgui.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{218A3Q1V-M05N-O32L-4AM8-MA0JEIMDL4ML}\StubPath = "C:\\Windows\\system32\\temp\\sysgui.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{218A3Q1V-M05N-O32L-4AM8-MA0JEIMDL4ML}	shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{218A3Q1V-M05N-O32L-4AM8-MA0JEIMDL4ML}\StubPath = "C:\\Windows\\system32\\temp\\sysgui.exe Restart"	shell.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{218A3Q1V-M05N-O32L-4AM8-MA0JEIMDL4ML}	explorer.exe

UPX packed file 35 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4664-134-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5012-141-0x0000000002A00000-0x0000000003A8E000-memory.dmp	upx
behavioral2/memory/5012-151-0x0000000002A00000-0x0000000003A8E000-memory.dmp	upx
behavioral2/memory/4664-154-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3380-157-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/3380-161-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/3380-162-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/3380-163-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/3380-165-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/3380-170-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/3988-173-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/3988-176-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/3380-180-0x00000000240F0000-0x0000000024152000-memory.dmp	upx
behavioral2/memory/3380-184-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/4500-183-0x00000000240F0000-0x0000000024152000-memory.dmp	upx
behavioral2/memory/5012-185-0x0000000031B80000-0x0000000031B8D000-memory.dmp	upx
behavioral2/memory/1068-186-0x0000000031BB0000-0x0000000031BBD000-memory.dmp	upx
behavioral2/memory/5012-187-0x0000000031B80000-0x0000000031B8D000-memory.dmp	upx
behavioral2/memory/4500-189-0x00000000240F0000-0x0000000024152000-memory.dmp	upx
behavioral2/memory/3988-188-0x0000000031B90000-0x0000000031B9D000-memory.dmp	upx
behavioral2/memory/5012-194-0x0000000002A00000-0x0000000003A8E000-memory.dmp	upx
behavioral2/memory/1780-196-0x0000000031BD0000-0x0000000031BDD000-memory.dmp	upx
behavioral2/memory/1780-201-0x0000000031BD0000-0x0000000031BDD000-memory.dmp	upx
behavioral2/memory/4704-204-0x0000000031BE0000-0x0000000031BED000-memory.dmp	upx
behavioral2/memory/4704-206-0x0000000031BE0000-0x0000000031BED000-memory.dmp	upx
behavioral2/memory/4076-211-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/4076-212-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/4076-215-0x0000000031BF0000-0x0000000031BFD000-memory.dmp	upx
behavioral2/memory/4704-214-0x0000000031BE0000-0x0000000031BED000-memory.dmp	upx
behavioral2/memory/4076-216-0x0000000031BF0000-0x0000000031BFD000-memory.dmp	upx
behavioral2/memory/4076-217-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/4076-218-0x0000000031BF0000-0x0000000031BFD000-memory.dmp	upx
behavioral2/memory/4076-219-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/3988-220-0x0000000031B90000-0x0000000031B9D000-memory.dmp	upx
behavioral2/memory/4500-221-0x00000000240F0000-0x0000000024152000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	shell.exe

Windows security modification 2 TTPs 7 IoCs

Disabling Security Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\temp\\sysgui.exe"	shell.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\temp\\sysgui.exe"	shell.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

System Information Discovery

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\E:	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe

Drops autorun.inf file 1 TTPs 48 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	\??\m:\autorun.inf	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe
File opened for modification	\??\q:\autorun.inf	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe
File created	\??\s:\autorun.inf	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe
File opened for modification	\??\v:\autorun.inf	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe
File opened for modification	\??\y:\autorun.inf	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe
File created	\??\m:\autorun.inf	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe
File created	\??\f:\autorun.inf	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe
File created	\??\g:\autorun.inf	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe
File created	\??\i:\autorun.inf	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe
File created	\??\k:\autorun.inf	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe
File opened for modification	\??\o:\autorun.inf	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe
File opened for modification	\??\p:\autorun.inf	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe
File opened for modification	\??\u:\autorun.inf	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe
File opened for modification	\??\c:\autorun.inf	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe
File created	\??\w:\autorun.inf	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe
File opened for modification	\??\e:\autorun.inf	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe
File opened for modification	\??\g:\autorun.inf	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe
File opened for modification	\??\i:\autorun.inf	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe
File opened for modification	\??\w:\autorun.inf	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe
File created	\??\x:\autorun.inf	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe
File created	\??\d:\autorun.inf	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe
File opened for modification	\??\n:\autorun.inf	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe
File created	\??\o:\autorun.inf	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe
File created	\??\t:\autorun.inf	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe
File opened for modification	\??\x:\autorun.inf	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe
File opened for modification	\??\j:\autorun.inf	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe
File created	\??\e:\autorun.inf	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe
File created	\??\j:\autorun.inf	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe
File opened for modification	\??\t:\autorun.inf	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe
File created	\??\c:\autorun.inf	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe
File opened for modification	\??\k:\autorun.inf	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe
File opened for modification	\??\r:\autorun.inf	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe
File created	\??\z:\autorun.inf	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe
File opened for modification	\??\h:\autorun.inf	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe
File created	\??\l:\autorun.inf	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe
File opened for modification	\??\l:\autorun.inf	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe
File created	\??\r:\autorun.inf	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe
File opened for modification	\??\s:\autorun.inf	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe
File created	\??\v:\autorun.inf	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe
File created	\??\y:\autorun.inf	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe
File opened for modification	\??\z:\autorun.inf	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe
File opened for modification	\??\d:\autorun.inf	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe
File created	\??\h:\autorun.inf	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe
File created	\??\n:\autorun.inf	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe
File created	\??\p:\autorun.inf	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe
File created	\??\q:\autorun.inf	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe
File created	\??\u:\autorun.inf	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe
File opened for modification	\??\f:\autorun.inf	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\temp\sysgui.exe	shell.exe
File opened for modification	C:\Windows\SysWOW64\temp\sysgui.exe	shell.exe
File opened for modification	C:\Windows\SysWOW64\temp\sysgui.exe	shell.exe
File opened for modification	C:\Windows\SysWOW64\temp\	shell.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2556 set thread context of 3456	2556	shell.exe	83
PID 3456 set thread context of 3380	3456	shell.exe	84
PID 1780 set thread context of 4704	1780	sysgui.exe	91
PID 4704 set thread context of 4076	4704	sysgui.exe	92

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SYSTEM.INI	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2168	5012	WerFault.exe	81

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	shell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
3380	shell.exe
3380	shell.exe
4500	shell.exe
4500	shell.exe
4500	shell.exe
4500	shell.exe
4500	shell.exe
4500	shell.exe
4500	shell.exe
4500	shell.exe
4500	shell.exe
4500	shell.exe
4500	shell.exe
4500	shell.exe
4500	shell.exe
4500	shell.exe
4500	shell.exe
4500	shell.exe
4500	shell.exe
4500	shell.exe
4500	shell.exe
4500	shell.exe
4500	shell.exe
4500	shell.exe
4500	shell.exe
4500	shell.exe
4500	shell.exe
4500	shell.exe
4500	shell.exe
4500	shell.exe
4500	shell.exe
4500	shell.exe
4500	shell.exe
4500	shell.exe
4500	shell.exe
4500	shell.exe
4500	shell.exe
4500	shell.exe
4500	shell.exe
4500	shell.exe
4500	shell.exe
4500	shell.exe
4500	shell.exe
4500	shell.exe
4500	shell.exe
4500	shell.exe
4076	sysgui.exe
4076	sysgui.exe
4500	shell.exe
4500	shell.exe
4500	shell.exe
4500	shell.exe
4500	shell.exe
4500	shell.exe
4500	shell.exe
4500	shell.exe
4500	shell.exe
4500	shell.exe
4500	shell.exe
4500	shell.exe
4500	shell.exe
4500	shell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4500	shell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
Token: SeDebugPrivilege	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3380	shell.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4664	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe
5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
2556	shell.exe
3456	shell.exe
1780	sysgui.exe
4704	sysgui.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4664 wrote to memory of 5012	4664	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe	81
PID 4664 wrote to memory of 5012	4664	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe	81
PID 4664 wrote to memory of 5012	4664	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe	81
PID 4664 wrote to memory of 2556	4664	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe	82
PID 4664 wrote to memory of 2556	4664	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe	82
PID 4664 wrote to memory of 2556	4664	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe	82
PID 2556 wrote to memory of 3456	2556	shell.exe	83
PID 2556 wrote to memory of 3456	2556	shell.exe	83
PID 2556 wrote to memory of 3456	2556	shell.exe	83
PID 2556 wrote to memory of 3456	2556	shell.exe	83
PID 2556 wrote to memory of 3456	2556	shell.exe	83
PID 2556 wrote to memory of 3456	2556	shell.exe	83
PID 2556 wrote to memory of 3456	2556	shell.exe	83
PID 2556 wrote to memory of 3456	2556	shell.exe	83
PID 5012 wrote to memory of 780	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe	8
PID 5012 wrote to memory of 788	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe	9
PID 5012 wrote to memory of 64	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe	13
PID 5012 wrote to memory of 2768	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe	45
PID 5012 wrote to memory of 2820	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe	47
PID 5012 wrote to memory of 2868	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe	50
PID 5012 wrote to memory of 684	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe	55
PID 5012 wrote to memory of 1708	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe	54
PID 5012 wrote to memory of 3268	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe	56
PID 5012 wrote to memory of 3368	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe	57
PID 5012 wrote to memory of 3432	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe	62
PID 5012 wrote to memory of 3524	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe	58
PID 5012 wrote to memory of 3684	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe	59
PID 5012 wrote to memory of 4644	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe	63
PID 5012 wrote to memory of 4664	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe	80
PID 5012 wrote to memory of 4664	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe	80
PID 5012 wrote to memory of 2556	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe	82
PID 5012 wrote to memory of 2556	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe	82
PID 5012 wrote to memory of 3456	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe	83
PID 5012 wrote to memory of 3456	5012	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe	83
PID 3456 wrote to memory of 3380	3456	shell.exe	84
PID 3456 wrote to memory of 3380	3456	shell.exe	84
PID 3456 wrote to memory of 3380	3456	shell.exe	84
PID 3456 wrote to memory of 3380	3456	shell.exe	84
PID 3456 wrote to memory of 3380	3456	shell.exe	84
PID 3456 wrote to memory of 3380	3456	shell.exe	84
PID 3456 wrote to memory of 3380	3456	shell.exe	84
PID 3456 wrote to memory of 3380	3456	shell.exe	84
PID 3380 wrote to memory of 684	3380	shell.exe	55
PID 3380 wrote to memory of 684	3380	shell.exe	55
PID 3380 wrote to memory of 684	3380	shell.exe	55
PID 3380 wrote to memory of 684	3380	shell.exe	55
PID 3380 wrote to memory of 684	3380	shell.exe	55
PID 3380 wrote to memory of 684	3380	shell.exe	55
PID 3380 wrote to memory of 684	3380	shell.exe	55
PID 3380 wrote to memory of 684	3380	shell.exe	55
PID 3380 wrote to memory of 684	3380	shell.exe	55
PID 3380 wrote to memory of 684	3380	shell.exe	55
PID 3380 wrote to memory of 684	3380	shell.exe	55
PID 3380 wrote to memory of 684	3380	shell.exe	55
PID 3380 wrote to memory of 684	3380	shell.exe	55
PID 3380 wrote to memory of 684	3380	shell.exe	55
PID 3380 wrote to memory of 684	3380	shell.exe	55
PID 3380 wrote to memory of 684	3380	shell.exe	55
PID 3380 wrote to memory of 684	3380	shell.exe	55
PID 3380 wrote to memory of 684	3380	shell.exe	55
PID 3380 wrote to memory of 684	3380	shell.exe	55
PID 3380 wrote to memory of 684	3380	shell.exe	55
PID 3380 wrote to memory of 684	3380	shell.exe	55
PID 3380 wrote to memory of 684	3380	shell.exe	55

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:608
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:780
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:64

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:796
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3268
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3368
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:3524
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3684
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:4440
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3432
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4644
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:3936
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe
  2⤵
  PID:5044
- C:\Windows\System32\mousocoreworker.exe
  C:\Windows\System32\mousocoreworker.exe -Embedding
  2⤵
  PID:732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:508

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1108
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1200

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1348
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1400

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1568

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1640

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
1⤵
PID:1668

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1876

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1884

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1948

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:1700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2488

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2500

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2296

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2112

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:1316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:1708

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:684
- C:\Users\Admin\AppData\Local\Temp\14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe
  "C:\Users\Admin\AppData\Local\Temp\14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe"
  2⤵
  - Checks computer location settings
  - Drops autorun.inf file
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4664
- - C:\Users\Admin\AppData\Local\Temp\14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe
    "C:\Users\Admin\AppData\Local\Temp\14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe"
    3⤵
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:5012
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 1260
      4⤵
      Program crash
      PID:2168
- - \??\c:\shell.exe
    c:\shell.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - \??\c:\shell.exe
      c:\shell.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3456
    - - \??\c:\shell.exe
        
        "c:\\shell.exe"
        5⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:3380
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        Modifies Installed Components in the registry
        
        PID:3988
      - \??\c:\shell.exe
        
        "c:\shell.exe"
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:4500
        
        C:\Windows\SysWOW64\temp\sysgui.exe
        
        "C:\Windows\system32\temp\sysgui.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1780
        
        C:\Windows\SysWOW64\temp\sysgui.exe
        
        C:\Windows\SysWOW64\temp\sysgui.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4704
        
        C:\Windows\SysWOW64\temp\sysgui.exe
        
        "C:\Windows\SysWOW64\temp\sysgui.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s W32Time
1⤵
PID:3700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:5088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3076

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:2336

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2084

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:3100

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:3516
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5012 -ip 5012
  2⤵
  PID:1068

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe e2dfceba241a1defd3f32619bdca1be4 TNs/FycA9USibX7uFCYLhw.0.1.0.0.0
1⤵
PID:2380
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:4860

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:2800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery