sality | a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe

Windows security bypass 2 TTPs 6 IoCs

Disabling Security Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe

Disables Task Manager via registry modification
evasion

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
4376	netsh.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1052-132-0x0000000002250000-0x0000000003283000-memory.dmp	upx
behavioral2/memory/1052-135-0x0000000002250000-0x0000000003283000-memory.dmp	upx
behavioral2/memory/1052-136-0x0000000002250000-0x0000000003283000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

Disabling Security Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7z.exe	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zFM.exe	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zG.exe	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\Uninstall.exe	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SYSTEM.INI	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74C012C4-00FB-4F04-9AFB-4AD5449D2018}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79B13431-CCAC-4097-8889-D0289E5E924F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79B13431-CCAC-4097-8889-D0289E5E924F}\TypeLib\ = "{12A5F606-B1EC-474C-83ED-95E99FD8058E}"	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A3A2A5C0-1306-4D1A-A093-9CECA4230002}\TypeLib\ = "{12A5F606-B1EC-474C-83ED-95E99FD8058E}"	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{542FA950-C57A-4E17-B3E1-D935DFE15DEE}\ = "IxpEmphszr"	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6A934270-717F-4BC3-BA59-BC9BED47A8D2}\TypeLib\Version = "1.0"	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F7EC6286-297C-4981-9DCC-FD7F57BC24C9}\TypeLib\ = "{12A5F606-B1EC-474C-83ED-95E99FD8058E}"	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F7EC6286-297C-4981-9DCC-FD7F57BC24C9}\TypeLib\ = "{12A5F606-B1EC-474C-83ED-95E99FD8058E}"	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AD25754E-D76C-42B3-A335-2F81478B722F}\1.0	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74C012C4-00FB-4F04-9AFB-4AD5449D2018}\TypeLib	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6365AC7B-9920-4D8B-AF5D-3BDFEAC340A8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F7EC6286-297C-4981-9DCC-FD7F57BC24C9}	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{981334CB-7B8B-431F-B86D-67B7426B125B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C8D5C57-3CAD-4CF9-BCAD-F873678DA883}\TypeLib	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6A934270-717F-4BC3-BA59-BC9BED47A8D2}\ProxyStubClsid32	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C1C2FC43-F042-4F17-AEDB-C5ABF3B42E4B}\ProxyStubClsid32	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A3A2A5C0-1306-4D1A-A093-9CECA4230002}\TypeLib\Version = "1.0"	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\esrv.escrtSrvc\CLSID	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6A934270-717F-4BC3-BA59-BC9BED47A8D2}\ProxyStubClsid32	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{542FA950-C57A-4E17-B3E1-D935DFE15DEE}\ProxyStubClsid32	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5B035F86-41B5-40F1-AAAD-3D219F30244E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AD25754E-D76C-42B3-A335-2F81478B722F}\1.0\FLAGS	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6A934270-717F-4BC3-BA59-BC9BED47A8D2}	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B035F86-41B5-40F1-AAAD-3D219F30244E}\TypeLib	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{981334CB-7B8B-431F-B86D-67B7426B125B}	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E95EAD3F-18C6-4304-9DC6-BD6FD8E11D37}\TypeLib\ = "{AD25754E-D76C-42B3-A335-2F81478B722F}"	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C8D424EF-CB21-49A0-8659-476FBAB0F8E8}\ = "IEHostWnd"	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C8D424EF-CB21-49A0-8659-476FBAB0F8E8}\TypeLib	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A3A2A5C0-1306-4D1A-A093-9CECA4230002}\TypeLib	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79B13431-CCAC-4097-8889-D0289E5E924F}\ = "Ixtrnlmain"	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6A934270-717F-4BC3-BA59-BC9BED47A8D2}	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F7EC6286-297C-4981-9DCC-FD7F57BC24C9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C8D424EF-CB21-49A0-8659-476FBAB0F8E8}\ProxyStubClsid32	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{542FA950-C57A-4E17-B3E1-D935DFE15DEE}	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{542FA950-C57A-4E17-B3E1-D935DFE15DEE}\TypeLib	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C8D5C57-3CAD-4CF9-BCAD-F873678DA883}\TypeLib	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79B13431-CCAC-4097-8889-D0289E5E924F}\ProxyStubClsid32	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C1C2FC43-F042-4F17-AEDB-C5ABF3B42E4B}\TypeLib\Version = "1.0"	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8B8558F6-DC26-4F39-8417-34B8934AA459}	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5B035F86-41B5-40F1-AAAD-3D219F30244E}\ = "IwebAtrbts"	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\esrv.escrtSrvc\CurVer\ = "esrv.escrtSrvc.1"	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E95EAD3F-18C6-4304-9DC6-BD6FD8E11D37}\TypeLib	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AD25754E-D76C-42B3-A335-2F81478B722F}\1.0\FLAGS\ = "0"	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6365AC7B-9920-4D8B-AF5D-3BDFEAC340A8}	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6365AC7B-9920-4D8B-AF5D-3BDFEAC340A8}	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A3A2A5C0-1306-4D1A-A093-9CECA4230002}\ = "IIEWndFct"	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A3A2A5C0-1306-4D1A-A093-9CECA4230002}\TypeLib\ = "{12A5F606-B1EC-474C-83ED-95E99FD8058E}"	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74C012C4-00FB-4F04-9AFB-4AD5449D2018}	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C8D5C57-3CAD-4CF9-BCAD-F873678DA883}\TypeLib\ = "{12A5F606-B1EC-474C-83ED-95E99FD8058E}"	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79B13431-CCAC-4097-8889-D0289E5E924F}\TypeLib\Version = "1.0"	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A3A2A5C0-1306-4D1A-A093-9CECA4230002}	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5B035F86-41B5-40F1-AAAD-3D219F30244E}\TypeLib\Version = "1.0"	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6365AC7B-9920-4D8B-AF5D-3BDFEAC340A8}\TypeLib\Version = "1.0"	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B035F86-41B5-40F1-AAAD-3D219F30244E}\TypeLib\Version = "1.0"	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{981334CB-7B8B-431F-B86D-67B7426B125B}\ = "IReporter"	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74C012C4-00FB-4F04-9AFB-4AD5449D2018}\TypeLib\Version = "1.0"	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C1C2FC43-F042-4F17-AEDB-C5ABF3B42E4B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{542FA950-C57A-4E17-B3E1-D935DFE15DEE}\TypeLib	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F7EC6286-297C-4981-9DCC-FD7F57BC24C9}\TypeLib\Version = "1.0"	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C8D5C57-3CAD-4CF9-BCAD-F873678DA883}\ProxyStubClsid32	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{74C012C4-00FB-4F04-9AFB-4AD5449D2018}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C8D424EF-CB21-49A0-8659-476FBAB0F8E8}\TypeLib\ = "{12A5F606-B1EC-474C-83ED-95E99FD8058E}"	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C1C2FC43-F042-4F17-AEDB-C5ABF3B42E4B}\TypeLib\ = "{12A5F606-B1EC-474C-83ED-95E99FD8058E}"	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\esrv.escrtSrvc\CurVer	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
Token: SeDebugPrivilege	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 4376	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	78
PID 1052 wrote to memory of 4376	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	78
PID 1052 wrote to memory of 4376	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	78
PID 1052 wrote to memory of 776	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	8
PID 1052 wrote to memory of 784	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	75
PID 1052 wrote to memory of 64	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	9
PID 1052 wrote to memory of 2268	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	23
PID 1052 wrote to memory of 2300	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	22
PID 1052 wrote to memory of 2440	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	21
PID 1052 wrote to memory of 3056	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	59
PID 1052 wrote to memory of 2796	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	38
PID 1052 wrote to memory of 3276	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	58
PID 1052 wrote to memory of 3376	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	57
PID 1052 wrote to memory of 3436	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	39
PID 1052 wrote to memory of 3580	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	56
PID 1052 wrote to memory of 3840	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	41
PID 1052 wrote to memory of 4776	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	54
PID 1052 wrote to memory of 4012	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	46
PID 1052 wrote to memory of 4212	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	77
PID 1052 wrote to memory of 4376	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	78
PID 1052 wrote to memory of 4376	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	78
PID 1052 wrote to memory of 1620	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	79
PID 1052 wrote to memory of 776	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	8
PID 1052 wrote to memory of 784	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	75
PID 1052 wrote to memory of 64	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	9
PID 1052 wrote to memory of 2268	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	23
PID 1052 wrote to memory of 2300	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	22
PID 1052 wrote to memory of 2440	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	21
PID 1052 wrote to memory of 3056	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	59
PID 1052 wrote to memory of 2796	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	38
PID 1052 wrote to memory of 3276	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	58
PID 1052 wrote to memory of 3376	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	57
PID 1052 wrote to memory of 3436	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	39
PID 1052 wrote to memory of 3580	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	56
PID 1052 wrote to memory of 3840	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	41
PID 1052 wrote to memory of 4776	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	54
PID 1052 wrote to memory of 4212	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	77
PID 1052 wrote to memory of 776	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	8
PID 1052 wrote to memory of 784	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	75
PID 1052 wrote to memory of 64	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	9
PID 1052 wrote to memory of 2268	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	23
PID 1052 wrote to memory of 2300	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	22
PID 1052 wrote to memory of 2440	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	21
PID 1052 wrote to memory of 3056	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	59
PID 1052 wrote to memory of 2796	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	38
PID 1052 wrote to memory of 3276	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	58
PID 1052 wrote to memory of 3376	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	57
PID 1052 wrote to memory of 3436	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	39
PID 1052 wrote to memory of 3580	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	56
PID 1052 wrote to memory of 3840	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	41
PID 1052 wrote to memory of 4776	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	54
PID 1052 wrote to memory of 4212	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	77
PID 1052 wrote to memory of 776	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	8
PID 1052 wrote to memory of 784	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	75
PID 1052 wrote to memory of 64	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	9
PID 1052 wrote to memory of 2268	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	23
PID 1052 wrote to memory of 2300	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	22
PID 1052 wrote to memory of 2440	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	21
PID 1052 wrote to memory of 3056	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	59
PID 1052 wrote to memory of 2796	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	38
PID 1052 wrote to memory of 3276	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	58
PID 1052 wrote to memory of 3376	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	57
PID 1052 wrote to memory of 3436	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	39
PID 1052 wrote to memory of 3580	1052	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe	56

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:776

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:64

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2300

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:2796

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3436

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3840

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4012

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4776

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3580

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3376

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3276

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3056
- C:\Users\Admin\AppData\Local\Temp\a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe
  "C:\Users\Admin\AppData\Local\Temp\a41b0fe99c855262c4834bd0e70af7f0c60a18ed0c07d40fb2269b073d4be99b.exe"
  2⤵
  - UAC bypass
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Windows security modification
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1052
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode disable
    3⤵
    - Modifies Windows Firewall
    PID:4376
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1620
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    PID:4576
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    PID:624
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    PID:4088
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    PID:3908
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    PID:3344
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    PID:2344
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    PID:4488
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    PID:3168
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    PID:1312

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:784

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry