Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
151s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
28/10/2022, 19:33
Static task
static1
Behavioral task
behavioral1
Sample
73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe
Resource
win7-20220812-en
windows7-x64
12 signatures
150 seconds
General
-
Target
73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe
-
Size
304KB
-
MD5
0c8fa32f2e29f6c95cde5e444760c466
-
SHA1
2bbedb1a3be39ff375cafaedcee36d38e0042915
-
SHA256
73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b
-
SHA512
7eda9781f1533384f42242ee46bdafc0443b3cebe8edbc0dc2d2baf142e902158d3c98f8aa56fa4a61ad52bc6d9129901c4d470b1670a13d2faae8e8722c6194
-
SSDEEP
3072:Mkh3VK2aRS5VHwO8KdKiZuNuEJ+DPmvKUJ2SFHR41mqmjRE5lh0juIST3:PVQO8uZUEDUKK2SbW2REPh0Yz
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe -
resource yara_rule behavioral2/memory/2056-133-0x0000000002460000-0x00000000034EE000-memory.dmp upx behavioral2/memory/2056-134-0x0000000002460000-0x00000000034EE000-memory.dmp upx behavioral2/memory/2056-135-0x0000000002460000-0x00000000034EE000-memory.dmp upx -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\X: 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe File opened (read-only) \??\G: 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe File opened (read-only) \??\K: 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe File opened (read-only) \??\L: 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe File opened (read-only) \??\S: 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe File opened (read-only) \??\V: 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe File opened (read-only) \??\W: 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe File opened (read-only) \??\I: 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe File opened (read-only) \??\M: 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe File opened (read-only) \??\P: 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe File opened (read-only) \??\Q: 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe File opened (read-only) \??\T: 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe File opened (read-only) \??\Z: 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe File opened (read-only) \??\F: 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe File opened (read-only) \??\R: 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe File opened (read-only) \??\U: 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe File opened (read-only) \??\E: 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe File opened (read-only) \??\H: 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe File opened (read-only) \??\J: 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe File opened (read-only) \??\N: 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe File opened (read-only) \??\O: 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe File opened (read-only) \??\Y: 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe -
Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification C:\autorun.inf 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe -
Drops file in Program Files directory 11 IoCs
description ioc Process File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SYSTEM.INI 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe Token: SeDebugPrivilege 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2056 wrote to memory of 772 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 5 PID 2056 wrote to memory of 780 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 79 PID 2056 wrote to memory of 332 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 6 PID 2056 wrote to memory of 2396 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 50 PID 2056 wrote to memory of 2408 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 49 PID 2056 wrote to memory of 2572 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 46 PID 2056 wrote to memory of 2180 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 40 PID 2056 wrote to memory of 688 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 39 PID 2056 wrote to memory of 3220 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 38 PID 2056 wrote to memory of 3340 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 37 PID 2056 wrote to memory of 3404 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 36 PID 2056 wrote to memory of 3504 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 35 PID 2056 wrote to memory of 3660 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 34 PID 2056 wrote to memory of 4660 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 31 PID 2056 wrote to memory of 3032 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 22 PID 2056 wrote to memory of 3140 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 19 PID 2056 wrote to memory of 1716 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 12 PID 2056 wrote to memory of 4976 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 83 PID 2056 wrote to memory of 772 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 5 PID 2056 wrote to memory of 780 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 79 PID 2056 wrote to memory of 332 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 6 PID 2056 wrote to memory of 2396 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 50 PID 2056 wrote to memory of 2408 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 49 PID 2056 wrote to memory of 2572 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 46 PID 2056 wrote to memory of 2180 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 40 PID 2056 wrote to memory of 688 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 39 PID 2056 wrote to memory of 3220 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 38 PID 2056 wrote to memory of 3340 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 37 PID 2056 wrote to memory of 3404 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 36 PID 2056 wrote to memory of 3504 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 35 PID 2056 wrote to memory of 3660 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 34 PID 2056 wrote to memory of 4660 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 31 PID 2056 wrote to memory of 3032 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 22 PID 2056 wrote to memory of 3140 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 19 PID 2056 wrote to memory of 772 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 5 PID 2056 wrote to memory of 780 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 79 PID 2056 wrote to memory of 332 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 6 PID 2056 wrote to memory of 2396 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 50 PID 2056 wrote to memory of 2408 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 49 PID 2056 wrote to memory of 2572 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 46 PID 2056 wrote to memory of 2180 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 40 PID 2056 wrote to memory of 688 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 39 PID 2056 wrote to memory of 3220 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 38 PID 2056 wrote to memory of 3340 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 37 PID 2056 wrote to memory of 3404 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 36 PID 2056 wrote to memory of 3504 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 35 PID 2056 wrote to memory of 3660 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 34 PID 2056 wrote to memory of 4660 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 31 PID 2056 wrote to memory of 3032 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 22 PID 2056 wrote to memory of 3140 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 19 PID 2056 wrote to memory of 772 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 5 PID 2056 wrote to memory of 780 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 79 PID 2056 wrote to memory of 332 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 6 PID 2056 wrote to memory of 2396 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 50 PID 2056 wrote to memory of 2408 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 49 PID 2056 wrote to memory of 2572 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 46 PID 2056 wrote to memory of 2180 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 40 PID 2056 wrote to memory of 688 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 39 PID 2056 wrote to memory of 3220 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 38 PID 2056 wrote to memory of 3340 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 37 PID 2056 wrote to memory of 3404 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 36 PID 2056 wrote to memory of 3504 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 35 PID 2056 wrote to memory of 3660 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 34 PID 2056 wrote to memory of 4660 2056 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe 31 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:772
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:332
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:1716
-
C:\Users\Admin\AppData\Local\Temp\73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe"C:\Users\Admin\AppData\Local\Temp\73fd07c553921dbbb3c70048839882148792178db93a2ea6a56fee6fac5c2a1b.exe"1⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2056
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3140
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca1⤵PID:3032
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4660
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3660
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3504
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3404
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3340
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3220
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:688
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:2180
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:2572
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2408
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2396
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:780
-
C:\Windows\System32\wuapihost.exeC:\Windows\System32\wuapihost.exe -Embedding1⤵PID:4976