sality | b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 1 IoCs

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe

Windows security bypass 2 TTPs 6 IoCs

Disabling Security Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe

Disables Task Manager via registry modification
evasion

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2416-132-0x0000000002440000-0x00000000034CE000-memory.dmp	upx
behavioral2/memory/2416-134-0x0000000002440000-0x00000000034CE000-memory.dmp	upx
behavioral2/memory/2416-135-0x0000000002440000-0x00000000034CE000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

Disabling Security Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

System Information Discovery

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\I:	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File opened (read-only)	\??\R:	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File opened (read-only)	\??\S:	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File opened (read-only)	\??\Z:	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File opened (read-only)	\??\F:	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File opened (read-only)	\??\J:	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File opened (read-only)	\??\M:	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File opened (read-only)	\??\P:	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File opened (read-only)	\??\T:	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File opened (read-only)	\??\U:	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File opened (read-only)	\??\X:	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File opened (read-only)	\??\Y:	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File opened (read-only)	\??\H:	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File opened (read-only)	\??\G:	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File opened (read-only)	\??\N:	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File opened (read-only)	\??\Q:	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File opened (read-only)	\??\V:	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File opened (read-only)	\??\W:	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File opened (read-only)	\??\E:	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File opened (read-only)	\??\L:	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File opened (read-only)	\??\O:	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File opened (read-only)	\??\K:	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\autorun.inf	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File opened for modification	C:\PROGRAM FILES\7-ZIP\7z.exe	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\Uninstall.exe	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zFM.exe	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zG.exe	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\inf\c_fshsm.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\kscaptur.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\netmscli.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\smrvolume.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\netrasa.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\netvwififlt.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\c_fssystemrecovery.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\mbtr8897w81x64.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\mdmcxpv6.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\mdmnis1u.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\netnwifi.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\mdmiodat.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\netimm.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\lltdio.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\mdmnis3t.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\nulhprs8.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\wfcvsc.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\wvmic_kvpexchange.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\netvchannel.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\prnms003.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\tpmvsc.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\c_hidclass.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\displayoverride.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\hdaudss.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\hidbthle.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\netserv.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\c_system.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\mdmmcom.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\netlldp.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\61883.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\mvumis.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\net44amd.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\wvmic_ext.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\eaphost.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\hidserv.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\mdmbw561.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\mdmmega.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\wstorvsc.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\mdmatm2k.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\mdmgl009.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\miradisp.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\net1ic64.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\netxex64.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\mdmsuprv.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\sensorsalsdriver.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\xusb22.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\mdmcom1.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\mdmosi.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\mdmtdkj3.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\c_fsquotamgmt.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\mdmhaeu.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\mdmjf56e.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\mdmmetri.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\net9500-x64-n650f.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\c_smartcardreader.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\mdmvdot.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\netvwwanmp.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\wvmic_guestinterface.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\cht4nulx64.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\c_scmdisk.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\mdmzyxlg.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\c_computer.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\c_dot4print.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
File created	C:\Windows\inf\ipmidrv.PNF	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
Token: SeDebugPrivilege	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 792	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	78
PID 2416 wrote to memory of 800	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	77
PID 2416 wrote to memory of 312	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	8
PID 2416 wrote to memory of 2428	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	44
PID 2416 wrote to memory of 2452	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	11
PID 2416 wrote to memory of 2772	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	38
PID 2416 wrote to memory of 372	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	36
PID 2416 wrote to memory of 3076	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	35
PID 2416 wrote to memory of 3268	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	34
PID 2416 wrote to memory of 3368	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	33
PID 2416 wrote to memory of 3432	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	12
PID 2416 wrote to memory of 3524	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	32
PID 2416 wrote to memory of 3680	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	31
PID 2416 wrote to memory of 4588	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	28
PID 2416 wrote to memory of 792	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	78
PID 2416 wrote to memory of 800	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	77
PID 2416 wrote to memory of 312	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	8
PID 2416 wrote to memory of 2428	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	44
PID 2416 wrote to memory of 2452	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	11
PID 2416 wrote to memory of 2772	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	38
PID 2416 wrote to memory of 372	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	36
PID 2416 wrote to memory of 3076	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	35
PID 2416 wrote to memory of 3268	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	34
PID 2416 wrote to memory of 3368	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	33
PID 2416 wrote to memory of 3432	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	12
PID 2416 wrote to memory of 3524	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	32
PID 2416 wrote to memory of 3680	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	31
PID 2416 wrote to memory of 4588	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	28
PID 2416 wrote to memory of 792	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	78
PID 2416 wrote to memory of 800	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	77
PID 2416 wrote to memory of 312	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	8
PID 2416 wrote to memory of 2428	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	44
PID 2416 wrote to memory of 2452	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	11
PID 2416 wrote to memory of 2772	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	38
PID 2416 wrote to memory of 372	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	36
PID 2416 wrote to memory of 3076	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	35
PID 2416 wrote to memory of 3268	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	34
PID 2416 wrote to memory of 3368	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	33
PID 2416 wrote to memory of 3432	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	12
PID 2416 wrote to memory of 3524	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	32
PID 2416 wrote to memory of 3680	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	31
PID 2416 wrote to memory of 4588	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	28
PID 2416 wrote to memory of 792	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	78
PID 2416 wrote to memory of 800	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	77
PID 2416 wrote to memory of 312	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	8
PID 2416 wrote to memory of 2428	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	44
PID 2416 wrote to memory of 2452	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	11
PID 2416 wrote to memory of 2772	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	38
PID 2416 wrote to memory of 372	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	36
PID 2416 wrote to memory of 3076	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	35
PID 2416 wrote to memory of 3268	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	34
PID 2416 wrote to memory of 3368	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	33
PID 2416 wrote to memory of 3432	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	12
PID 2416 wrote to memory of 3524	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	32
PID 2416 wrote to memory of 3680	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	31
PID 2416 wrote to memory of 4588	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	28
PID 2416 wrote to memory of 792	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	78
PID 2416 wrote to memory of 800	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	77
PID 2416 wrote to memory of 312	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	8
PID 2416 wrote to memory of 2428	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	44
PID 2416 wrote to memory of 2452	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	11
PID 2416 wrote to memory of 2772	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	38
PID 2416 wrote to memory of 372	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	36
PID 2416 wrote to memory of 3076	2416	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe	35

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2452

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3432

C:\Users\Admin\AppData\Local\Temp\b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe
"C:\Users\Admin\AppData\Local\Temp\b9ca5e641ea25590c2eabc53cebdbf38f19f5c10c81e2b7c90761910de253759.exe"
1⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2416

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4588

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3680

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3524

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3368

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3076

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:372

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2772

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2428

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:800

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:792

Network

DNS

176.122.125.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

176.122.125.40.in-addr.arpa

IN PTR

Response

8.238.20.126:80

260 B
5
8.238.20.126:80

322 B
7
8.247.210.126:80

322 B
7
8.238.20.126:80

260 B
5
8.247.210.126:80

260 B
5
8.238.20.126:80

260 B
5
20.42.65.84:443

322 B
7
8.247.211.126:80

260 B
5
8.247.210.126:80

260 B
5
8.253.208.112:80

260 B
5
8.238.111.126:80

260 B
5
93.184.220.29:80

276 B
6

8.8.8.8:53

176.122.125.40.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

176.122.125.40.in-addr.arpa

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery