sality | 7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2

Analysis

max time kernel
160s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 21:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Size

440KB
MD5

09456befc94d8d0974692376f98dc8f0
SHA1

faa8817a2e6b99223acbd98a8dca1f205824ddd0
SHA256

7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2
SHA512

01cd3863679c8f303d60b7c952f36b9e30d600520770784ec6d7556f83bc9e3c38201eaf6566e860be0539c3b33a7417abf0766f351cf8151784dfb2d21959b8
SSDEEP

6144:9IbELf/Ml/cWdi5pV/JNWOVhMcE/NcvEIm/d:AdOpNX1hE3I+

Score

10^/10

sality backdoor evasion persistence trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe

Modifies visibility of file extensions in Explorer 2 TTPs 11 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Commgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Commgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Commgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WinAlert.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WinAlert.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Commgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Commgr.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 11 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WinAlert.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WinAlert.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Commgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Commgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WinSysApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Commgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Commgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Commgr.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe

Disables Task Manager via registry modification
evasion

Executes dropped EXE 10 IoCs

pid	Process
4268	WinAlert.exe
1380	WinSysApp.exe
5108	Commgr.exe
4240	WinAlert.exe
3496	Commgr.exe
2208	Commgr.exe
1628	WinSysApp.exe
396	Commgr.exe
2692	WinSysApp.exe
2524	Commgr.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3536-133-0x00000000021E0000-0x000000000326E000-memory.dmp	upx
behavioral2/memory/3536-134-0x00000000021E0000-0x000000000326E000-memory.dmp	upx
behavioral2/memory/3536-172-0x00000000021E0000-0x000000000326E000-memory.dmp	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WinSysApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WinAlert.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe

Adds Run key to start application 2 TTPs 45 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinAlert.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinAlert.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinAlert.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinAlert.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinAlert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinAlert.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinAlert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinAlert.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinAlert.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	Commgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	Commgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"	Commgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"	WinSysApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"	WinSysApp.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
File opened (read-only)	\??\P:	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
File opened (read-only)	\??\Q:	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
File opened (read-only)	\??\S:	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
File opened (read-only)	\??\T:	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
File opened (read-only)	\??\V:	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
File opened (read-only)	\??\I:	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
File opened (read-only)	\??\J:	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
File opened (read-only)	\??\N:	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
File opened (read-only)	\??\O:	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
File opened (read-only)	\??\W:	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
File opened (read-only)	\??\X:	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
File opened (read-only)	\??\Y:	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
File opened (read-only)	\??\F:	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
File opened (read-only)	\??\K:	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
File opened (read-only)	\??\R:	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
File opened (read-only)	\??\H:	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
File opened (read-only)	\??\M:	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
File opened (read-only)	\??\U:	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
File opened (read-only)	\??\Z:	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
File opened (read-only)	\??\E:	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
File opened (read-only)	\??\G:	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\autorun.inf	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File opened for modification	C:\PROGRAM FILES\7-ZIP\7z.exe	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zFM.exe	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zG.exe	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\Uninstall.exe	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SYSTEM.INI	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WinSysApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WinAlert.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
Token: SeDebugPrivilege	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3536 wrote to memory of 788	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	13
PID 3536 wrote to memory of 792	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	12
PID 3536 wrote to memory of 1020	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	9
PID 3536 wrote to memory of 2336	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	59
PID 3536 wrote to memory of 2360	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	58
PID 3536 wrote to memory of 2464	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	34
PID 3536 wrote to memory of 2440	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	30
PID 3536 wrote to memory of 2740	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	29
PID 3536 wrote to memory of 3252	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	28
PID 3536 wrote to memory of 3356	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	27
PID 3536 wrote to memory of 3456	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	25
PID 3536 wrote to memory of 3572	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	57
PID 3536 wrote to memory of 3764	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	56
PID 3536 wrote to memory of 4620	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	54
PID 3536 wrote to memory of 2320	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	42
PID 3536 wrote to memory of 4268	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	82
PID 3536 wrote to memory of 4268	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	82
PID 3536 wrote to memory of 4268	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	82
PID 3536 wrote to memory of 1380	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	83
PID 3536 wrote to memory of 1380	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	83
PID 3536 wrote to memory of 1380	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	83
PID 3536 wrote to memory of 5108	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	85
PID 3536 wrote to memory of 5108	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	85
PID 3536 wrote to memory of 5108	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	85
PID 3536 wrote to memory of 4240	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	84
PID 3536 wrote to memory of 4240	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	84
PID 3536 wrote to memory of 4240	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	84
PID 3536 wrote to memory of 3496	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	86
PID 3536 wrote to memory of 3496	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	86
PID 3536 wrote to memory of 3496	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	86
PID 3536 wrote to memory of 2208	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	87
PID 3536 wrote to memory of 2208	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	87
PID 3536 wrote to memory of 2208	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	87
PID 4240 wrote to memory of 1628	4240	WinAlert.exe	88
PID 4240 wrote to memory of 1628	4240	WinAlert.exe	88
PID 4240 wrote to memory of 1628	4240	WinAlert.exe	88
PID 4240 wrote to memory of 396	4240	WinAlert.exe	89
PID 4240 wrote to memory of 396	4240	WinAlert.exe	89
PID 4240 wrote to memory of 396	4240	WinAlert.exe	89
PID 3536 wrote to memory of 2692	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	90
PID 3536 wrote to memory of 2692	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	90
PID 3536 wrote to memory of 2692	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	90
PID 1380 wrote to memory of 2524	1380	WinSysApp.exe	91
PID 1380 wrote to memory of 2524	1380	WinSysApp.exe	91
PID 1380 wrote to memory of 2524	1380	WinSysApp.exe	91
PID 3536 wrote to memory of 788	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	13
PID 3536 wrote to memory of 792	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	12
PID 3536 wrote to memory of 1020	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	9
PID 3536 wrote to memory of 2336	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	59
PID 3536 wrote to memory of 2360	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	58
PID 3536 wrote to memory of 2464	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	34
PID 3536 wrote to memory of 2440	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	30
PID 3536 wrote to memory of 2740	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	29
PID 3536 wrote to memory of 3252	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	28
PID 3536 wrote to memory of 3356	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	27
PID 3536 wrote to memory of 3456	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	25
PID 3536 wrote to memory of 3572	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	57
PID 3536 wrote to memory of 3764	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	56
PID 3536 wrote to memory of 4620	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	54
PID 3536 wrote to memory of 2320	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	42
PID 3536 wrote to memory of 1380	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	83
PID 3536 wrote to memory of 1380	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	83
PID 3536 wrote to memory of 4240	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	84
PID 3536 wrote to memory of 4240	3536	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe	84

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:1020

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:792

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:788

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3456

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3356

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:2740

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2440
- C:\Users\Admin\AppData\Local\Temp\7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe
  "C:\Users\Admin\AppData\Local\Temp\7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2.exe"
  2⤵
  - Modifies firewall policy service
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - UAC bypass
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Windows security modification
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3536
- - C:\Program Files\Windows Alerter\WinAlert.exe
    "C:\Program Files\Windows Alerter\WinAlert.exe"
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    PID:4268
- - C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
    "C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1380
  - - C:\Program Files\Windows Common Files\Commgr.exe
      "C:\Program Files\Windows Common Files\Commgr.exe"
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      PID:2524
- - C:\Program Files\Windows Alerter\WinAlert.exe
    "C:\Program Files\Windows Alerter\WinAlert.exe"
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4240
  - - C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
      "C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      PID:1628
  - - C:\Program Files\Windows Common Files\Commgr.exe
      "C:\Program Files\Windows Common Files\Commgr.exe"
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      PID:396
- - C:\Program Files\Windows Common Files\Commgr.exe
    "C:\Program Files\Windows Common Files\Commgr.exe"
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    PID:5108
- - C:\Program Files\Windows Common Files\Commgr.exe
    "C:\Program Files\Windows Common Files\Commgr.exe"
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    PID:3496
- - C:\Program Files\Windows Common Files\Commgr.exe
    "C:\Program Files\Windows Common Files\Commgr.exe"
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    PID:2208
- - C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
    "C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    PID:2692

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2464

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2320

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4620

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3764

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2360

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Alerter\WinAlert.exe

Filesize
440KB

MD5
09456befc94d8d0974692376f98dc8f0

SHA1
faa8817a2e6b99223acbd98a8dca1f205824ddd0

SHA256
7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2

SHA512
01cd3863679c8f303d60b7c952f36b9e30d600520770784ec6d7556f83bc9e3c38201eaf6566e860be0539c3b33a7417abf0766f351cf8151784dfb2d21959b8

Download Submit
C:\Program Files\Windows Alerter\WinAlert.exe

Filesize
440KB

MD5
09456befc94d8d0974692376f98dc8f0

SHA1
faa8817a2e6b99223acbd98a8dca1f205824ddd0

SHA256
7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2

SHA512
01cd3863679c8f303d60b7c952f36b9e30d600520770784ec6d7556f83bc9e3c38201eaf6566e860be0539c3b33a7417abf0766f351cf8151784dfb2d21959b8

Download Submit
C:\Program Files\Windows Alerter\WinAlert.exe

Filesize
440KB

MD5
09456befc94d8d0974692376f98dc8f0

SHA1
faa8817a2e6b99223acbd98a8dca1f205824ddd0

SHA256
7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2

SHA512
01cd3863679c8f303d60b7c952f36b9e30d600520770784ec6d7556f83bc9e3c38201eaf6566e860be0539c3b33a7417abf0766f351cf8151784dfb2d21959b8

Download Submit
C:\Program Files\Windows Common Files\Commgr.exe

Filesize
440KB

MD5
09456befc94d8d0974692376f98dc8f0

SHA1
faa8817a2e6b99223acbd98a8dca1f205824ddd0

SHA256
7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2

SHA512
01cd3863679c8f303d60b7c952f36b9e30d600520770784ec6d7556f83bc9e3c38201eaf6566e860be0539c3b33a7417abf0766f351cf8151784dfb2d21959b8

Download Submit
C:\Program Files\Windows Common Files\Commgr.exe

Filesize
440KB

MD5
09456befc94d8d0974692376f98dc8f0

SHA1
faa8817a2e6b99223acbd98a8dca1f205824ddd0

SHA256
7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2

SHA512
01cd3863679c8f303d60b7c952f36b9e30d600520770784ec6d7556f83bc9e3c38201eaf6566e860be0539c3b33a7417abf0766f351cf8151784dfb2d21959b8

Download Submit
C:\Program Files\Windows Common Files\Commgr.exe

Filesize
440KB

MD5
09456befc94d8d0974692376f98dc8f0

SHA1
faa8817a2e6b99223acbd98a8dca1f205824ddd0

SHA256
7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2

SHA512
01cd3863679c8f303d60b7c952f36b9e30d600520770784ec6d7556f83bc9e3c38201eaf6566e860be0539c3b33a7417abf0766f351cf8151784dfb2d21959b8

Download Submit
C:\Program Files\Windows Common Files\Commgr.exe

Filesize
440KB

MD5
09456befc94d8d0974692376f98dc8f0

SHA1
faa8817a2e6b99223acbd98a8dca1f205824ddd0

SHA256
7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2

SHA512
01cd3863679c8f303d60b7c952f36b9e30d600520770784ec6d7556f83bc9e3c38201eaf6566e860be0539c3b33a7417abf0766f351cf8151784dfb2d21959b8

Download Submit
C:\Program Files\Windows Common Files\Commgr.exe

Filesize
440KB

MD5
09456befc94d8d0974692376f98dc8f0

SHA1
faa8817a2e6b99223acbd98a8dca1f205824ddd0

SHA256
7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2

SHA512
01cd3863679c8f303d60b7c952f36b9e30d600520770784ec6d7556f83bc9e3c38201eaf6566e860be0539c3b33a7417abf0766f351cf8151784dfb2d21959b8

Download Submit
C:\Program Files\Windows Common Files\Commgr.exe

Filesize
440KB

MD5
09456befc94d8d0974692376f98dc8f0

SHA1
faa8817a2e6b99223acbd98a8dca1f205824ddd0

SHA256
7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2

SHA512
01cd3863679c8f303d60b7c952f36b9e30d600520770784ec6d7556f83bc9e3c38201eaf6566e860be0539c3b33a7417abf0766f351cf8151784dfb2d21959b8

Download Submit
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
440KB

MD5
09456befc94d8d0974692376f98dc8f0

SHA1
faa8817a2e6b99223acbd98a8dca1f205824ddd0

SHA256
7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2

SHA512
01cd3863679c8f303d60b7c952f36b9e30d600520770784ec6d7556f83bc9e3c38201eaf6566e860be0539c3b33a7417abf0766f351cf8151784dfb2d21959b8

Download Submit
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
440KB

MD5
09456befc94d8d0974692376f98dc8f0

SHA1
faa8817a2e6b99223acbd98a8dca1f205824ddd0

SHA256
7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2

SHA512
01cd3863679c8f303d60b7c952f36b9e30d600520770784ec6d7556f83bc9e3c38201eaf6566e860be0539c3b33a7417abf0766f351cf8151784dfb2d21959b8

Download Submit
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
440KB

MD5
09456befc94d8d0974692376f98dc8f0

SHA1
faa8817a2e6b99223acbd98a8dca1f205824ddd0

SHA256
7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2

SHA512
01cd3863679c8f303d60b7c952f36b9e30d600520770784ec6d7556f83bc9e3c38201eaf6566e860be0539c3b33a7417abf0766f351cf8151784dfb2d21959b8

Download Submit
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Filesize
440KB

MD5
09456befc94d8d0974692376f98dc8f0

SHA1
faa8817a2e6b99223acbd98a8dca1f205824ddd0

SHA256
7cfd80580b6ef8c70a266bd8273c2327acaa162d44933ddbc1407b8f6f7b5ab2

SHA512
01cd3863679c8f303d60b7c952f36b9e30d600520770784ec6d7556f83bc9e3c38201eaf6566e860be0539c3b33a7417abf0766f351cf8151784dfb2d21959b8

Download Submit
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\bnf0342

Filesize
227B

MD5
cf60712de332d62b1c03660b67cb76d4

SHA1
71f1dff6b3a7d4ab780dcae513efd3ca358a08ac

SHA256
6d41fbe3c0015ce183ca361e818b3ee6b20935c9ec8b23585b03ac414a38ec08

SHA512
2a3259bb782c4093c62d299e8a8e116cce50c77f251177a70bad6ec19f53ec6025c739b73cdb8e646dab3dcfc6a9f1bd25a16ac423b7b5462a73ecab76eca313

Download Submit
memory/396-166-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1380-148-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1380-174-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1628-165-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2208-164-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2524-171-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2524-168-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2692-167-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3496-154-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3496-169-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3536-132-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3536-134-0x00000000021E0000-0x000000000326E000-memory.dmp

Filesize
16.6MB

Download
memory/3536-172-0x00000000021E0000-0x000000000326E000-memory.dmp

Filesize
16.6MB

Download
memory/3536-173-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3536-133-0x00000000021E0000-0x000000000326E000-memory.dmp

Filesize
16.6MB

Download
memory/4240-150-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4240-176-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4268-147-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5108-149-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5108-175-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download