c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae

Analysis

max time kernel
154s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 11:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Size

388KB
MD5

f889a57591697bde1036a231a29c3207
SHA1

3ba251d27b16bde14c3776d879db5b50166bb72e
SHA256

c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae
SHA512

460f6a087fca6a4d5c594a357ca53502748aad7b73e2d50cbf804ff72cadaa3772c467b5547f8f6c3093265f6082eb09063ce3606f5c26bce4900d5efedf7b09
SSDEEP

6144:CYZTNk3D6LyUXwLLk+cR3qh0GQ43VJRD0ew+/hOvK2o4nFOrz0Ypzu/S8+k7B7:CSNC80I+cR3R03VseXOvc4krwSzW+kt7

Score

10^/10

evasion persistence trojan upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe chrome.exe"	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe

Disables Task Manager via registry modification
evasion

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/712-132-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral2/memory/712-133-0x00000000036D0000-0x00000000046FA000-memory.dmp	upx
behavioral2/memory/712-134-0x00000000036D0000-0x00000000046FA000-memory.dmp	upx
behavioral2/memory/712-135-0x00000000036D0000-0x00000000046FA000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger = "C:\\Windows\\system32\\chrome.exe"	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\u:	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
File opened (read-only)	\??\v:	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
File opened (read-only)	\??\y:	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
File opened (read-only)	\??\f:	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
File opened (read-only)	\??\n:	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
File opened (read-only)	\??\s:	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
File opened (read-only)	\??\x:	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
File opened (read-only)	\??\e:	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
File opened (read-only)	\??\h:	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
File opened (read-only)	\??\m:	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
File opened (read-only)	\??\p:	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
File opened (read-only)	\??\r:	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
File opened (read-only)	\??\z:	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
File opened (read-only)	\??\i:	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
File opened (read-only)	\??\j:	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
File opened (read-only)	\??\k:	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
File opened (read-only)	\??\l:	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
File opened (read-only)	\??\o:	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
File opened (read-only)	\??\q:	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
File opened (read-only)	\??\t:	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
File opened (read-only)	\??\w:	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
File opened (read-only)	\??\a:	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
File opened (read-only)	\??\b:	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
File opened (read-only)	\??\g:	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	\??\d:\autorun.inf	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\SysWOW64\CHROME.EXE	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
File created	C:\Windows\SysWOW64\chrome.exe	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
File opened for modification	C:\Windows\SysWOW64\chrome.exe	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
File opened for modification	C:\Windows\SysWOW64\autorun.ini	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7z.exe	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zFM.exe	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zG.exe	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\Uninstall.exe	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SYSTEM.INI	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
File created	C:\Windows\chrome.exe	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
File opened for modification	C:\Windows\chrome.exe	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://h1.ripway.com/poojasharma/index.html"	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Search Page = "http://h1.ripway.com/poojasharma/index.html"	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://h1.ripway.com/poojasharma/index.html"	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://h1.ripway.com/poojasharma/index.html"	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://h1.ripway.com/poojasharma/index.html"	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
Token: SeDebugPrivilege	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 712 wrote to memory of 784	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	9
PID 712 wrote to memory of 792	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	14
PID 712 wrote to memory of 1016	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	10
PID 712 wrote to memory of 2524	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	43
PID 712 wrote to memory of 2536	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	59
PID 712 wrote to memory of 2636	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	57
PID 712 wrote to memory of 740	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	54
PID 712 wrote to memory of 3100	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	53
PID 712 wrote to memory of 3304	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	52
PID 712 wrote to memory of 3396	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	49
PID 712 wrote to memory of 3460	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	50
PID 712 wrote to memory of 3548	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	51
PID 712 wrote to memory of 3700	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	60
PID 712 wrote to memory of 4540	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	63
PID 712 wrote to memory of 4320	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	78
PID 712 wrote to memory of 376	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	75
PID 712 wrote to memory of 2752	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	76
PID 712 wrote to memory of 784	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	9
PID 712 wrote to memory of 792	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	14
PID 712 wrote to memory of 1016	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	10
PID 712 wrote to memory of 2524	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	43
PID 712 wrote to memory of 2536	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	59
PID 712 wrote to memory of 2636	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	57
PID 712 wrote to memory of 740	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	54
PID 712 wrote to memory of 3100	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	53
PID 712 wrote to memory of 3304	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	52
PID 712 wrote to memory of 3396	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	49
PID 712 wrote to memory of 3460	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	50
PID 712 wrote to memory of 3548	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	51
PID 712 wrote to memory of 3700	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	60
PID 712 wrote to memory of 4540	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	63
PID 712 wrote to memory of 4320	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	78
PID 712 wrote to memory of 376	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	75
PID 712 wrote to memory of 2752	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	76
PID 712 wrote to memory of 4172	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	86
PID 712 wrote to memory of 4172	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	86
PID 712 wrote to memory of 4172	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	86
PID 712 wrote to memory of 784	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	9
PID 712 wrote to memory of 792	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	14
PID 712 wrote to memory of 1016	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	10
PID 712 wrote to memory of 2524	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	43
PID 712 wrote to memory of 2536	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	59
PID 712 wrote to memory of 2636	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	57
PID 712 wrote to memory of 740	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	54
PID 712 wrote to memory of 3100	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	53
PID 712 wrote to memory of 3304	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	52
PID 712 wrote to memory of 3396	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	49
PID 712 wrote to memory of 3460	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	50
PID 712 wrote to memory of 3548	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	51
PID 712 wrote to memory of 3700	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	60
PID 712 wrote to memory of 4540	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	63
PID 712 wrote to memory of 4320	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	78
PID 712 wrote to memory of 376	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	75
PID 712 wrote to memory of 2752	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	76
PID 712 wrote to memory of 4172	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	86
PID 712 wrote to memory of 4172	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	86
PID 712 wrote to memory of 3532	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	87
PID 712 wrote to memory of 784	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	9
PID 712 wrote to memory of 792	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	14
PID 712 wrote to memory of 1016	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	10
PID 712 wrote to memory of 2524	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	43
PID 712 wrote to memory of 2536	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	59
PID 712 wrote to memory of 2636	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	57
PID 712 wrote to memory of 740	712	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe	54

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:784

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:1016

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:792

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2524

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3396

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3460

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3548

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3100

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:740
- C:\Users\Admin\AppData\Local\Temp\c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe
  "C:\Users\Admin\AppData\Local\Temp\c4916e4e8c3618bf1ca62a5f00bd2f1ad6ac65b0fb3166ff683c447b527a0bae.exe"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Disables RegEdit via registry modification
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C AT /delete /yes
    3⤵
    PID:4172
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3532
  - - C:\Windows\SysWOW64\at.exe
      AT /delete /yes
      4⤵
      PID:4348
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    PID:4192
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    PID:4564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\chrome.exe
    3⤵
    PID:1848
  - - C:\Windows\SysWOW64\at.exe
      AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\chrome.exe
      4⤵
      PID:2216
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    PID:3116
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    PID:3052
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    PID:1140
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    PID:2668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C cacls "C:\system volume information" /e /g "Admin":f
    3⤵
    PID:1084
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1620
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\system volume information" /e /g "Admin":f
      4⤵
      PID:2312
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    PID:4712
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    PID:4596
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    PID:1656
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    PID:3880
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    PID:3412
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    PID:1536
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    PID:4692
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    PID:1776
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    PID:3652
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    PID:3532

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2536

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3700

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4540

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:376

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2752

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:4320

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:3144

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/712-132-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/712-133-0x00000000036D0000-0x00000000046FA000-memory.dmp

Filesize
16.2MB

Download
memory/712-134-0x00000000036D0000-0x00000000046FA000-memory.dmp

Filesize
16.2MB

Download
memory/712-135-0x00000000036D0000-0x00000000046FA000-memory.dmp

Filesize
16.2MB

Download
memory/1140-149-0x00000000010B0000-0x00000000010C4000-memory.dmp

Filesize
80KB

Download
memory/1536-164-0x0000000000620000-0x0000000000634000-memory.dmp

Filesize
80KB

Download
memory/1656-158-0x0000000000900000-0x0000000000914000-memory.dmp

Filesize
80KB

Download
memory/1776-170-0x0000000000620000-0x0000000000634000-memory.dmp

Filesize
80KB

Download
memory/2668-152-0x0000000000E60000-0x0000000000E74000-memory.dmp

Filesize
80KB

Download
memory/3012-168-0x0000000000480000-0x0000000000494000-memory.dmp

Filesize
80KB

Download
memory/3052-147-0x0000000000490000-0x00000000004A4000-memory.dmp

Filesize
80KB

Download
memory/3116-145-0x0000000000860000-0x0000000000874000-memory.dmp

Filesize
80KB

Download
memory/3412-162-0x0000000000DB0000-0x0000000000DC4000-memory.dmp

Filesize
80KB

Download
memory/3532-174-0x0000000000A70000-0x0000000000A84000-memory.dmp

Filesize
80KB

Download
memory/3652-172-0x0000000001040000-0x0000000001054000-memory.dmp

Filesize
80KB

Download
memory/3880-160-0x0000000001220000-0x0000000001234000-memory.dmp

Filesize
80KB

Download
memory/4192-139-0x0000000001030000-0x0000000001044000-memory.dmp

Filesize
80KB

Download
memory/4564-141-0x00000000006B0000-0x00000000006C4000-memory.dmp

Filesize
80KB

Download
memory/4692-166-0x0000000000A20000-0x0000000000A34000-memory.dmp

Filesize
80KB

Download
memory/4712-154-0x00000000004B0000-0x00000000004C4000-memory.dmp

Filesize
80KB

Download