Analysis

max time kernel: 124s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/08/2023, 01:59

Static task: static1
Behavioral task: behavioral1
Sample: 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
Resource: win7-20230712-en
General

Target: 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
Size: 2.4MB
MD5: 611f20578e4592cce15f3e67919e90df
SHA1: 0015e9fb936dd9100ad5ee5921b4d099e9020545
SHA256: 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3
SHA512: 91aaaa5263f569cad85664b2f16f44bf3629677a033c986397cc03bb2a76a91694ef8ff21631ead8568e75bc6cc9784c2402ba1dbb8ad491065ca01196840797
SSDEEP: 49152:zdCCMb0bljXPznMoH44/g51p7KieVcOxaRjDROOs:zUK5Px44/aKieJIRY
Malware Config

Extracted: sality
  http://89.119.67.154/testo5/
  http://kukutrustnet777.info/home.gif
  http://kukutrustnet888.info/home.gif
  http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
resource | yara_rule
(yara rule upx matched in the behavioral2 memory dumps of pid 3000; the per-snapshot list of dump names is omitted)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
Enumerates connected drives (3 TTPs, 19 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\I: | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
File opened (read-only) | \??\U: | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
File opened (read-only) | \??\W: | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
File opened (read-only) | \??\Y: | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
File opened (read-only) | \??\G: | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
File opened (read-only) | \??\J: | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
File opened (read-only) | \??\M: | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
File opened (read-only) | \??\N: | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
File opened (read-only) | \??\P: | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
File opened (read-only) | \??\X: | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
File opened (read-only) | \??\Z: | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
File opened (read-only) | \??\E: | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
File opened (read-only) | \??\H: | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
File opened (read-only) | \??\L: | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
File opened (read-only) | \??\Q: | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
File opened (read-only) | \??\V: | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
File opened (read-only) | \??\K: | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
File opened (read-only) | \??\R: | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
File opened (read-only) | \??\S: | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
Drops autorun.inf file (1 TTPs, 2 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
File opened for modification | F:\autorun.inf | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
Drops file in Program Files directory (11 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7zG.exe | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
File created | C:\Windows\e579172 | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
Key created | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe = "0" | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
Key created | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS\4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe = "1" | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE\4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe = "0" | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
Key created | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_STATUS_BAR_THROTTLING | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
Key created | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_STATUS_BAR_THROTTLING\4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe = "1" | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
Key created | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
Key created | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS\4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe = "1" | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
Key created | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
Key created | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
Key created | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
Key created | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SPELLCHECKING | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT\4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe = "0" | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI\4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe = "0" | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe = "1" | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM\4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe = "0" | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
Key created | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET\4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe = "1" | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe = "0" | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
Key created | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SPELLCHECKING\4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe = "0" | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL\4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe = "1" | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe = "11000" | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
Key created | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT\4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe = "0" | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
Key created | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
Suspicious behavior: EnumeratesProcesses (30 IoCs)
pid | Process
3000 | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
(all 30 rows are identical; repeats omitted)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3000 | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
(all 64 rows are identical; repeats omitted)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 3000 wrote to memory of 816 | 3000 | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe | 17
PID 3000 wrote to memory of 824 | 3000 | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe | 16
PID 3000 wrote to memory of 380 | 3000 | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe | 9
PID 3000 wrote to memory of 2680 | 3000 | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe | 49
PID 3000 wrote to memory of 2756 | 3000 | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe | 50
PID 3000 wrote to memory of 2964 | 3000 | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe | 52
PID 3000 wrote to memory of 3188 | 3000 | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe | 79
PID 3000 wrote to memory of 3300 | 3000 | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe | 78
PID 3000 wrote to memory of 3536 | 3000 | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe | 77
PID 3000 wrote to memory of 3692 | 3000 | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe | 76
PID 3000 wrote to memory of 3756 | 3000 | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe | 75
PID 3000 wrote to memory of 3904 | 3000 | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe | 74
PID 3000 wrote to memory of 3648 | 3000 | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe | 54
PID 3000 wrote to memory of 5108 | 3000 | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe | 72
PID 3000 wrote to memory of 3876 | 3000 | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe | 65
(the remaining rows repeat this same set of 15 target PIDs; repeats omitted)
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
Processes
- C:\Windows\system32\dwm.exe
  Command line: "dwm.exe"
  PID: 380
- C:\Windows\system32\fontdrvhost.exe
  Command line: "fontdrvhost.exe"
  PID: 824
- C:\Windows\system32\fontdrvhost.exe
  Command line: "fontdrvhost.exe"
  PID: 816
- C:\Windows\system32\sihost.exe
  Command line: sihost.exe
  PID: 2680
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 2756
- C:\Windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 2964
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3648
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  PID: 3876
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 5108
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 3904
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3756
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 3692
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3536
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID: 3300
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3188
  - C:\Users\Admin\AppData\Local\Temp\4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe"
    Signatures:
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Enumerates connected drives
    - Writes to the Master Boot Record (MBR)
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID: 3000
-
Network
MITRE ATT&CK Enterprise v15
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Pre-OS Boot (1): Bootkit (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (3): Disable or Modify Tools (3)
- Modify Registry (6)
- Pre-OS Boot (1): Bootkit (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\0E57CEE9_Rar\4137132f1609f11be0270963000169b5448177cdc78de41a8e5d2bb2b1dfb4a3.exe
  Filesize: 2.3MB
  MD5: a7de6345d3efe5348a8673d43f7bb6d1
  SHA1: 977541ed79abb51ac6113cad643d85cfd5650175
  SHA256: 40fb53f4b16f3b9fce2923eb5c3d22b4b094e4411551f4e5aea7f3096a5bf3f8
  SHA512: 3b59019f726336ed71f402738b58881e8c104e6c1fab12dfd7b8e342d3316cce9c86dced414ce9c22cbb8437a906cb1204486b6c69780bdd82897633c10a7c76
-
  Filesize: 97KB
  MD5: 94938a01b3dd75143e9bf2aa2261d4ca
  SHA1: 46b90d16277258b5141d2cd97511ecb785dc18d0
  SHA256: 263eb7ce78fb95abdf8e20bf26d3bae7fd5eeb6295efd4c032ef164c3a56999a
  SHA512: e20c40b3ae54051b4f434cf307b61f0d68ae4537af604e1405bcd598342512f836003bfdaec4b60673c639c3c2ef1de1c290491d09dc00fc25846c6c973b78d0