Analysis

max time kernel: 126s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/09/2024, 09:32
Behavioral task behavioral1
Sample: 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Resource: win7-20240903-en

Behavioral task behavioral2
Sample: 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Resource: win10v2004-20240802-en
Errors

General

Target: 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Size: 1.1MB
MD5: fb684a3f9bbd6b74e432a7ce5fba272b
SHA1: 401906ba1767b901c4dfbeca1b786aceece5372a
SHA256: 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87
SHA512: 2ba198fb88822d02b9586b847df42f82a58894c3a058bfc0de1b603da52470ec95cd8d37a34e8634bc225d0913891fec9bc498c49a314639768f10044b9192a2
SSDEEP: 24576:5j8B3KleK6hPJ06jLEVPeTUlDKqVoNkU2uGp7mDYqwQeQFAtVqK0rU:Nw3KLAPJrjQeADK6oNGuqCvkQitEY
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Modifies security service 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious access to, or copy of, the web browser credential store.
Drops file in Drivers directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\drivers\etc\hosts | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
resource | yara_rule
behavioral2/memory/3208-0-0x0000000000F10000-0x0000000001166000-memory.dmp | upx
behavioral2/memory/3208-40-0x0000000000F10000-0x0000000001166000-memory.dmp | upx
behavioral2/memory/3208-58-0x0000000000F10000-0x0000000001166000-memory.dmp | upx
behavioral2/memory/3208-59-0x0000000000F10000-0x0000000001166000-memory.dmp | upx
behavioral2/memory/3208-61-0x0000000000F10000-0x0000000001166000-memory.dmp | upx
behavioral2/memory/3208-64-0x0000000000F10000-0x0000000001166000-memory.dmp | upx
behavioral2/memory/3208-68-0x0000000000F10000-0x0000000001166000-memory.dmp | upx
behavioral2/memory/3208-88-0x0000000000F10000-0x0000000001166000-memory.dmp | upx
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Zdel2023 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe /desktop2" | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Drops desktop.ini file(s) 2 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\g: | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened (read-only) | \??\n: | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened (read-only) | \??\o: | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened (read-only) | \??\q: | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened (read-only) | \??\v: | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened (read-only) | \??\x: | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened (read-only) | \??\u: | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened (read-only) | \??\y: | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened (read-only) | \??\a: | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened (read-only) | \??\e: | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened (read-only) | \??\i: | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened (read-only) | \??\j: | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened (read-only) | \??\l: | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened (read-only) | \??\m: | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened (read-only) | \??\b: | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened (read-only) | \??\t: | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened (read-only) | \??\z: | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened (read-only) | \??\h: | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened (read-only) | \??\k: | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened (read-only) | \??\p: | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened (read-only) | \??\r: | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened (read-only) | \??\s: | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened (read-only) | \??\w: | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Indicator Removal: Clear Persistence 1 TTPs 9 IoCs
Clears artifacts associated with previously established persistence, such as scheduled tasks, on a host.
pid | Process
2096 | cmd.exe
4100 | cmd.exe
1636 | cmd.exe
2700 | cmd.exe
736 | cmd.exe
3944 | cmd.exe
2092 | cmd.exe
3056 | cmd.exe
208 | cmd.exe
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
AutoIT Executable 7 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/3208-40-0x0000000000F10000-0x0000000001166000-memory.dmp | autoit_exe
behavioral2/memory/3208-58-0x0000000000F10000-0x0000000001166000-memory.dmp | autoit_exe
behavioral2/memory/3208-59-0x0000000000F10000-0x0000000001166000-memory.dmp | autoit_exe
behavioral2/memory/3208-61-0x0000000000F10000-0x0000000001166000-memory.dmp | autoit_exe
behavioral2/memory/3208-64-0x0000000000F10000-0x0000000001166000-memory.dmp | autoit_exe
behavioral2/memory/3208-68-0x0000000000F10000-0x0000000001166000-memory.dmp | autoit_exe
behavioral2/memory/3208-88-0x0000000000F10000-0x0000000001166000-memory.dmp | autoit_exe
Drops file in System32 directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\bdpic.ico | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened for modification | C:\Windows\SysWOW64\Qdpd2881.dll | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened for modification | C:\Windows\SysWOW64\LeaveExit.log | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File created | C:\Windows\SysWOW64\bdpic.ico | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Drops file in Program Files directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Google\Update | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened for modification | C:\Program Files\Google | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened for modification | C:\Program Files\Google\Chrome | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened for modification | C:\Program Files (x86)\Google | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
File opened for modification | C:\Program Files (x86)\Google\Temp | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
System Location Discovery: System Language Discovery 1 TTPs 39 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ctfmon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regedit.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regedit.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://u.ub9.cn" | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://u.ub9.cn" | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\LinksBandEnabled = "1" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://u.ub9.cn" | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\First Home Page = "http://u.ub9.cn" | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Key created | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Main | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\LinksBandEnabled = "1" | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Key created | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\MINIE | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://u.ub9.cn" | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url1 = "http://u.ub9.cn" | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Key created | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\MINIE | regedit.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\First Home Page = "http://u.ub9.cn" | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Key created | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\TypedURLs | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Modifies Internet Explorer start page 1 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://u.ub9.cn" | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://u.ub9.cn" | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Modifies data under HKEY_USERS 22 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Internet Explorer | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Main\Start Page = "http://u.ub9.cn" | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "242" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Main | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
Modifies registry class 7 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shell\{E82A1BA7-3493-47e1-A673-9277E8695AFA} | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shell\{E82A1BA7-3493-47e1-A673-9277E8695AFA}\ = "百度一下(&B)" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shell\{E82A1BA7-3493-47e1-A673-9277E8695AFA}\icon = "C:\\Windows\\SysWow64\\bdpic.ico" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shell\{E82A1BA7-3493-47e1-A673-9277E8695AFA}\command | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shell\{E82A1BA7-3493-47e1-A673-9277E8695AFA}\command\ = "explorer.exe http://bd.dh021.com" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Key created | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
NTFS ADS 1 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:{impersonationLevel=impersonate}!\root\cimv2 | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Runs .reg file with regedit 2 IoCs
pid | Process
412 | regedit.exe
1956 | regedit.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
3208 | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
3208 | 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 58 IoCs
pid Process
3208 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe (58 events, all from this one process)
Suspicious use of SendNotifyMessage 57 IoCs
pid Process
3208 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe (57 events, all from this one process)
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process
1568 LogonUI.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 3208 wrote to memory of 4500   3208 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe   86   (3 events)
PID 3208 wrote to memory of 3220   3208 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe   88   (3 events)
PID 4500 wrote to memory of 2056   4500 cmd.exe   90   (3 events)
PID 4500 wrote to memory of 4732   4500 cmd.exe   91   (3 events)
PID 3220 wrote to memory of 1956   3220 cmd.exe   92   (3 events)
PID 3208 wrote to memory of 3228   3208 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe   93   (3 events)
PID 3208 wrote to memory of 5100   3208 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe   94   (3 events)
PID 3208 wrote to memory of 2300   3208 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe   95   (3 events)
PID 3208 wrote to memory of 3284   3208 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe   96   (3 events)
PID 3208 wrote to memory of 3856   3208 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe   97   (3 events)
PID 3208 wrote to memory of 3252   3208 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe   98   (3 events)
PID 3208 wrote to memory of 4660   3208 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe   109  (3 events)
PID 3208 wrote to memory of 4356   3208 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe   115  (3 events)
PID 4356 wrote to memory of 412    4356 cmd.exe   117  (3 events)
PID 3208 wrote to memory of 5048   3208 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe   118  (3 events)
PID 3208 wrote to memory of 1064   3208 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe   120  (3 events)
PID 3208 wrote to memory of 4052   3208 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe   125  (3 events)
PID 3208 wrote to memory of 2060   3208 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe   127  (3 events)
PID 3208 wrote to memory of 4988   3208 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe   129  (3 events)
PID 3208 wrote to memory of 736    3208 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe   131  (3 events)
PID 3208 wrote to memory of 208    3208 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe   132  (3 events)
PID 3208 wrote to memory of 2700   3208 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe   133  (1 event shown; the 64-IoC list ends here)
System policy modification 1 TTPs 3 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
Processes
1⤵ C:\Users\Admin\AppData\Local\Temp\153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe
   cmdline: "C:\Users\Admin\AppData\Local\Temp\153441593965f380c830ea303ab0ed5848e80e9b8a04b2d0a43c295cc49fbf87.exe"
   - Modifies WinLogon for persistence
   - Modifies security service
   - UAC bypass
   - Drops file in Drivers directory
   - Checks computer location settings
   - Adds Run key to start application
   - Checks whether UAC is enabled
   - Drops desktop.ini file(s)
   - Enumerates connected drives
   - Drops file in System32 directory
   - Drops file in Program Files directory
   - System Location Discovery: System Language Discovery
   - Modifies Internet Explorer settings
   - Modifies Internet Explorer start page
   - Modifies data under HKEY_USERS
   - Modifies registry class
   - NTFS ADS
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   - System policy modification
   PID:3208
   2⤵ C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c (echo interface set interface "WLAN" enabled && echo interface set interface "±¾µØÍøÂç" enabled && echo interface set interface "±¾µØÍøÂç 2" enabled && echo interface set interface "ÒÔÌ«Íø" enabled ) | netsh
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:4500
      3⤵ C:\Windows\SysWOW64\cmd.exe
         cmdline: C:\Windows\system32\cmd.exe /S /D /c" ( echo interface set interface "WLAN" enabled && echo interface set interface "±¾µØÍøÂç" enabled && echo interface set interface "±¾µØÍøÂç 2" enabled && echo interface set interface "ÒÔÌ«Íø" enabled )"
         - System Location Discovery: System Language Discovery
         PID:2056
      3⤵ C:\Windows\SysWOW64\netsh.exe
         cmdline: netsh
         - Event Triggered Execution: Netsh Helper DLL
         - System Location Discovery: System Language Discovery
         PID:4732
   2⤵ C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c regedit /s C:\Users\Admin\AppData\Local\Temp\baidu.reg
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:3220
      3⤵ C:\Windows\SysWOW64\regedit.exe
         cmdline: regedit /s C:\Users\Admin\AppData\Local\Temp\baidu.reg
         - System Location Discovery: System Language Discovery
         - Modifies registry class
         - Runs .reg file with regedit
         PID:1956
   2⤵ C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c rd /s /q "%programfiles%\SysCeo";"%programfiles(x86)%\SysCeo"
      - System Location Discovery: System Language Discovery
      PID:3228
   2⤵ C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c del /s /q /f "%systemroot%\Help\dcold.exe"
      - System Location Discovery: System Language Discovery
      PID:5100
   2⤵ C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c del /s /q /f "%userprofile%\Desktop\Çý¶¯×ܲÃ.lnk";"%homedrive%\Users\Public\Desktop\Çý¶¯×ܲÃ.lnk"
      - System Location Discovery: System Language Discovery
      PID:2300
   2⤵ C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c del /s /q /f "%homedrive%\ProgramData\Microsoft\Windows\Start Menu\Çý¶¯ÏÂÔØ.lnk"
      - System Location Discovery: System Language Discovery
      PID:3284
   2⤵ C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c rd /s /q "%homedrive%\ProgramData\Microsoft\Windows\Start Menu\Programs\Çý¶¯×ܲÃ"
      - System Location Discovery: System Language Discovery
      PID:3856
   2⤵ C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c rd /s /q "%homedrive%\ProgramData\Microsoft\Windows\Start Menu\Programs\Çý¶¯×ܲÃ2.0"
      - System Location Discovery: System Language Discovery
      PID:3252
   2⤵ C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c DEL /S /Q /F C:\DDF.sys
      - System Location Discovery: System Language Discovery
      PID:4660
   2⤵ C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c regedit /s C:\Users\Admin\AppData\Local\Temp\Windows10_YH.REG
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:4356
      3⤵ C:\Windows\SysWOW64\regedit.exe
         cmdline: regedit /s C:\Users\Admin\AppData\Local\Temp\Windows10_YH.REG
         - System Location Discovery: System Language Discovery
         - Modifies Internet Explorer settings
         - Runs .reg file with regedit
         PID:412
   2⤵ C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c DEL /S /Q /F C:\Windows\Temp\officeclicktorun.exe_streamserver(20240802134952A2C).log
      - System Location Discovery: System Language Discovery
      PID:5048
   2⤵ C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c DEL /S /Q /F C:\Windows\Temp\ZEUYFSYD-20240802-1349.log
      - System Location Discovery: System Language Discovery
      PID:1064
   2⤵ C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c DEL /S /Q /F C:\Users\Admin\AppData\Local\Temp\twqNQzJK\
      - System Location Discovery: System Language Discovery
      PID:4052
   2⤵ C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c DEL /S /Q /F C:\Users\Admin\AppData\Local\Temp\twqNQzJK\
      - System Location Discovery: System Language Discovery
      PID:2060
   2⤵ C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c DEL /S /Q /F C:\Users\Admin\AppData\Local\Temp\twqNQzJK\
      - System Location Discovery: System Language Discovery
      PID:4988
   2⤵ C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c schtasks /delete /tn "Upgrade 2345Explorer Task" /f
      - Indicator Removal: Clear Persistence
      - System Location Discovery: System Language Discovery
      PID:736
      3⤵ C:\Windows\SysWOW64\schtasks.exe
         cmdline: schtasks /delete /tn "Upgrade 2345Explorer Task" /f
         - System Location Discovery: System Language Discovery
         PID:3900
   2⤵ C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c schtasks /delete /tn "Execute 2345Pinyin MiniPage Task" /f
      - Indicator Removal: Clear Persistence
      - System Location Discovery: System Language Discovery
      PID:208
      3⤵ C:\Windows\SysWOW64\schtasks.exe
         cmdline: schtasks /delete /tn "Execute 2345Pinyin MiniPage Task" /f
         - System Location Discovery: System Language Discovery
         PID:756
   2⤵ C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c schtasks /delete /tn "Pinyin_2345Upgrade Task" /f
      - Indicator Removal: Clear Persistence
      - System Location Discovery: System Language Discovery
      PID:2700
      3⤵ C:\Windows\SysWOW64\schtasks.exe
         cmdline: schtasks /delete /tn "Pinyin_2345Upgrade Task" /f
         - System Location Discovery: System Language Discovery
         PID:1388
   2⤵ C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c schtasks /delete /tn "KuGou Service Task Scheduler" /f
      - Indicator Removal: Clear Persistence
      - System Location Discovery: System Language Discovery
      PID:3056
      3⤵ C:\Windows\SysWOW64\schtasks.exe
         cmdline: schtasks /delete /tn "KuGou Service Task Scheduler" /f
         - System Location Discovery: System Language Discovery
         PID:2356
   2⤵ C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c schtasks /delete /tn "WpsUpdateTask_Administrator" /f
      - Indicator Removal: Clear Persistence
      - System Location Discovery: System Language Discovery
      PID:1636
      3⤵ C:\Windows\SysWOW64\schtasks.exe
         cmdline: schtasks /delete /tn "WpsUpdateTask_Administrator" /f
         - System Location Discovery: System Language Discovery
         PID:2292
   2⤵ C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c schtasks /delete /tn "Pic_2345Upgrade Task" /f
      - Indicator Removal: Clear Persistence
      - System Location Discovery: System Language Discovery
      PID:4100
      3⤵ C:\Windows\SysWOW64\schtasks.exe
         cmdline: schtasks /delete /tn "Pic_2345Upgrade Task" /f
         - System Location Discovery: System Language Discovery
         PID:1012
   2⤵ C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c schtasks /delete /tn "360ZipUpdater" /f
      - Indicator Removal: Clear Persistence
      - System Location Discovery: System Language Discovery
      PID:2092
      3⤵ C:\Windows\SysWOW64\schtasks.exe
         cmdline: schtasks /delete /tn "360ZipUpdater" /f
         - System Location Discovery: System Language Discovery
         PID:4360
   2⤵ C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c schtasks /delete /tn "QQBrowser Updater Task" /f
      - Indicator Removal: Clear Persistence
      - System Location Discovery: System Language Discovery
      PID:3944
      3⤵ C:\Windows\SysWOW64\schtasks.exe
         cmdline: schtasks /delete /tn "QQBrowser Updater Task" /f
         - System Location Discovery: System Language Discovery
         PID:5008
   2⤵ C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c schtasks /delete /tn "QQBrowser Updater Task(Core)" /f
      - Indicator Removal: Clear Persistence
      - System Location Discovery: System Language Discovery
      PID:2096
      3⤵ C:\Windows\SysWOW64\schtasks.exe
         cmdline: schtasks /delete /tn "QQBrowser Updater Task(Core)" /f
         - System Location Discovery: System Language Discovery
         PID:3728
   2⤵ C:\Windows\SysWOW64\ctfmon.exe
      cmdline: C:\Windows\SysWOW64\ctfmon.exe
      - System Location Discovery: System Language Discovery
      PID:2360
1⤵ C:\Windows\system32\LogonUI.exe
   cmdline: "LogonUI.exe" /flags:0x4 /state0:0xa396b055 /state1:0x41c64e6d
   - Modifies data under HKEY_USERS
   - Suspicious use of SetWindowsHookEx
   PID:1568
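The child command lines above are the most readable part of this report once one detail is fixed: the sample carries GBK-encoded Chinese strings, and the en-US sandbox rendered each byte as a Latin-1 character, which is why interface names come out as "±¾µØÍøÂç" (本地网络, "Local Network") and "ÒÔÌ«Íø" (以太网, "Ethernet") and the deleted shortcuts as "Çý¶¯×ܲÃ" (驱动总裁, literally "Driver CEO", matching the SysCeo program directory it removes). Read that way, the tree shows a cleanup routine aimed at other Chinese consumer software (2345, KuGou, WPS, 360Zip, QQBrowser scheduled tasks), two silent regedit imports (baidu.reg, Windows10_YH.REG) and re-enabling of network interfaces through netsh. The following is an added example, not code from the report or from Triage: the command lines are a representative subset reconstructed from the tree, and recode(), classify() and triage() are this editor's own helpers.

```python
"""Decode and classify the child command lines from the process tree above.

SAMPLE_COMMANDS is constructed for this example from the tree (a
representative subset, not live sandbox output). The sample embeds
GBK-encoded Chinese strings that the en-US sandbox rendered byte-for-byte
as Latin-1; recode() reverses that rendering. classify() reduces each
"cmd.exe /c ..." command to an action plus its targets and triage()
aggregates them into one summary of what the sample removes or changes.
"""
import re
from typing import Dict, List, Optional

SAMPLE_COMMANDS = [
    r'C:\Windows\system32\cmd.exe /c (echo interface set interface "WLAN" enabled && echo interface set interface "±¾µØÍøÂç" enabled && echo interface set interface "ÒÔÌ«Íø" enabled ) | netsh',
    r'C:\Windows\system32\cmd.exe /c regedit /s C:\Users\Admin\AppData\Local\Temp\baidu.reg',
    r'C:\Windows\system32\cmd.exe /c rd /s /q "%programfiles%\SysCeo";"%programfiles(x86)%\SysCeo"',
    r'C:\Windows\system32\cmd.exe /c del /s /q /f "%userprofile%\Desktop\Çý¶¯×ܲÃ.lnk";"%homedrive%\Users\Public\Desktop\Çý¶¯×ܲÃ.lnk"',
    r'C:\Windows\system32\cmd.exe /c DEL /S /Q /F C:\DDF.sys',
    r'C:\Windows\system32\cmd.exe /c schtasks /delete /tn "Upgrade 2345Explorer Task" /f',
    r'C:\Windows\system32\cmd.exe /c schtasks /delete /tn "360ZipUpdater" /f',
]


def recode(s: str, codec: str = "gbk") -> str:
    """Re-interpret Latin-1-rendered bytes as GBK; return s unchanged if it is not mojibake."""
    try:
        raw = s.encode("latin-1")
    except UnicodeEncodeError:
        return s                      # real non-Latin-1 text, nothing to undo
    if not any(b >= 0x80 for b in raw):
        return s                      # pure ASCII, decoding would be a no-op
    try:
        return raw.decode(codec)
    except UnicodeDecodeError:
        return s                      # high bytes that are not a valid GBK sequence


# Patterns for the command shapes that occur in this report.
_CMD_PREFIX = re.compile(r"^.*?cmd\.exe\s+/c\s+", re.IGNORECASE)
_TASK = re.compile(r'schtasks\s+/delete\s+/tn\s+"([^"]+)"', re.IGNORECASE)
_REG = re.compile(r"regedit\s+/s\s+(\S+)", re.IGNORECASE)
_IFACE = re.compile(r'interface set interface\s+"([^"]+)"\s+enabled', re.IGNORECASE)
_PIPE_NETSH = re.compile(r"\|\s*netsh\s*$", re.IGNORECASE)
_DEL = re.compile(r"^(?:del|rd)\s+((?:/[sqf]\s+)+)(.+)$", re.IGNORECASE)
_QUOTED = re.compile(r'"([^"]+)"')


def classify(cmdline: str) -> Optional[Dict[str, object]]:
    """Map one cmd.exe /c command line to {"action": ..., "targets": [...]} or None."""
    body = _CMD_PREFIX.sub("", recode(cmdline)).strip()
    m = _TASK.search(body)
    if m:
        return {"action": "scheduled_task_deleted", "targets": [m.group(1)]}
    m = _REG.search(body)
    if m:
        return {"action": "reg_file_imported", "targets": [m.group(1)]}
    names = _IFACE.findall(body)
    if names and _PIPE_NETSH.search(body):
        return {"action": "interfaces_enabled", "targets": names}
    m = _DEL.match(body)
    if m:
        rest = m.group(2)
        # "a";"b" style argument lists are quoted; a single unquoted path is not
        return {"action": "paths_deleted", "targets": _QUOTED.findall(rest) or rest.split()}
    return None


def triage(cmdlines: List[str]) -> Dict[str, List[str]]:
    """Aggregate classify() results; unrecognised commands are kept for manual review."""
    summary: Dict[str, List[str]] = {
        "scheduled_task_deleted": [], "reg_file_imported": [],
        "interfaces_enabled": [], "paths_deleted": [], "unclassified": [],
    }
    for cmd in cmdlines:
        rec = classify(cmd)
        if rec is None:
            summary["unclassified"].append(cmd)
        else:
            summary[rec["action"]].extend(rec["targets"])  # type: ignore[arg-type]
    return summary


if __name__ == "__main__":
    for action, targets in triage(SAMPLE_COMMANDS).items():
        for t in targets:
            print(f"{action:24} {t}")
```

recode() is deliberately conservative: it only rewrites a string when every character fits in Latin-1, at least one byte is above 0x7F and the result is valid GBK, so ASCII command lines and genuinely non-Chinese text pass through untouched. The same trick applies to any report produced on an en-US VM for a sample built with a Chinese code page; for Big5 samples pass codec="big5".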
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution 2
    Registry Run Keys / Startup Folder 1
    Winlogon Helper DLL 1
  Create or Modify System Process 1
    Windows Service 1
  Event Triggered Execution 1
    Netsh Helper DLL 1
Privilege Escalation
  Abuse Elevation Control Mechanism 1
    Bypass User Account Control 1
  Boot or Logon Autostart Execution 2
    Registry Run Keys / Startup Folder 1
    Winlogon Helper DLL 1
  Create or Modify System Process 1
    Windows Service 1
  Event Triggered Execution 1
    Netsh Helper DLL 1
Defense Evasion
  Abuse Elevation Control Mechanism 1
    Bypass User Account Control 1
  Impair Defenses 1
    Disable or Modify Tools 1
  Indicator Removal 2
    Clear Persistence 1
    File Deletion 1
  Modify Registry 7
Credential Access
  Credentials from Password Stores 1
    Credentials from Web Browsers 1
  Unsecured Credentials 1
    Credentials In Files 1
Downloads
-
Filesize 74KB
MD5 39216a24e615a402304bfa1a77c6dffd
SHA1 71394af3279365d748d406671a825c8cced2eb60
SHA256 acd117ae727666402e8fdfb29aec89abbd8341435bbea0f860d4210d52c50ef1
SHA512 b8a71ded49ddfa2eaf1cf5d8d61125092f6ad94f09eaa89091fa81cd966018f31b8b399feaea401caf2e93998d8f8376038637171e34dafcaae07a64f8da1c7f
-
Filesize 5KB
MD5 642733a7bd04b267df22f128f54c6ed3
SHA1 2dc5d38b0155092c5883cee66884eb10adc4a5f3
SHA256 fa8dc47742ee0190c8c7f2cc35f92793b3f142e5994f58d08610b51e2184c611
SHA512 32efccc39b7f822ae30e7dcc47ce6b5391002caa503328a46aecf32dc8fd050acb18414d4aa76198ef40531315f3b56fa10b8e6b7176f26ef4b3e1ba55a64c30
-
Filesize 1KB
MD5 1130b796c24a344261b55cf5ab93bda2
SHA1 d4f88039a9c4efb8631ad5e919aa8ff4ee3f00fd
SHA256 d80c58afddec1995ae8f2635984aef568b6de1ee98ef74d7371c9687a82d3747
SHA512 786ad731d3b332e4baba427e1adc001e6d1dd504659f3577c391ece1a092ee40f073f8885dd28a9d87fc73c77a7810e99c2d6dc5609c48ce64643b60b11153d5
-
Filesize 19KB
MD5 f40d147c8a0028b0b6eb9ef26dd56a5e
SHA1 a51a802b98bccb11e62d8dfd3ba8894342de1abf
SHA256 760f22e3a1fa0b52a91a8a2b1a3b1c3c88a6cf3f52ac27f21f5f8abdd01c9ffa
SHA512 b28149cdb19cb675499c65b214abb13d4a4d72369707617e360e3cafddfe7dd87aedd4aec7122b9ca4b92d1e448aa19d877053461e8c5355db4fb63c70073ab5
-
Filesize 752B
MD5 f4a0f95f1785a0f1b2f83d04abd37e4a
SHA1 794ef0460cc1f55cbde0bb74c74b991eee153cbb
SHA256 f18ada26b94f662da2e3a9b800a851d86e9450d25cdcc2e8ea84565c803b59fa
SHA512 e1f5e3f4b3fd1af418624047b530a4eedfa42011b3788fa7d7d305f3b1484caabcfedfbcb66972eec16e1e4786b6eb2ac0f8382562a70aa12dd3d4dc16250aa7