Analysis
max time kernel: 20s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 06/12/2024, 12:36
Static task: static1
Behavioral task: behavioral1
Sample: c4ea8403fcc39e0b5917c9ecd928ec57e8fa422825df3bf399d3539bdf94343f.exe
Resource: win7-20240708-en
General
Target: c4ea8403fcc39e0b5917c9ecd928ec57e8fa422825df3bf399d3539bdf94343f.exe
Size: 248KB
MD5: f9f5290e97798bc904c365374f50f9f4
SHA1: bcdbf537e009e2004172bcd32888a3a90072ff36
SHA256: c4ea8403fcc39e0b5917c9ecd928ec57e8fa422825df3bf399d3539bdf94343f
SHA512: 84aa80ce030140be1d20ccf7960c01f10191259f43e2e18e1b45c2685fe2ca19e4fa8193875a25eacdf550d4c304e338326906133f0aee39dbd19b98f0ed04d4
SSDEEP: 3072:rmsDm4U1esoRoNRkLUzQwF9qhnfNc5MOt8MaqHE8KXzOKSNzV9brTzTnxIH38MQL:rmgm4KoRIRkGQ4sxMMlMJ5tWHsLZOzo3
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 3 TTPs 6 IoCs
Process (all rows): c4ea8403fcc39e0b5917c9ecd928ec57e8fa422825df3bf399d3539bdf94343f.exe
description | ioc
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
Sality family

Process (all rows): c4ea8403fcc39e0b5917c9ecd928ec57e8fa422825df3bf399d3539bdf94343f.exe
description | ioc
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Process (all rows): c4ea8403fcc39e0b5917c9ecd928ec57e8fa422825df3bf399d3539bdf94343f.exe
description | ioc
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\FirewallDisableNotify = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\UpdatesDisableNotify = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\UacDisableNotify = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\AntiVirusOverride = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\AntiVirusDisableNotify = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\FirewallOverride = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Process (all rows): c4ea8403fcc39e0b5917c9ecd928ec57e8fa422825df3bf399d3539bdf94343f.exe
description | ioc
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\AntiVirusDisableNotify = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\FirewallDisableNotify = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\UpdatesDisableNotify = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\AntiVirusOverride = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\FirewallOverride = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\UacDisableNotify = "1"
Adds Run key to start application 2 TTPs 1 IoCs
Process (all rows): c4ea8403fcc39e0b5917c9ecd928ec57e8fa422825df3bf399d3539bdf94343f.exe
description | ioc
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FTSafeNetRockey4NDService = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c4ea8403fcc39e0b5917c9ecd928ec57e8fa422825df3bf399d3539bdf94343f.exe -systray"
Process (all rows): c4ea8403fcc39e0b5917c9ecd928ec57e8fa422825df3bf399d3539bdf94343f.exe
description | ioc
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Enumerates connected drives 3 TTPs 5 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Process (all rows): c4ea8403fcc39e0b5917c9ecd928ec57e8fa422825df3bf399d3539bdf94343f.exe
description | ioc
File opened (read-only) | \??\E:
File opened (read-only) | \??\E:
File opened (read-only) | \??\G:
File opened (read-only) | \??\H:
File opened (read-only) | \??\G:
resource | yara_rule
behavioral2/memory/244-5-0x00000000023A0000-0x000000000345A000-memory.dmp | upx
behavioral2/memory/244-3-0x00000000023A0000-0x000000000345A000-memory.dmp | upx
behavioral2/memory/244-7-0x00000000023A0000-0x000000000345A000-memory.dmp | upx
behavioral2/memory/244-20-0x00000000023A0000-0x000000000345A000-memory.dmp | upx
behavioral2/memory/244-8-0x00000000023A0000-0x000000000345A000-memory.dmp | upx
behavioral2/memory/244-23-0x00000000023A0000-0x000000000345A000-memory.dmp | upx
behavioral2/memory/244-24-0x00000000023A0000-0x000000000345A000-memory.dmp | upx
behavioral2/memory/3616-28-0x0000000000F70000-0x000000000202A000-memory.dmp | upx
behavioral2/memory/3616-35-0x0000000000F70000-0x000000000202A000-memory.dmp | upx
behavioral2/memory/3616-46-0x0000000000F70000-0x000000000202A000-memory.dmp | upx
behavioral2/memory/3616-47-0x0000000000F70000-0x000000000202A000-memory.dmp | upx
behavioral2/memory/3616-39-0x0000000000F70000-0x000000000202A000-memory.dmp | upx
behavioral2/memory/3616-54-0x0000000000F70000-0x000000000202A000-memory.dmp | upx
behavioral2/memory/3616-59-0x0000000000F70000-0x000000000202A000-memory.dmp | upx
behavioral2/memory/244-61-0x00000000023A0000-0x000000000345A000-memory.dmp | upx
behavioral2/memory/244-62-0x00000000023A0000-0x000000000345A000-memory.dmp | upx
behavioral2/memory/3616-38-0x0000000000F70000-0x000000000202A000-memory.dmp | upx
behavioral2/memory/3616-29-0x0000000000F70000-0x000000000202A000-memory.dmp | upx
behavioral2/memory/3616-30-0x0000000000F70000-0x000000000202A000-memory.dmp | upx
behavioral2/memory/244-26-0x00000000023A0000-0x000000000345A000-memory.dmp | upx
behavioral2/memory/3616-25-0x0000000000F70000-0x000000000202A000-memory.dmp | upx
behavioral2/memory/244-6-0x00000000023A0000-0x000000000345A000-memory.dmp | upx
behavioral2/memory/244-4-0x00000000023A0000-0x000000000345A000-memory.dmp | upx
behavioral2/memory/3616-63-0x0000000000F70000-0x000000000202A000-memory.dmp | upx
behavioral2/memory/3616-64-0x0000000000F70000-0x000000000202A000-memory.dmp | upx
behavioral2/memory/244-65-0x00000000023A0000-0x000000000345A000-memory.dmp | upx
behavioral2/memory/3616-68-0x0000000000F70000-0x000000000202A000-memory.dmp | upx
behavioral2/memory/244-67-0x00000000023A0000-0x000000000345A000-memory.dmp | upx
behavioral2/memory/244-66-0x00000000023A0000-0x000000000345A000-memory.dmp | upx
behavioral2/memory/3616-73-0x0000000000F70000-0x000000000202A000-memory.dmp | upx
behavioral2/memory/3616-75-0x0000000000F70000-0x000000000202A000-memory.dmp | upx
behavioral2/memory/3616-80-0x0000000000F70000-0x000000000202A000-memory.dmp | upx
behavioral2/memory/244-79-0x00000000023A0000-0x000000000345A000-memory.dmp | upx
behavioral2/memory/244-82-0x00000000023A0000-0x000000000345A000-memory.dmp | upx
behavioral2/memory/244-84-0x00000000023A0000-0x000000000345A000-memory.dmp | upx
behavioral2/memory/3616-83-0x0000000000F70000-0x000000000202A000-memory.dmp | upx
behavioral2/memory/3616-86-0x0000000000F70000-0x000000000202A000-memory.dmp | upx
behavioral2/memory/244-95-0x00000000023A0000-0x000000000345A000-memory.dmp | upx
behavioral2/memory/244-93-0x00000000023A0000-0x000000000345A000-memory.dmp | upx
behavioral2/memory/3616-94-0x0000000000F70000-0x000000000202A000-memory.dmp | upx
behavioral2/memory/3616-98-0x0000000000F70000-0x000000000202A000-memory.dmp | upx
Drops file in Windows directory 3 IoCs
Process (all rows): c4ea8403fcc39e0b5917c9ecd928ec57e8fa422825df3bf399d3539bdf94343f.exe
description | ioc
File created | C:\Windows\e57a5c5
File opened for modification | C:\Windows\SYSTEM.INI
File created | C:\Windows\e57a827
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Process (all rows): c4ea8403fcc39e0b5917c9ecd928ec57e8fa422825df3bf399d3539bdf94343f.exe
description | ioc
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Modifies data under HKEY_USERS 64 IoCs
Process (all rows): c4ea8403fcc39e0b5917c9ecd928ec57e8fa422825df3bf399d3539bdf94343f.exe
description | ioc
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S2_143 = "445575221"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S2_153 = "1708162645"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S4_36 = "3686305708"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S2_80 = "1510734181"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S3_94 = "4154041939"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S2_96 = "2671864080"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S1_111 = "2505192331"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S2_142 = "3325792288"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S3_164 = "73814789"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S2_168 = "1454542817"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S3_65 = "1747633210"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S1_85 = "2487457714"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S3_170 = "4267326263"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S2_70 = "248150475"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S4_74 = "1612173822"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S4_93 = "2722591527"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S3_104 = "1088365457"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S2_117 = "2316814689"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S4_129 = "2113929939"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S3_39 = "3652317580"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S3_46 = "670656195"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S3_151 = "3156919772"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S3_47 = "2051935252"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S4_63 = "3229809517"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S3_64 = "366296809"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S4_142 = "3325791242"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S1_156 = "862563300"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S3_162 = "1572727983"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S1_24 = "3418622841"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S3_41 = "2153391202"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S1_42 = "1051096100"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S2_48 = "3483413521"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S2_50 = "2017947426"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S2_53 = "1967220635"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S4_61 = "400312519"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S3_67 = "282266256"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S4_28 = "958252308"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S2_29 = "2372997084"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S3_174 = "1369824323"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S2_184 = "2615681118"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S1_79 = "2033472472"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S4_89 = "1358564827"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S3_40 = "738631377"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S3_149 = "360814438"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S1_158 = "2417029768"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S3_172 = "2835573229"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S4_10 = "1262583102"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S1_29 = "506903049"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S1_131 = "927122742"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S4_183 = "1200937557"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S2_49 = "603196365"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S3_88 = "4255506081"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S4_96 = "2671869728"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S3_129 = "2130929914"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S3_153 = "1691551922"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S3_26 = "2440329287"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S4_41 = "2170113611"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S2_119 = "851352016"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S3_143 = "462262132"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S2_169 = "2869290619"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S3_184 = "2599115137"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S4_84 = "2874756924"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S4_85 = "4289505423"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Qvoogn\S3_130 = "3545249295"
Suspicious behavior: EnumeratesProcesses 8 IoCs
Process (all rows): c4ea8403fcc39e0b5917c9ecd928ec57e8fa422825df3bf399d3539bdf94343f.exe
pid
244
244
3616
3616
244
244
3616
3616
Suspicious use of AdjustPrivilegeToken 64 IoCs
Process (all rows): c4ea8403fcc39e0b5917c9ecd928ec57e8fa422825df3bf399d3539bdf94343f.exe
description | pid
Token: SeDebugPrivilege | 244 (this row is repeated for all 64 IoCs)
Suspicious use of FindShellTrayWindow 4 IoCs
Process (all rows): c4ea8403fcc39e0b5917c9ecd928ec57e8fa422825df3bf399d3539bdf94343f.exe
pid
244
244
244
244
Suspicious use of SendNotifyMessage 4 IoCs
pid Process
244 c4ea8403fcc39e0b5917c9ecd928ec57e8fa422825df3bf399d3539bdf94343f.exe
244 c4ea8403fcc39e0b5917c9ecd928ec57e8fa422825df3bf399d3539bdf94343f.exe
244 c4ea8403fcc39e0b5917c9ecd928ec57e8fa422825df3bf399d3539bdf94343f.exe
244 c4ea8403fcc39e0b5917c9ecd928ec57e8fa422825df3bf399d3539bdf94343f.exe
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 2 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" c4ea8403fcc39e0b5917c9ecd928ec57e8fa422825df3bf399d3539bdf94343f.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" c4ea8403fcc39e0b5917c9ecd928ec57e8fa422825df3bf399d3539bdf94343f.exe
Processes
- C:\Windows\system32\fontdrvhost.exe
  Command line: "fontdrvhost.exe"
  PID: 772 (level 1)
- C:\Windows\system32\fontdrvhost.exe
  Command line: "fontdrvhost.exe"
  PID: 780 (level 1)
- C:\Windows\system32\dwm.exe
  Command line: "dwm.exe"
  PID: 392 (level 1)
- C:\Windows\system32\sihost.exe
  Command line: sihost.exe
  PID: 2672 (level 1)
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 2696 (level 1)
- C:\Windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 2980 (level 1)
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3356 (level 1)
  - C:\Users\Admin\AppData\Local\Temp\c4ea8403fcc39e0b5917c9ecd928ec57e8fa422825df3bf399d3539bdf94343f.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c4ea8403fcc39e0b5917c9ecd928ec57e8fa422825df3bf399d3539bdf94343f.exe"
    PID: 244 (level 2)
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Users\Admin\AppData\Local\Temp\c4ea8403fcc39e0b5917c9ecd928ec57e8fa422825df3bf399d3539bdf94343f.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\c4ea8403fcc39e0b5917c9ecd928ec57e8fa422825df3bf399d3539bdf94343f.exe -start
      PID: 2604 (level 3)
      - System Location Discovery: System Language Discovery
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID: 3524 (level 1)
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3744 (level 1)
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 3864 (level 1)
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3936 (level 1)
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 4028 (level 1)
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3396 (level 1)
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  PID: 4832 (level 1)
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 468 (level 1)
- C:\Windows\system32\backgroundTaskHost.exe
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  PID: 4896 (level 1)
- C:\Users\Admin\AppData\Local\Temp\c4ea8403fcc39e0b5917c9ecd928ec57e8fa422825df3bf399d3539bdf94343f.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\c4ea8403fcc39e0b5917c9ecd928ec57e8fa422825df3bf399d3539bdf94343f.exe -dispatch
  PID: 3616 (level 1)
  - Modifies firewall policy service
  - UAC bypass
  - Windows security bypass
  - Windows security modification
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (6)
Downloads