Analysis
max time kernel: 9s
max time network: 108s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/12/2024, 19:14
Static task: static1
Behavioral task: behavioral1
Sample: cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe
Resource: win7-20241023-en
General
Target: cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe
Size: 248KB
MD5: 83d98a6cd986e6b33ff55f52b79d3080
SHA1: ee8d6e58d27211c1c803e65f66307f85323bcdcc
SHA256: cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9f
SHA512: bf951003f45a2ddebf5a4d4295a85f4b13eeeef91d6d0e02bc579b6fc4da2140483c1183c65b447e31f180879a2e22d6ff64a6172650aaa54396dd7cb0b6afd3
SSDEEP: 3072:rmsDm4U1esoRoNRkLUzQwF9qhnfNc5MOt8MaqHE8KXzOKSNzV9brTzTnxIH38MQj:rmgm4KoRIRkGQ4sxMMlMJ5tWHsLZOzov
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
Process: cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
Sality family

Process: cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Process: cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\UacDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\AntiVirusOverride = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\AntiVirusDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\UpdatesDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\FirewallDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\FirewallOverride = "1"
Process: cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\FirewallOverride = "1"
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\FirewallDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\AntiVirusOverride = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\UpdatesDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\AntiVirusDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\UacDisableNotify = "1"
Adds Run key to start application (2 TTPs, 1 IoC)
Process: cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FTSafeNetRockey4NDService = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe -systray"
Process: cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Enumerates connected drives (3 TTPs, 6 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process: cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe
File opened (read-only) \??\G:
File opened (read-only) \??\H:
File opened (read-only) \??\H:
File opened (read-only) \??\E:
File opened (read-only) \??\E:
File opened (read-only) \??\G:
Drops file in Windows directory (3 IoCs)
Process: cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe
File created C:\Windows\e57f0a9
File opened for modification C:\Windows\SYSTEM.INI
File created C:\Windows\e57f2cc
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Process: cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Modifies data under HKEY_USERS (64 IoCs)
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid 464: cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe
pid 464: cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe
pid 1036: cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe
pid 1036: cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Process: cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe (pid 464)
Token: SeDebugPrivilege (the same entry is recorded 64 times)
Suspicious use of FindShellTrayWindow (3 IoCs)
pid 464: cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe
pid 464: cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe
pid 464: cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe
Suspicious use of SendNotifyMessage 3 IoCs
pid Process
464 cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe
464 cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe
464 cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe
Suspicious use of WriteProcessMemory 39 IoCs
description pid Process procid_target
PID 464 wrote to memory of 4704 464 cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe 83
PID 464 wrote to memory of 4704 464 cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe 83
PID 464 wrote to memory of 4704 464 cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe 83
PID 464 wrote to memory of 792 464 cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe 9
PID 464 wrote to memory of 800 464 cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe 10
PID 464 wrote to memory of 332 464 cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe 13
PID 464 wrote to memory of 3000 464 cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe 50
PID 464 wrote to memory of 3032 464 cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe 51
PID 464 wrote to memory of 2844 464 cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe 52
PID 464 wrote to memory of 3432 464 cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe 56
PID 464 wrote to memory of 3536 464 cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe 57
PID 464 wrote to memory of 3720 464 cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe 58
PID 464 wrote to memory of 3816 464 cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe 59
PID 464 wrote to memory of 3920 464 cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe 60
PID 464 wrote to memory of 4004 464 cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe 61
PID 464 wrote to memory of 3892 464 cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe 62
PID 464 wrote to memory of 3648 464 cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe 75
PID 464 wrote to memory of 1392 464 cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe 76
PID 464 wrote to memory of 4376 464 cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe 99
PID 464 wrote to memory of 4704 464 cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe 83
PID 464 wrote to memory of 4704 464 cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe 83
PID 1036 wrote to memory of 792 1036 cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe 9
PID 1036 wrote to memory of 800 1036 cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe 10
PID 1036 wrote to memory of 332 1036 cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe 13
PID 1036 wrote to memory of 3000 1036 cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe 50
PID 1036 wrote to memory of 3032 1036 cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe 51
PID 1036 wrote to memory of 2844 1036 cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe 52
PID 1036 wrote to memory of 3432 1036 cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe 56
PID 1036 wrote to memory of 3536 1036 cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe 57
PID 1036 wrote to memory of 3720 1036 cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe 58
PID 1036 wrote to memory of 3816 1036 cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe 59
PID 1036 wrote to memory of 3920 1036 cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe 60
PID 1036 wrote to memory of 4004 1036 cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe 61
PID 1036 wrote to memory of 3892 1036 cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe 62
PID 1036 wrote to memory of 3648 1036 cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe 75
PID 1036 wrote to memory of 1392 1036 cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe 76
PID 1036 wrote to memory of 4376 1036 cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe 99
PID 1036 wrote to memory of 464 1036 cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe 82
PID 1036 wrote to memory of 464 1036 cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe 82
System policy modification 1 TTPs 2 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe
Processes
- C:\Windows\system32\fontdrvhost.exe  "fontdrvhost.exe"  PID:792
- C:\Windows\system32\fontdrvhost.exe  "fontdrvhost.exe"  PID:800
- C:\Windows\system32\dwm.exe  "dwm.exe"  PID:332
- C:\Windows\system32\sihost.exe  sihost.exe  PID:3000
- C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc  PID:3032
- C:\Windows\system32\taskhostw.exe  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}  PID:2844
- C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  PID:3432
  - C:\Users\Admin\AppData\Local\Temp\cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe  "C:\Users\Admin\AppData\Local\Temp\cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe"  PID:464
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Users\Admin\AppData\Local\Temp\cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe  C:\Users\Admin\AppData\Local\Temp\cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe -start  PID:4704
      - System Location Discovery: System Language Discovery
- C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc  PID:3536
- C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID:3720
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  PID:3816
- C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:3920
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  PID:4004
- C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:3892
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca  PID:3648
- C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:1392
- C:\Users\Admin\AppData\Local\Temp\cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe  C:\Users\Admin\AppData\Local\Temp\cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe -dispatch  PID:1036
  - Modifies firewall policy service
  - UAC bypass
  - Windows security bypass
  - Windows security modification
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
- C:\Windows\system32\backgroundTaskHost.exe  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca  PID:4376
- C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe  "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service  PID:3576
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution 1
  - Registry Run Keys / Startup Folder 1
- Create or Modify System Process 1
  - Windows Service 1
Privilege Escalation
- Abuse Elevation Control Mechanism 1
  - Bypass User Account Control 1
- Boot or Logon Autostart Execution 1
  - Registry Run Keys / Startup Folder 1
- Create or Modify System Process 1
  - Windows Service 1
Defense Evasion
- Abuse Elevation Control Mechanism 1
  - Bypass User Account Control 1
- Impair Defenses 4
  - Disable or Modify System Firewall 1
  - Disable or Modify Tools 3
- Modify Registry 6
Downloads