Analysis
max time kernel: 96s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-12-2024 05:59
Static task: static1
Behavioral task: behavioral1
Sample: 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe
Resource: win7-20240903-en
General
Target: 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe
Size: 416KB
MD5: 5eada170dd29ecd50a783d0877e6f022
SHA1: d79443bc32e06f098a2f9449c02703e83b0705d5
SHA256: 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749
SHA512: 8f27265ccfe24422027791076ef9b6f4cdfb011f2f1cb1b3b1bb5c5559f391cf23f2f6ec0ec4334063c6574f43b4fa4a15048c426d1173e4a71f51914c7d390c
SSDEEP: 6144:UFfDAEl3nOvkGe/DDWGszKjV1eNHkG+ovUM3ep3DWhvhlWOAB:kwGDWGszKjV1eWGL5epTWhvhl1K
Malware Config
Extracted
Family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 3 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe

Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence check.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | wscript.exe

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | F:\autorun.inf | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe
File opened for modification | C:\autorun.inf | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe
Drops file in Program Files directory 22 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe
File created | C:\Program Files (x86)\Windows Installer Clean Up\readme.txt | msiexec.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe
File created | C:\Program Files (x86)\MSECACHE\WICU3\msicuu.msi | wscript.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe
File created | C:\Program Files (x86)\Windows Installer Clean Up\msicuu.exe | msiexec.exe
File created | C:\Program Files (x86)\MSECACHE\WICU3\msicuu.exe | wscript.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe
File created | C:\Program Files (x86)\Windows Installer Clean Up\MsiZap.exe | msiexec.exe
File created | C:\Program Files (x86)\MSECACHE\WICU3\readme.txt | wscript.exe
File created | C:\Program Files (x86)\MSECACHE\WICU3\MsiZapA.exe | wscript.exe
File created | C:\Program Files (x86)\MSECACHE\WICU3\MsiZapU.exe | wscript.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe
File created | C:\Program Files (x86)\MSECACHE\WICU3\Unicode\MsiZap.exe | msiexec.exe
File opened for modification | C:\Program Files (x86)\MSECACHE\WICU3\msicuu.exe | wscript.exe
File created | C:\Program Files (x86)\MSECACHE\WICU3\Ansi\MsiZap.exe | msiexec.exe
Drops file in Windows directory 10 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI3E4C.tmp | msiexec.exe
File created | C:\Windows\e57a1ce | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe
File opened for modification | C:\Windows\SYSTEM.INI | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File created | C:\Windows\Installer\SourceHash{121634B0-2F4B-11D3-ADA3-00C04F52DD52} | msiexec.exe
File created | C:\Windows\Installer\e583da2.msi | msiexec.exe
File created | C:\Windows\Installer\e583da0.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e583da0.msi | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wscript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (binary value omitted) | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = (binary value omitted) | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid | Process
1312 | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe (10 entries)
5036 | msiexec.exe (2 entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1312 | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe (same entry repeated 64 times)
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
1716 | msiexec.exe (2 entries)
Suspicious use of WriteProcessMemory 64 IoCs
Unique entries (each is repeated several times in the full listing):
description | pid | Process | procid_target
PID 1312 wrote to memory of 1600 | 1312 | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe | 83
PID 1312 wrote to memory of 780 | 1312 | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe | 8
PID 1312 wrote to memory of 788 | 1312 | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe | 9
PID 1312 wrote to memory of 1020 | 1312 | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe | 13
PID 1312 wrote to memory of 3052 | 1312 | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe | 50
PID 1312 wrote to memory of 2692 | 1312 | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe | 51
PID 1312 wrote to memory of 776 | 1312 | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe | 53
PID 1312 wrote to memory of 3344 | 1312 | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe | 55
PID 1312 wrote to memory of 3564 | 1312 | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe | 57
PID 1312 wrote to memory of 3752 | 1312 | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe | 58
PID 1312 wrote to memory of 3856 | 1312 | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe | 59
PID 1312 wrote to memory of 3920 | 1312 | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe | 60
PID 1312 wrote to memory of 4000 | 1312 | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe | 61
PID 1312 wrote to memory of 3664 | 1312 | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe | 62
PID 1312 wrote to memory of 2412 | 1312 | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe | 75
PID 1312 wrote to memory of 2000 | 1312 | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe | 76
PID 1312 wrote to memory of 4784 | 1312 | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe | 81
PID 1600 wrote to memory of 1716 | 1600 | wscript.exe | 84
PID 1312 wrote to memory of 1716 | 1312 | 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe | 84
System policy modification 1 TTPs 1 IoCs
description: Set value (int)
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Process: 83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(indented entries are child processes; the bullets under a process are the signatures it triggered)
- C:\Windows\system32\fontdrvhost.exe, command line: "fontdrvhost.exe", PID: 780
- C:\Windows\system32\fontdrvhost.exe, command line: "fontdrvhost.exe", PID: 788
- C:\Windows\system32\dwm.exe, command line: "dwm.exe", PID: 1020
- C:\Windows\system32\sihost.exe, command line: sihost.exe, PID: 3052
- C:\Windows\system32\svchost.exe, command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc, PID: 2692
- C:\Windows\system32\taskhostw.exe, command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}, PID: 776
- C:\Windows\Explorer.EXE, command line: C:\Windows\Explorer.EXE, PID: 3344
  - C:\Users\Admin\AppData\Local\Temp\83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe, command line: "C:\Users\Admin\AppData\Local\Temp\83c28113bcfc9054668a6a4213ff3d2b3f03ed4e96d3b18d78e4f6dbd9fb5749.exe", PID: 1312
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Windows\SysWOW64\wscript.exe, command line: wscript StartMsi.vbs, PID: 1600
      - Checks computer location settings
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\msiexec.exe, command line: "C:\Windows\System32\msiexec.exe" /i "C:\Program Files (x86)\MSECACHE\WICU3\msicuu.msi", PID: 1716
        - Enumerates connected drives
        - System Location Discovery: System Language Discovery
        - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\svchost.exe, command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc, PID: 3564
- C:\Windows\system32\DllHost.exe, command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}, PID: 3752
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe, command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca, PID: 3856
- C:\Windows\System32\RuntimeBroker.exe, command line: C:\Windows\System32\RuntimeBroker.exe -Embedding, PID: 3920
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe, command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca, PID: 4000
- C:\Windows\System32\RuntimeBroker.exe, command line: C:\Windows\System32\RuntimeBroker.exe -Embedding, PID: 3664
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe, command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca, PID: 2412
- C:\Windows\System32\RuntimeBroker.exe, command line: C:\Windows\System32\RuntimeBroker.exe -Embedding, PID: 2000
- C:\Windows\system32\backgroundTaskHost.exe, command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca, PID: 4784
- C:\Windows\system32\msiexec.exe, command line: C:\Windows\system32\msiexec.exe /V, PID: 5036
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\system32\srtasks.exe, command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2, PID: 3240
- C:\Windows\system32\vssvc.exe, command line: C:\Windows\system32\vssvc.exe, PID: 3692
  - Checks SCSI registry key(s)
- C:\Windows\system32\DllHost.exe, command line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}, PID: 1748
Network
MITRE ATT&CK Enterprise v15 (count of matching signatures in parentheses)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (6)
Downloads
\??\Volume{ff55cfe6-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{0d067066-9688-44a8-9585-7d7c1a41e315}_OnDiskSnapshotProp
Filesize 6KB