Analysis

max time kernel: 150s
max time network: 133s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-01-2025 01:40
Static task: static1
Behavioral task: behavioral1
Sample: a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe
Resource: win7-20240708-en
General

Target: a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe
Size: 1.3MB
MD5: 60ebd53db1cfeb18ea54fa90643181aa
SHA1: 4e6cbe305733ef316ae9f51a9910ca0d4dccdd9d
SHA256: a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc
SHA512: 0b3d2cc9f337e882cf5c2bf8fc66a5c28b6d3239a06003ed9dd39521e5b9126ab1819df21420325094ebce6ccd244fe9c3db7f3dea8f49d78b75c1dbe1066e7c
SSDEEP: 24576:1JeofAq/jp98z3kiHgVcosIeOeOe7OxmOocRLfzyFyT96I:zeofAaWkqKheOeOe7OxmHcR1t
Malware Config

Extracted family: sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe rundll.exe" | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe

Modifies firewall policy service 3 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe
Sality family

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe
Disables Task Manager via registry modification

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger = "C:\\Windows\\system32\\regsvr.exe" | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe
Enumerates connected drives 3 TTPs 44 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\system = "Winhelp.exe" | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe
AutoIT Executable 4 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/3260-0-0x0000000000400000-0x00000000004B5000-memory.dmp | autoit_exe
behavioral2/files/0x000a000000023b82-17.dat | autoit_exe
behavioral2/files/0x0031000000023b8a-45.dat | autoit_exe
behavioral2/memory/3260-118-0x0000000000400000-0x00000000004B5000-memory.dmp | autoit_exe
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe
File opened for modification | F:\autorun.inf | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe
Drops file in System32 directory 5 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\winhelp.exe | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe
File opened for modification | C:\Windows\SysWOW64\winhelp.exe | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe
File opened for modification | C:\Windows\SysWOW64\setup.ini | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe
File created | C:\Windows\SysWOW64\regsvr.exe | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe
File opened for modification | C:\Windows\SysWOW64\regsvr.exe | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe
Drops file in Program Files directory 11 IoCs
description | ioc | Process
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe
Drops file in Windows directory 5 IoCs
description | ioc | Process
File created | C:\Windows\winhelp.ini | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe
File opened for modification | C:\Windows\winhelp.ini | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe
File created | C:\Windows\regsvr.exe | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe
File opened for modification | C:\Windows\regsvr.exe | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe
File opened for modification | C:\Windows\SYSTEM.INI | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 3260 wrote to memory of 788 | 3260 | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe | 8
PID 3260 wrote to memory of 796 | 3260 | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe | 9
PID 3260 wrote to memory of 380 | 3260 | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe | 13
PID 3260 wrote to memory of 2568 | 3260 | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe | 44
PID 3260 wrote to memory of 2576 | 3260 | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe | 45
PID 3260 wrote to memory of 2748 | 3260 | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe | 47
PID 3260 wrote to memory of 3540 | 3260 | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe | 56
PID 3260 wrote to memory of 3672 | 3260 | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe | 57
PID 3260 wrote to memory of 3844 | 3260 | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe | 58
PID 3260 wrote to memory of 3936 | 3260 | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe | 59
PID 3260 wrote to memory of 4000 | 3260 | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe | 60
PID 3260 wrote to memory of 4088 | 3260 | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe | 61
PID 3260 wrote to memory of 3896 | 3260 | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe | 62
PID 3260 wrote to memory of 1140 | 3260 | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe | 75
PID 3260 wrote to memory of 3700 | 3260 | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe | 76
PID 3260 wrote to memory of 1800 | 3260 | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe | 82 (x3)
PID 1800 wrote to memory of 2052 | 1800 | cmd.exe | 84 (x3)
PID 3260 wrote to memory of 1772 | 3260 | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe | 85 (x3)
PID 1772 wrote to memory of 5032 | 1772 | cmd.exe | 87 (x3)
PID 3260 wrote to memory of 788 | 3260 | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe | 8
PID 3260 wrote to memory of 796 | 3260 | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe | 9
PID 3260 wrote to memory of 380 | 3260 | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe | 13
PID 3260 wrote to memory of 2568 | 3260 | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe | 44
PID 3260 wrote to memory of 2576 | 3260 | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe | 45
PID 3260 wrote to memory of 2748 | 3260 | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe | 47
PID 3260 wrote to memory of 3540 | 3260 | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe | 56
PID 3260 wrote to memory of 3672 | 3260 | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe | 57
PID 3260 wrote to memory of 3844 | 3260 | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe | 58
PID 3260 wrote to memory of 3936 | 3260 | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe | 59
PID 3260 wrote to memory of 4000 | 3260 | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe | 60
PID 3260 wrote to memory of 4088 | 3260 | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe | 61
PID 3260 wrote to memory of 3896 | 3260 | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe | 62
PID 3260 wrote to memory of 1140 | 3260 | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe | 75
PID 3260 wrote to memory of 3700 | 3260 | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe | 76
PID 3260 wrote to memory of 788 | 3260 | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe | 8
PID 3260 wrote to memory of 796 | 3260 | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe | 9
PID 3260 wrote to memory of 380 | 3260 | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe | 13
PID 3260 wrote to memory of 2568 | 3260 | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe | 44
PID 3260 wrote to memory of 2576 | 3260 | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe | 45
PID 3260 wrote to memory of 2748 | 3260 | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe | 47
PID 3260 wrote to memory of 3540 | 3260 | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe | 56
PID 3260 wrote to memory of 3672 | 3260 | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe | 57
PID 3260 wrote to memory of 3844 | 3260 | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe | 58
PID 3260 wrote to memory of 3936 | 3260 | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe | 59
PID 3260 wrote to memory of 4000 | 3260 | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe | 60
PID 3260 wrote to memory of 4088 | 3260 | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe | 61
PID 3260 wrote to memory of 3896 | 3260 | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe | 62
PID 3260 wrote to memory of 1140 | 3260 | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe | 75
PID 3260 wrote to memory of 3700 | 3260 | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe | 76
PID 3260 wrote to memory of 788 | 3260 | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe | 8
PID 3260 wrote to memory of 796 | 3260 | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe | 9
PID 3260 wrote to memory of 380 | 3260 | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe | 13
PID 3260 wrote to memory of 2568 | 3260 | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe | 44
PID 3260 wrote to memory of 2576 | 3260 | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe | 45
PID 3260 wrote to memory of 2748 | 3260 | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe | 47
PID 3260 wrote to memory of 3540 | 3260 | a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe | 56
-
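The rows above are worth more than their count: one PID (3260) writes into the memory of fontdrvhost, dwm, sihost, svchost, taskhostw, Explorer and the shell-experience hosts in repeated sweeps, while cmd.exe only writes into the at.exe child it just created. The script below is an added example, not part of this sandbox report, that parses rows in exactly the format the report prints (including several rows run together on one line) and ranks writers by how many distinct processes they touched. The input is a constructed subset of the rows above, the PID-to-name map is copied from the report's process list, and the flagging threshold is an assumption to tune per environment.

```python
"""Rank processes by process-injection fan-out from sandbox 'wrote to memory of' rows.

Added example, not part of the sandbox report. It parses the report's own
"PID <src> wrote to memory of <dst> <src> <image> <procid_target>" rows, which the
page prints run together on a few long lines, and groups them by writer PID.
"""
import re
from collections import defaultdict

# One row as the report prints it. The writer PID is repeated before the image name,
# so a backreference keeps the match aligned when rows are concatenated.
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target>\d+)"
)

# Constructed input: a subset of the report's rows, run together as on the page.
SAMPLE_EXE = "a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe"
SAMPLE_REPORT = " ".join(
    f"PID {src} wrote to memory of {dst} {src} {image} {target}"
    for src, dst, image, target in [
        (3260, 788, SAMPLE_EXE, 8),
        (3260, 796, SAMPLE_EXE, 9),
        (3260, 380, SAMPLE_EXE, 13),
        (3260, 2568, SAMPLE_EXE, 44),
        (3260, 1800, SAMPLE_EXE, 82),
        (3260, 1800, SAMPLE_EXE, 82),
        (3260, 1800, SAMPLE_EXE, 82),
        (1800, 2052, "cmd.exe", 84),
        (1800, 2052, "cmd.exe", 84),
        (1800, 2052, "cmd.exe", 84),
    ]
)

# PID -> image name, taken from the report's process list, so targets can be named.
PROCESS_NAMES = {
    788: "fontdrvhost.exe", 796: "fontdrvhost.exe", 380: "dwm.exe", 2568: "sihost.exe",
    3540: "Explorer.EXE", 1800: "cmd.exe", 2052: "at.exe",
}


def parse_write_events(text):
    """Return [(src_pid, dst_pid, src_image), ...] in report order."""
    return [(int(m["src"]), int(m["dst"]), m["image"]) for m in EVENT_RE.finditer(text)]


def summarize_fanout(events, process_names):
    """Group events by writer PID: total writes, distinct targets and their names.

    Three writes into one freshly created child (here cmd.exe -> at.exe) is the normal
    CreateProcess pattern; one PID writing into many unrelated system processes is not.
    """
    by_writer, images = defaultdict(list), {}
    for src, dst, image in events:
        by_writer[src].append(dst)
        images[src] = image
    summary = {}
    for src, targets in by_writer.items():
        distinct = sorted(set(targets))
        summary[src] = {
            "image": images[src],
            "writes": len(targets),
            "distinct_targets": distinct,
            "target_names": [process_names.get(pid, str(pid)) for pid in distinct],
        }
    return summary


def flag_injectors(summary, min_distinct=5):
    """Writer PIDs that wrote into at least min_distinct different processes.

    The threshold is an assumption for this example: a parent legitimately writes into
    its own children, so set it above the number of children a process normally spawns.
    """
    return sorted(pid for pid, s in summary.items() if len(s["distinct_targets"]) >= min_distinct)


if __name__ == "__main__":
    fanout = summarize_fanout(parse_write_events(SAMPLE_REPORT), PROCESS_NAMES)
    for pid in flag_injectors(fanout):
        s = fanout[pid]
        print(f"PID {pid} ({s['image']}): {s['writes']} writes into "
              f"{len(s['distinct_targets'])} processes: {', '.join(s['target_names'])}")
```

Feeding the full table above into `parse_write_events` gives PID 3260 sixteen distinct targets, all long-running system or shell processes, which is the profile to alert on; the same logic applies to Sysmon or EDR process-access events once the fields are mapped.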
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe
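Setting EnableLUA to 0 under the System policy key, together with the Winlogon, firewall-policy and regedit-policy changes listed in the signatures, leaves a host in a state that is easy to verify after the fact from a registry export. The script below is an added example, not part of this sandbox report: it parses `reg query` output and compares the values this sample tampers with against their shipped defaults. The key paths are the standard Windows locations and the defaults are Windows' own (EnableLUA 1, Shell explorer.exe, EnableFirewall 1, DisableRegistryTools absent or 0). The export text is constructed to resemble a host after this sample ran; the second program in the tampered Shell value (`planted.exe`) is a placeholder name, not something the report recorded.

```python
"""Audit a host's 'reg query' export for the settings this sample tampers with.

Added example, not part of the sandbox report. Compares an exported registry
snapshot against the clean defaults of the values the report flags (UAC EnableLUA,
Winlogon Shell, firewall policy, regedit policy). SAMPLE_EXPORT is constructed;
'planted.exe' is a placeholder name.
"""
import re

# (key, value name, clean value, absence acceptable, what a deviation means)
# Key paths are the standard Windows locations; clean values are the shipped defaults.
BASELINE = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "EnableLUA", "0x1", False, "UAC disabled (system policy modification)"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "Shell", "explorer.exe", False, "Winlogon Shell hijacked for persistence"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile",
     "EnableFirewall", "0x1", False, "Windows Firewall policy disabled"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "DisableRegistryTools", "0x0", True, "regedit disabled by policy"),
]

# Constructed 'reg query' output (4-space column separators as reg.exe prints them).
# The 64-bit Winlogon view is clean; the WOW6432Node view, where a 32-bit process's
# write to HKLM\SOFTWARE lands, carries the tampered value.
SAMPLE_EXPORT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    EnableLUA    REG_DWORD    0x0
    ConsentPromptBehaviorAdmin    REG_DWORD    0x5

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe planted.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    EnableFirewall    REG_DWORD    0x0
    DisableNotifications    REG_DWORD    0x1
"""


def parse_reg_query(text):
    """Parse 'reg query' output into {(key_path, value_name): (type, data)}."""
    values, key = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        parts = re.split(r"\s{2,}", line.strip())
        if key and len(parts) == 3 and parts[1].startswith("REG_"):
            name, rtype, data = parts
            values[(key, name)] = (rtype, data)
    return values


def views_of(key):
    """The 64-bit key plus its WOW6432Node redirection for keys under HKLM\\SOFTWARE."""
    views = [key]
    prefix = r"HKEY_LOCAL_MACHINE\SOFTWARE" + "\\"
    if key.startswith(prefix):
        views.append(prefix + "WOW6432Node\\" + key[len(prefix):])
    return views


def audit(values, baseline=BASELINE):
    """Return one finding per baseline value that is missing or not at its clean value.

    A value absent from the 64-bit view is reported unless the baseline allows absence;
    the WOW6432Node view is only reported when it is present and tampered.
    """
    findings = []
    for key, name, expected, absent_ok, meaning in baseline:
        for view in views_of(key):
            hit = values.get((view, name))
            if hit is None:
                if view == key and not absent_ok:
                    findings.append({"key": view, "name": name, "actual": None,
                                     "expected": expected, "meaning": meaning})
                continue
            if hit[1].lower() != expected.lower():
                findings.append({"key": view, "name": name, "actual": hit[1],
                                 "expected": expected, "meaning": meaning})
    return findings


if __name__ == "__main__":
    for f in audit(parse_reg_query(SAMPLE_EXPORT)):
        print(f"{f['key']}\\{f['name']} = {f['actual']!r} "
              f"(expected {f['expected']!r}): {f['meaning']}")
```

On a live host, produce the input with `reg query "<key>"` for each baseline key; because the sample runs as a 32-bit process (it launches cmd.exe from SysWOW64), query the explicit `HKLM\SOFTWARE\WOW6432Node\...` path as well as the 64-bit one, since only the 64-bit Winlogon value is honoured at logon and a tampered WOW6432Node copy is an indicator rather than a working persistence.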
Processes
- PID 788: C:\Windows\system32\fontdrvhost.exe
  cmdline: "fontdrvhost.exe"
- PID 796: C:\Windows\system32\fontdrvhost.exe
  cmdline: "fontdrvhost.exe"
- PID 380: C:\Windows\system32\dwm.exe
  cmdline: "dwm.exe"
- PID 2568: C:\Windows\system32\sihost.exe
  cmdline: sihost.exe
- PID 2576: C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- PID 2748: C:\Windows\system32\taskhostw.exe
  cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- PID 3540: C:\Windows\Explorer.EXE
  cmdline: C:\Windows\Explorer.EXE
  - PID 3260: C:\Users\Admin\AppData\Local\Temp\a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe"
    signatures:
    - Modifies WinLogon for persistence
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Windows security modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - PID 1800: C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /C AT /delete /yes
      (the sample is 32-bit, so its request for system32\cmd.exe is redirected by WoW64 to SysWOW64\cmd.exe; the same applies to at.exe below)
      signatures:
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - PID 2052: C:\Windows\SysWOW64\at.exe
        cmdline: AT /delete /yes
        signatures:
        - System Location Discovery: System Language Discovery
    - PID 1772: C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\winhelp.exe
      signatures:
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - PID 5032: C:\Windows\SysWOW64\at.exe
        cmdline: AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\winhelp.exe
        signatures:
        - System Location Discovery: System Language Discovery
    Note on the two AT invocations: the first clears every existing AT job, the second schedules C:\Windows\system32\winhelp.exe to run interactively at 09:00 every day of the week, which matches the "Drops file in System32 directory" signature on PID 3260. On Windows 8 and later at.exe is deprecated and exits with a message pointing to schtasks.exe without creating a job, so on this Windows 10 target the scheduled-task persistence most likely did not take effect; confirm with "schtasks /query" and by checking for %SystemRoot%\Tasks\At*.job and an unexpected winhelp.exe in System32 before treating it as active.
- PID 3672: C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- PID 3844: C:\Windows\system32\DllHost.exe
  cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- PID 3936: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- PID 4000: C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 4088: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- PID 3896: C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 1140: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  cmdline: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- PID 3700: C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
(the number after each entry is the count of matching signatures; technique IDs added for reference)
Persistence
- Boot or Logon Autostart Execution, T1547 (3)
  - Registry Run Keys / Startup Folder, T1547.001 (1)
  - Winlogon Helper DLL, T1547.004 (2)
- Create or Modify System Process, T1543 (1)
  - Windows Service, T1543.003 (1)
Privilege Escalation
- Abuse Elevation Control Mechanism, T1548 (1)
  - Bypass User Account Control, T1548.002 (1)
- Boot or Logon Autostart Execution, T1547 (3)
  - Registry Run Keys / Startup Folder, T1547.001 (1)
  - Winlogon Helper DLL, T1547.004 (2)
- Create or Modify System Process, T1543 (1)
  - Windows Service, T1543.003 (1)
Defense Evasion
- Abuse Elevation Control Mechanism, T1548 (1)
  - Bypass User Account Control, T1548.002 (1)
- Impair Defenses, T1562 (4)
  - Disable or Modify System Firewall, T1562.004 (1)
  - Disable or Modify Tools, T1562.001 (3)
- Modify Registry, T1112 (8)
Downloads
- C:\Users\Admin\AppData\Local\Temp\0E5779C4_Rar\a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc.exe
  Filesize: 1.2MB
  MD5: a18b755297c7ae6c15c287d734f69838
  SHA1: 2f464bf4f96f61fc39079a6988f6891f8f77c1c9
  SHA256: f7c85a45ab49471063ee03ab635c841d24a58217f921804ae1d11207f6278112
  SHA512: b953f3542aee875e1e9101340f66a05180bda14a6be758cc4f8bc4f9455f296822ca415c5be737ae35f51a2a031e6ab8bbefdcaf37c56ca828af89b07899b371
-
  Filesize: 96B
  MD5: 9ece103c47335f0cc777f1132b8d522f
  SHA1: 63afa171c64f86d99db81723e1335e960e85fa43
  SHA256: 69815d4932ddde240ce6b1353305d2fab58ca402e9c478452c8e37ce8a7b2ac9
  SHA512: b1ac64c71c6338bf0ab33df938128822da680f20d0552edb2edb808f1c75bafb88467412fc8dc60ed8022a1f0c4f3fcbecb69a320ec871b3a766482f32d6eb05
-
  Filesize: 1.3MB
  MD5: 60ebd53db1cfeb18ea54fa90643181aa
  SHA1: 4e6cbe305733ef316ae9f51a9910ca0d4dccdd9d
  SHA256: a6fc4c24c39e27921ec425bf0efe3aad91bf81f0e50c7a964b076a897e1efefc
  SHA512: 0b3d2cc9f337e882cf5c2bf8fc66a5c28b6d3239a06003ed9dd39521e5b9126ab1819df21420325094ebce6ccd244fe9c3db7f3dea8f49d78b75c1dbe1066e7c
-
  Filesize: 100KB
  MD5: 86b7c5402e044ccdda7111edbc91333e
  SHA1: 74f12f2737b06ff2aa82a4e19068a3992ec3a8d1
  SHA256: dbc8aac8a6536b12b3bd1325314321aeb1d3a49a0d3a046fc8d1bffe8ec7e89e
  SHA512: 5d90a71fc6cf1129371e55e60fcdfd7d4a06ae2b7c925343d2b016eb885871d1ebaaf5a8331c20d59049e453c9ec339995a3c95ec5816f569c2cb2853ac41284