Analysis

max time kernel: 156s
max time network: 171s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 07-02-2022 03:01
Static task: static1

Behavioral task: behavioral1
- Sample: 359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
- Resource: win10v2004-en-20220113

The signatures, process tree and downloads below are from the Windows 10 run (behavioral2, matching the platform and resource in the Analysis header); the Windows 7 task is listed but its results are not shown here.
General

Target: 359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
Size: 112KB
MD5: 8b7611f961f0e2654905ef70c64643d8
SHA1: 6179240e198d9cb07b2703be0b725f852303cc97
SHA256: 359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59
SHA512: 708e2ba0d0703e0b392654f928b9c0f478d86a60be9568a0bc9bb080a21ee32fed24d8cdedfe1c6e6651918af6d13a0f23e730c40ae038448d99bcf728195737
Malware Config: none shown
Signatures

Modifies system executable filetype association (2 TTPs, 1 IoC)
Process: 359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
This is the infector's persistence hook. The stock value of this key is "%1" %* (run the double-clicked program itself); with the new value, every .exe started through the shell is first handed to C:\Windows\svchost.com, the copy of the virus the sample drops (see "Drops file in Windows directory"), so the infector re-runs on every program launch. Restoring the stock value without also removing svchost.com and the infected executables leaves the infector in place.
Neshta
Malware of the Neshta family is a file infector: it inserts itself into other executables so that running any of them spreads it further and damages the host program.
Executes dropped EXE (1 IoC)
Process: 359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe, PID 1944
The executed file is C:\Users\Admin\AppData\Local\Temp\3582-490\359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe. It carries the same name as the sample but a different hash (MD5 4c7f6c95f09cad4461bd307a2c66d3f8, see Downloads): it is the original host program that the infector carries inside the infected file, extracts to this fixed directory and runs so that the victim sees the expected program start. Everything that PID 1944 and its children do (the firewall batch file below) is therefore the host program's behaviour, not the virus's.
Modifies Windows Firewall (1 TTP; no IoC listed)

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Process: 359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation

Reads user/profile data of web browsers (2 TTPs; no IoC listed)
Infostealers often target stored browser data, which can include saved credentials. No supporting IoC appears in this report, so treat this hit as unconfirmed.
Drops file in Program Files directory (64 IoCs)
Process: 359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
All 64 entries are "File opened for modification" by the sample. Every target is an existing executable, addressed by its 8.3 short name, which is consistent with the file-infector behaviour described under Neshta rather than with dropping new files:
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe
- C:\PROGRA~2\MICROS~1\EdgeCore\970107~1.55\MSEDGE~2.EXE
- C:\PROGRA~2\MICROS~1\EdgeCore\970107~1.55\MSEDGE~3.EXE
- C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE
- C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MIA062~1.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
- C:\PROGRA~2\INTERN~1\iexplore.exe
- C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MICROS~4.EXE
- C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MI9C33~1.EXE
- C:\PROGRA~2\MICROS~1\EDGEUP~1\Install\{A9F77~1\EDGEMI~1.TMP\setup.exe
- C:\PROGRA~2\WINDOW~2\wab.exe
- C:\PROGRA~2\WI8A19~1\ImagingDevices.exe
- C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe
- C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MICROS~1.EXE
- C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE
- C:\PROGRA~2\INTERN~1\ExtExport.exe
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE
- C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MICROS~2.EXE
- C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
- C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
- C:\PROGRA~2\MICROS~1\EdgeCore\970107~1.55\msedge.exe
- C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
- C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe
- C:\PROGRA~2\MICROS~1\EdgeCore\970107~1.55\NOTIFI~1.EXE
- C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MI391D~1.EXE
- C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MICROS~3.EXE
- C:\PROGRA~2\WINDOW~4\setup_wm.exe
- C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe
- C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe
- C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
- C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe
- C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE
- C:\PROGRA~2\INTERN~1\ielowutil.exe
- C:\PROGRA~2\MICROS~1\EdgeCore\970107~1.55\BHO\IE_TO_~1.EXE
- C:\PROGRA~2\WINDOW~4\wmpconfig.exe
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE
- C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13153~1.55\MICROS~1.EXE
- C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE
- C:\PROGRA~2\Google\Update\DISABL~1.EXE
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE
- C:\PROGRA~2\MICROS~1\EdgeCore\970107~1.55\ELEVAT~1.EXE
- C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
- C:\PROGRA~2\WINDOW~4\wmplayer.exe
- C:\PROGRA~2\WINDOW~4\wmprph.exe
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
- C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
- C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE
- C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE
- C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE
- C:\PROGRA~2\MICROS~1\EdgeCore\970107~1.55\PWAHEL~1.EXE
- C:\PROGRA~2\WINDOW~4\wmpshare.exe
- C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE
- C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
Drops file in Windows directory (7 IoCs)
Processes: 359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe, svchost.exe
- File opened for modification: C:\Windows\svchost.com (359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe)
- File opened for modification: C:\Windows\WindowsUpdate.log (svchost.exe)
- File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
- File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)
- File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
- File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
- File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)
Only the first entry belongs to the sample: C:\Windows\svchost.com is the dropped copy of the infector that the exefile hijack above points at. The other six are written by svchost.exe PID 2440, which the process tree shows is the Windows Update service (-s wuauserv); they are ordinary service activity unrelated to the sample.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
In this report the drive enumeration accompanies the mass opening of executables under Program Files, which is the file infector looking for hosts; nothing in the report shows encryption or a ransom note.
Modifies registry class (5 IoCs)
Processes: reg.exe, 359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe, reg.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shell\FirewallOnOff (reg.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shell\FirewallOnOff\ = "╣µ╚¡║« ╗τ┐δ ╛╚╟╘" (reg.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" (359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shell\FirewallOnOff (reg.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shell\FirewallOnOff\Icon = "C:\\Windows\\system32\\imageres.dll,101" (reg.exe)
The four reg.exe entries come from the host program's batch file and add a desktop-background context-menu entry named FirewallOnOff. Its label is shown here as CP437 box-drawing glyphs because the sandbox rendered the raw bytes of the batch file through the OEM code page; the bytes B9E6 C8AD BAAE 20 BBE7 BFEB 20 BEC8 C7D4 decode under CP949 (Korean) to 방화벽 사용 안함, "Firewall off". Only the exefile entry is the infector's own.
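Two things the report leaves to the reader are handled by the added example below, which was written for this page and is neither sandbox output nor code from the sample: deciding whether an exefile\shell\open\command value is the stock one or hijacked as in the IoC under "Modifies system executable filetype association", and reading the context-menu label that reg.exe set, which the report shows as CP437 glyphs. It uses only the standard library. CP949 (Korean) is an assumption about the batch file's code page, and the list of system-binary names the proxy check looks for is the editor's own heuristic, not something the report states.

```python
"""Triage helpers for the Neshta report above.

Added example by the editor; it is neither sandbox output nor code from the
sample.  Standard library only, runs on any platform.  The REPORT_* constants
are copied from the IoC lines of the report; DEFAULT_EXEFILE_COMMAND is the
stock Windows value.
"""
import re
import sys

# Stock value of HKLM\SOFTWARE\Classes\exefile\shell\open\command: run the
# double-clicked program itself and pass its arguments through.
DEFAULT_EXEFILE_COMMAND = '"%1" %*'

# Value the sample wrote ("Modifies system executable filetype association").
REPORT_EXEFILE_COMMAND = r'C:\Windows\svchost.com "%1" %*'

# Context-menu label as the report rendered it ("Modifies registry class").
# The glyphs are  ╣µ╚¡║« ╗τ┐δ ╛╚╟╘  ; written as escapes so that nothing is
# lost in copy-paste.
REPORT_MENU_LABEL = ("\u2563\u00b5\u255a\u00a1\u2551\u00ab "
                     "\u2557\u03c4\u2510\u03b4 "
                     "\u255b\u255a\u255f\u2558")

# <optionally quoted program> <whitespace> "%1" %*
_PROXY_RE = re.compile(r'^("?)(?P<proxy>[^"]+?)\1\s+"%1"\s*%\*\s*$')

# Names a dropped proxy tends to borrow (editor's heuristic); genuine copies
# of these live under System32.
_SYSTEM_NAMES = {"svchost", "csrss", "lsass", "explorer", "winlogon"}


def classify_exefile_command(value):
    """Classify an exefile open command.

    Returns {'hijacked': bool, 'proxy': str or None, 'reasons': [str]}.
    Anything other than the stock value means every .exe started through the
    shell is handed to the proxy first, which is how the sample persists.
    """
    v = value.strip()
    if v == DEFAULT_EXEFILE_COMMAND:
        return {"hijacked": False, "proxy": None, "reasons": []}
    m = _PROXY_RE.match(v)
    proxy = m.group("proxy") if m else None
    reasons = ['value is not the stock "%1" %*']
    if proxy is None:
        reasons.append("command shape not recognised; inspect by hand")
    else:
        name = proxy.rsplit("\\", 1)[-1].lower()
        stem, _, ext = name.rpartition(".")
        if ext != "exe":
            reasons.append("proxy %s has a non-.exe extension" % name)
        if stem in _SYSTEM_NAMES and "\\system32\\" not in proxy.lower():
            reasons.append("proxy borrows a system binary name outside System32")
    return {"hijacked": True, "proxy": proxy, "reasons": reasons}


def decode_oem_mojibake(text, source_codec="cp949"):
    """Recover a string the report rendered through OEM code page 437.

    reg.exe received the raw bytes of the batch file and the report showed
    each byte as its CP437 glyph.  Encoding the glyphs back to CP437 gives
    the original bytes, which decode under the code page the batch file was
    written in.  Korean (CP949) is an assumption, supported by the result
    reading as natural Korean; pass another codec if a label does not.
    """
    return text.encode("cp437").decode(source_codec)


def read_live_exefile_command():
    """Read the live value on a Windows host; returns None on other systems."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module, hence the local import
    path = r"SOFTWARE\Classes\exefile\shell\open\command"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        return winreg.QueryValueEx(key, "")[0]


if __name__ == "__main__":
    verdict = classify_exefile_command(REPORT_EXEFILE_COMMAND)
    print("report value:", REPORT_EXEFILE_COMMAND)
    print("hijacked:", verdict["hijacked"], "proxy:", verdict["proxy"])
    for reason in verdict["reasons"]:
        print("  -", reason)
    print("menu label:", decode_oem_mojibake(REPORT_MENU_LABEL))
    live = read_live_exefile_command()
    if live is not None:
        print("this host:", classify_exefile_command(live))
```

Run as a script it reports the report's value as hijacked via C:\Windows\svchost.com with three reasons (not the stock value, a .com rather than .exe proxy, and a system-binary name outside System32) and decodes the label to 방화벽 사용 안함. On a Windows host it also classifies the live value; if that is hijacked, restore "%1" %* only after removing C:\Windows\svchost.com and replacing every infected executable, otherwise the infector keeps its hook.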
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Process: svchost.exe, PID 2440
- Token: SeShutdownPrivilege
- Token: SeCreatePagefilePrivilege
- Token: SeShutdownPrivilege
- Token: SeCreatePagefilePrivilege
- Token: SeShutdownPrivilege
- Token: SeCreatePagefilePrivilege
All six hits are from PID 2440, the Windows Update service host (see the process tree), not from the sample or its children.
Suspicious use of WriteProcessMemory (15 IoCs)
Processes: 359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe, 359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe, cmd.exe, cmd.exe
- PID 3588 (359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe) wrote to memory of 1944 (359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe), 3 times
- PID 1944 (359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe) wrote to memory of 2284 (cmd.exe), 2 times
- PID 2284 (cmd.exe) wrote to memory of 4392 (cmd.exe), 2 times
- PID 4392 (cmd.exe) wrote to memory of 1292 (reg.exe), 2 times
- PID 2284 (cmd.exe) wrote to memory of 4788 (netsh.exe), 2 times
- PID 2284 (cmd.exe) wrote to memory of 1200 (reg.exe), 2 times
- PID 2284 (cmd.exe) wrote to memory of 2704 (reg.exe), 2 times
Every edge is a parent writing into a child it has just created, and the edges match the process tree below exactly; there is no write into an unrelated process, so this is ordinary process creation rather than injection.
Processes

- C:\Users\Admin\AppData\Local\Temp\359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe (PID 3588)
  command line: "C:\Users\Admin\AppData\Local\Temp\359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe"
  signatures: Modifies system executable filetype association; Checks computer location settings; Drops file in Program Files directory; Drops file in Windows directory; Modifies registry class; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\3582-490\359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe (PID 1944)
    command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe"
    signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe (PID 2284)
      command line: "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B9D7.tmp\B9D8.bat C:\Users\Admin\AppData\Local\Temp\3582-490\359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe"
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe (PID 4392)
        command line: C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\reg.exe (PID 1292)
          command line: reg query "HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall
      - C:\Windows\system32\netsh.exe (PID 4788)
        command line: netsh advfirewall set privateprofile state on
      - C:\Windows\system32\reg.exe (PID 1200)
        command line: Reg.exe add "HKLM\SOFTWARE\Classes\Directory\background\shell\FirewallOnOff" /v "Icon" /t REG_SZ /d "C:\Windows\system32\imageres.dll,101" /f
        signatures: Modifies registry class
      - C:\Windows\system32\reg.exe (PID 2704)
        command line: Reg.exe add "HKLM\SOFTWARE\Classes\Directory\background\shell\FirewallOnOff" /ve /t REG_SZ /d "╣µ╚¡║« ╗τ┐δ ╛╚╟╘" /f
        signatures: Modifies registry class

- C:\Windows\system32\svchost.exe (PID 2440)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken

Reading the tree: PID 3588 is the infected file and does all of the infector's work (the exefile hijack, the svchost.com drop, the mass opening of executables under Program Files). It then extracts and runs the clean host program as PID 1944, which launches a batch file (B9D8.bat) with its own path as argument. The batch reads the StandardProfile EnableFirewall value, turns the private-profile firewall on with netsh, and registers a desktop-background context-menu entry named FirewallOnOff with a Korean label meaning "Firewall off"; taken together this is what a small firewall on/off toggle utility does, and it is the host program's function, not the virus's. The sysnative alias only resolves for a 32-bit process on 64-bit Windows, so the host program is 32-bit. The svchost.exe at the bottom is the Windows Update service started independently by the system; it is not a child of the sample and the report shows no link between them.
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
- MD5: 4c7f6c95f09cad4461bd307a2c66d3f8
- SHA1: add6f61d5490c5873872d313b8d0486ec08c3ed7
- SHA256: a3e6aa14ac199c4c051c2646a15bb1d6b6fdfc53afde6b0c43886d2b21e35927
- SHA512: 3e0310da9041f6ecb8f3f12fd08076def65b4c9bdf14b48701d0c297571180f844d6c71d4c943eade5a4ad877ae471758584576c93188476ea92b3c313429da2
Same file name as the submitted sample, different hashes: this is the clean host program extracted from the infected file (see "Executes dropped EXE"). Hashes of the infector stub itself are not listed separately in this report.

C:\Users\Admin\AppData\Local\Temp\B9D7.tmp\B9D8.bat
- MD5: 0eb9a79994c76138fede24c947c5b616
- SHA1: 4953b14a02ebd61c7f112e1be2f5befa41d82ca6
- SHA256: eb9a37341edc21ca2e5c199637269425d978ca3b41ae23d6486cd125204e0cca
- SHA512: b106115e734afc090645092effec1015f051d394897ca584601a5a6960686e7046021fde7ec94555fc3c4c3c42f59b81b2920e665e87b231bbe74e64aa4dea27

memory/2440-137-0x000001E482390000-0x000001E4823A0000-memory.dmp
- Filesize: 64KB

memory/2440-144-0x000001E485770000-0x000001E485774000-memory.dmp
- Filesize: 16KB
Both memory dumps are from PID 2440, the Windows Update service host, not from the sample; no dump of the sample's own processes is included.