neshta | 029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7

Analysis

max time kernel
18s
max time network
17s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
03-12-2024 21:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Size

108KB
MD5

8a7b052532e2591124fb12b7ca6b7d40
SHA1

3bdb0a04ead94c7a6aae5d0e9226f471816336e4
SHA256

029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7
SHA512

77a1f088f68bf87e6ac494e3be968d54055b706b37a11a5f48c2adcbef72cf9c8ea43cd039c4fa93472dd77c6fe092ba3f072811dc0ce5c3fd3ce76d313050cb
SSDEEP

1536:JxqjQ+P04wsmJCyGQXCK+xtaRltoMk++H2r5t9PHXttTr7qz0IJgYH/wHwYMS+4o:sr85CeF6apnkLW/HX37kgewHTMSLo

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0001000000010319-12.dat	family_neshta
behavioral1/memory/2036-513-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2036-515-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Executes dropped EXE 1 IoCs

pid	Process
2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe

Loads dropped DLL 60 IoCs

pid	Process
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSINFO\MSINFO32.EXE	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPLAYER.EXE	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\PACKAG~1\{57A73~1\VC_RED~1.EXE	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\INTERN~1\IEINSTAL.EXE	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\INTERN~1\IELOWUTIL.EXE	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPSHARE.EXE	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMLAUNCH.EXE	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\PACKAG~1\{CA675~1\VCREDI~1.EXE	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\WI4223~1\SIDEBAR.EXE	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\INK\MIP.EXE	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~3\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\PACKAG~1\{61087~1\VCREDI~1.EXE	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPCONFIG.EXE	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe

Suspicious behavior: MapViewOfSection 24 IoCs

pid	Process
2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeTakeOwnershipPrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeRestorePrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeBackupPrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeChangeNotifyPrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeTakeOwnershipPrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeRestorePrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeBackupPrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeChangeNotifyPrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeTakeOwnershipPrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeRestorePrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeBackupPrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeChangeNotifyPrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeTakeOwnershipPrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeRestorePrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeBackupPrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeChangeNotifyPrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeTakeOwnershipPrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeRestorePrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeBackupPrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeChangeNotifyPrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeTakeOwnershipPrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeRestorePrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeBackupPrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeChangeNotifyPrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeTakeOwnershipPrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeRestorePrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeBackupPrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeChangeNotifyPrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeTakeOwnershipPrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeRestorePrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeBackupPrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeChangeNotifyPrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeTakeOwnershipPrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeRestorePrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeBackupPrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeChangeNotifyPrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeTakeOwnershipPrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeRestorePrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeBackupPrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeChangeNotifyPrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeTakeOwnershipPrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeRestorePrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeBackupPrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeChangeNotifyPrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeTakeOwnershipPrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeRestorePrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeBackupPrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeChangeNotifyPrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeTakeOwnershipPrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeRestorePrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeBackupPrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeChangeNotifyPrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeTakeOwnershipPrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeRestorePrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeBackupPrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeChangeNotifyPrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeTakeOwnershipPrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeRestorePrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeBackupPrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeChangeNotifyPrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeTakeOwnershipPrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeRestorePrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
Token: SeBackupPrivilege	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 2020	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	30
PID 2036 wrote to memory of 2020	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	30
PID 2036 wrote to memory of 2020	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	30
PID 2036 wrote to memory of 2020	2036	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	30
PID 2020 wrote to memory of 384	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	3
PID 2020 wrote to memory of 384	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	3
PID 2020 wrote to memory of 384	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	3
PID 2020 wrote to memory of 384	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	3
PID 2020 wrote to memory of 384	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	3
PID 2020 wrote to memory of 384	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	3
PID 2020 wrote to memory of 384	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	3
PID 2020 wrote to memory of 392	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	4
PID 2020 wrote to memory of 392	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	4
PID 2020 wrote to memory of 392	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	4
PID 2020 wrote to memory of 392	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	4
PID 2020 wrote to memory of 392	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	4
PID 2020 wrote to memory of 392	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	4
PID 2020 wrote to memory of 392	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	4
PID 2020 wrote to memory of 432	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	5
PID 2020 wrote to memory of 432	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	5
PID 2020 wrote to memory of 432	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	5
PID 2020 wrote to memory of 432	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	5
PID 2020 wrote to memory of 432	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	5
PID 2020 wrote to memory of 432	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	5
PID 2020 wrote to memory of 432	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	5
PID 2020 wrote to memory of 476	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	6
PID 2020 wrote to memory of 476	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	6
PID 2020 wrote to memory of 476	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	6
PID 2020 wrote to memory of 476	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	6
PID 2020 wrote to memory of 476	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	6
PID 2020 wrote to memory of 476	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	6
PID 2020 wrote to memory of 476	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	6
PID 2020 wrote to memory of 492	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	7
PID 2020 wrote to memory of 492	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	7
PID 2020 wrote to memory of 492	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	7
PID 2020 wrote to memory of 492	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	7
PID 2020 wrote to memory of 492	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	7
PID 2020 wrote to memory of 492	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	7
PID 2020 wrote to memory of 492	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	7
PID 2020 wrote to memory of 500	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	8
PID 2020 wrote to memory of 500	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	8
PID 2020 wrote to memory of 500	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	8
PID 2020 wrote to memory of 500	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	8
PID 2020 wrote to memory of 500	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	8
PID 2020 wrote to memory of 500	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	8
PID 2020 wrote to memory of 500	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	8
PID 2020 wrote to memory of 592	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	9
PID 2020 wrote to memory of 592	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	9
PID 2020 wrote to memory of 592	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	9
PID 2020 wrote to memory of 592	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	9
PID 2020 wrote to memory of 592	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	9
PID 2020 wrote to memory of 592	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	9
PID 2020 wrote to memory of 592	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	9
PID 2020 wrote to memory of 668	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	10
PID 2020 wrote to memory of 668	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	10
PID 2020 wrote to memory of 668	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	10
PID 2020 wrote to memory of 668	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	10
PID 2020 wrote to memory of 668	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	10
PID 2020 wrote to memory of 668	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	10
PID 2020 wrote to memory of 668	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	10
PID 2020 wrote to memory of 744	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	11
PID 2020 wrote to memory of 744	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	11
PID 2020 wrote to memory of 744	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	11
PID 2020 wrote to memory of 744	2020	029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe	11

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:384
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:476
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:592
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:1244
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:352
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:668
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:744
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:812
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1156
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:840
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:968
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:236
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:328
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1072
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1092
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:1524
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2256
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2120
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:492
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:500

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:392

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1184
- C:\Users\Admin\AppData\Local\Temp\029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
  "C:\Users\Admin\AppData\Local\Temp\029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe"
  2⤵
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Users\Admin\AppData\Local\Temp\3582-490\029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe
    "C:\Users\Admin\AppData\Local\Temp\3582-490\029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\029341651d1d9c9319085dd91146dc7602827378cc6b6a1b30a8d926fa2728a7N.exe

Filesize
68KB

MD5
1eb49c7183edba47934347f631b82fc9

SHA1
6000502e2993d8d6e46c3c16784d9e91367abc1a

SHA256
d9013c944a1d780562d8f5cda164614703682600df4ec299190ab68f0cca845a

SHA512
f30a6610d6346dac4b53ab9b10f34d3303040d42beec0a4e042be6d71b101509481f4eee3ae36d0bb15d0091ec1e155cd63ea89f0ffda9a8b8f2f6b59aed779d

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
280KB

MD5
989c5f107017114f6c1b702662428f38

SHA1
cdf24632d5019dc2311817e5b973cff3bba03bd3

SHA256
bb9f69286b0bf23ec4299c85ae08966b77f6646bc17990401cd2cef9ea72601a

SHA512
cff21470788cf2755d1fe24fe0e9f23d5c3b42bbf9c4e984759b5d0120acae376a6dbbebaefe99f190797c108204bd6e1895ead57b5aef13f634024292c7beb8

Download Submit
\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe

Filesize
322KB

MD5
2655308cce4093e017789d74172b43bb

SHA1
9148cbe1399fc9c50b31a7119c22534f8a96d53b

SHA256
f31b3016da0ddf36527355537ebcd08a9c5111d1156b565dffdac908e3d6a580

SHA512
b007776d55b21f7760ba43836ae2f3a0005ded5a1bdfb548929f78d6b0098ae9af3272434e68ac43b809e065dc65ac67518e71beba298579282460ae6f64757c

Download Submit
\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe

Filesize
1.2MB

MD5
bff2263b0b41b32f514684772592fdd8

SHA1
75bb2ed2b5ba97d53c2bf580e322dd61a09bf2dc

SHA256
e76de9d64db405175cdf3d256830486d552fc65b6e5955592a6a3f3c22f38684

SHA512
2aca7e63639e0d452f26d46f3269fc82c904ae2aac3ca09a964a79821fc2734bef4331d703a6d274dd9df6e4bb0e5f209cd8fcd34c8d1ea676c905d054dd411a

Download Submit
\PROGRA~2\INTERN~1\ieinstal.exe

Filesize
483KB

MD5
b4089c46227662203972ee144d6188b0

SHA1
89eab75177ff01bb15a213ddb282ed6d93a7defe

SHA256
97901d3df4a406170b3f6bf2b1845df42c97f043464cccbcf4de9e97c722cd3d

SHA512
4ada69dad1fac0247cd6a56a1bec9ed000d07a8dfd647791ce2c898d96a2929f235b96746a8b8733541dbf0ac2df86e8c30f80287f5a9120bca772f23ec64300

Download Submit
\PROGRA~2\INTERN~1\ielowutil.exe

Filesize
244KB

MD5
2163967c4dd5357ce8c1be71a65a60cf

SHA1
cd76f7f93fecd6b315fe771fe8abc93c7aea99a8

SHA256
197fb95a613119fa8f3814597809782e2366122198099c86c07ebd0f32b62173

SHA512
87c096b90672a1ad541352a45205874678227981026eddb927687980c0e638bd9e77dcc1a82510d80dc020e981e273f730d41c4329b3d6538af5b7784036907b

Download Submit
\PROGRA~2\WI4223~1\sidebar.exe

Filesize
1.1MB

MD5
c175275d20be039b5898709681892e5c

SHA1
bca33286c4ac96dd559a17130c3f2f96d3946a69

SHA256
75a88b47cea32d6214522e9f981b737e57bb73a568e6488b6825daeb05621e9b

SHA512
41dd1f071a7d60eb62a42b270b0f97a230efc08d74f9637b3fc03877ce9769b2f8c30c99da99d8471332dadcafcec1e8a288aea85ed30e1375c9f7c95be0aacb

Download Submit
\PROGRA~2\WI54FB~1\WMPDMC.exe

Filesize
986KB

MD5
3e49ca0c5fec958c10f9b6689637de81

SHA1
69d6267eb6c77a7d10ac03b336aae38481648f6a

SHA256
6bcd9c0430d94dfcaed483d5ba175af7de1576d5d4a93e31ae7b8e31ece1b6c4

SHA512
25ebd912545a2de8423328e846540a21ea0c759b73532cd0945a78814faa806cc4edc125a92be3f67892098d66dd34f26f7ec4d451690616cb99f33773333639

Download Submit
\PROGRA~2\WI54FB~1\setup_wm.exe

Filesize
1.9MB

MD5
3bae0d6ebc5ed70c00be179f93230728

SHA1
3205fadc32fc521dea6f2fee1a419d3699ae78bd

SHA256
5466fba9f3b14ae859926722a58a28e3f5a22d324313bec1099c53fda1c81138

SHA512
86c3e7dc24b2ac6a9581c1124b2064cb38dc662653c4fe8312c001bf82117c6b80535a95339f7c004495faf8fac190e7902deae0e77a08f822d1792d69555108

Download Submit
\PROGRA~2\WI54FB~1\wmlaunch.exe

Filesize
249KB

MD5
b33784ebed7224a5d20dd78cb5c1b334

SHA1
c35febce7c7fe827b8612fa41af2877a68adaea4

SHA256
276cdd8cb01c392ff915bf60c69304f1c4ddfc12564f4251187865d786d7cade

SHA512
84bab440b707fdf61cf3672f8c9c1e1b012d51904b8c71d8ed00c50baade6426b04e348467e60830f1a70653fcab7d497b7732ccb108c70f9d875c4570a49b90

Download Submit
\PROGRA~2\WI54FB~1\wmpconfig.exe

Filesize
126KB

MD5
26ce997c798edd868c002f59a7ff3950

SHA1
b83a9d9cb58ec0e37aef8f6966521cc9fb631cad

SHA256
dd422058c04aba7bfe2ad7ce3fbd8db03b134baf3af23aa6ff23168774cc374a

SHA512
41cc2dd1d6eb34738f7924509420b52da91cbbba72fb2437905d983e36cc01a1213865807ca04441410bb4733281b8e5d1b5c961e032eadbf4d2b5d57d72b75f

Download Submit
\PROGRA~2\WI54FB~1\wmplayer.exe

Filesize
187KB

MD5
87c5b1cb9373252296d38eda82f1690f

SHA1
ca40dcd58bc13dba07330ab8fa2f411d8699691a

SHA256
30c865802861138cd7ed5d6884f568b4996dad695df6a7e613b98f046c7bb202

SHA512
657615a205064738720ee96d18f9a6e76abaedfd89b5c24f52770c3472f118a2870e85074fbedb382b15799595f16103f695c6c42b17d1a1ff2720ea078ef0c1

Download Submit
\PROGRA~2\WI54FB~1\wmprph.exe

Filesize
88KB

MD5
1ff5d6e00fa53b72afe79d597afe5ae8

SHA1
d3f85353050892f8b38cea894a30d6d7ea7397f8

SHA256
c89ba22998441ce79b1ada9d5d88bb99252fb14d221ab31632815f38ced7baf9

SHA512
8702f492fd8d1535cfff7f2b628e022f02478a846aa78eda00a23bb06f8c66652ac47c9033deaeed5e05e5766e5cb9efa1be1435cb70b4253af06e629e6c37d7

Download Submit
\PROGRA~2\WI54FB~1\wmpshare.exe

Filesize
126KB

MD5
a92ecdfab65f41a7b4f9d8178b23d147

SHA1
8742e3c43d1d394925732fad810a79f59687f68f

SHA256
13c4a3bb91ede4b75c7311660c01ecf16a07ec23c115a35b71b55b680d68097a

SHA512
a18d504c8abfabc1c151631ce3cadf577fbca859dfb7007d79fa1881faea2778fdbd486b48f2a1841341f91b44b3663d2cac4d46413f96f61a98a7f70df298b9

Download Submit
\PROGRA~2\WINDOW~1\WinMail.exe

Filesize
414KB

MD5
76586e421805fd2bd6f74a464ca24f4d

SHA1
5a136b5921599e7dc07a2e47a4d15f60754fd3c9

SHA256
c28f88985f84e25e0388e76f1816f0378342b7894450da88bef2e90f75790c48

SHA512
1905a792ce1de7d443f103f182c43b99bab2b5c97ccd8bd0caeceb5c0cd002e0e791ce40e1cdc3092244aa862836eea1857040a543d0b1db781f4128e757674d

Download Submit
\PROGRA~2\WINDOW~1\wab.exe

Filesize
530KB

MD5
34adccb2c2640e77219785eadc9c08b7

SHA1
251d253d90cf605480d734f5331ef9f26a111b14

SHA256
4dbff4dcfd5fa53c99c1c4e9bd9e64b2e0f608133cb79698af839c157c27ef40

SHA512
563c8dfc5ed6ce2ed7bbb583eb51f9e164e519752030647e0bbd77c0fe1f5407609bdbcf947759307cc94ab57f8498415e39fd0ac138333286752e6a0ce921e8

Download Submit
\PROGRA~2\WINDOW~1\wabmig.exe

Filesize
90KB

MD5
b106d580dad64f540a7c43dd5918f1d7

SHA1
e6ea7d1100efa5f227f30143024ad46466702831

SHA256
370883929edcdf61c6f63a73e9942a1111638fac3079d70588db86927b96fcda

SHA512
8f569262a0eca84b244b1087f0e75cf10d31f12fa89681bb6fda0a80bfd5de8db93a1cf2851dbe2e25ae5531c08df7ea51c5b25ecbaa2f9685fe3ad229701b51

Download Submit
\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe

Filesize
4.1MB

MD5
1baa406d29ee0754012f07c6283100dc

SHA1
657d91d65ba82f2da1d31b60301826820287aa93

SHA256
3dfe640f0a1b8ef1a8320d369111a287a367f8f7514c349a15b1353ea236c5a0

SHA512
9615a1f8b82787d48a480a5815ec9925bd4d5d18b9a9ed8e1f43af2ec8e81e22c8f7b91623db2c4a558b8d5df6c634a7de26eff30c004566ec11d2ec3712460b

Download Submit
\Users\Admin\AppData\Local\Temp\ose00000.exe

Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
memory/2020-17-0x0000000001000000-0x0000000001014000-memory.dmp

Filesize
80KB

Download
memory/2020-8-0x0000000001000000-0x0000000001014000-memory.dmp

Filesize
80KB

Download
memory/2020-14-0x0000000077AE0000-0x0000000077AE1000-memory.dmp

Filesize
4KB

Download
memory/2020-13-0x0000000077ADF000-0x0000000077AE0000-memory.dmp

Filesize
4KB

Download
memory/2036-92-0x0000000002A00000-0x0000000002A1A000-memory.dmp

Filesize
104KB

Download
memory/2036-7-0x0000000002A00000-0x0000000002A14000-memory.dmp

Filesize
80KB

Download
memory/2036-25-0x0000000002D50000-0x0000000002D97000-memory.dmp

Filesize
284KB

Download
memory/2036-96-0x000000007EF90000-0x000000007EF9C000-memory.dmp

Filesize
48KB

Download
memory/2036-97-0x0000000002D50000-0x0000000002F46000-memory.dmp

Filesize
2.0MB

Download
memory/2036-90-0x0000000002D50000-0x0000000002DD7000-memory.dmp

Filesize
540KB

Download
memory/2036-99-0x0000000002D50000-0x0000000002D92000-memory.dmp

Filesize
264KB

Download
memory/2036-59-0x0000000002D50000-0x0000000002D90000-memory.dmp

Filesize
256KB

Download
memory/2036-101-0x0000000002D50000-0x0000000002D73000-memory.dmp

Filesize
140KB

Download
memory/2036-15-0x0000000077ADF000-0x0000000077AE0000-memory.dmp

Filesize
4KB

Download
memory/2036-103-0x0000000002D50000-0x0000000002E4C000-memory.dmp

Filesize
1008KB

Download
memory/2036-16-0x000000007EF90000-0x000000007EF9C000-memory.dmp

Filesize
48KB

Download
memory/2036-105-0x0000000002D50000-0x0000000002D83000-memory.dmp

Filesize
204KB

Download
memory/2036-57-0x0000000002D50000-0x0000000002DCD000-memory.dmp

Filesize
500KB

Download
memory/2036-107-0x0000000002A00000-0x0000000002A19000-memory.dmp

Filesize
100KB

Download
memory/2036-36-0x0000000002D50000-0x0000000002DA9000-memory.dmp

Filesize
356KB

Download
memory/2036-109-0x0000000002D50000-0x0000000002D74000-memory.dmp

Filesize
144KB

Download
memory/2036-18-0x0000000077AE0000-0x0000000077AE1000-memory.dmp

Filesize
4KB

Download
memory/2036-112-0x0000000002D50000-0x0000000003166000-memory.dmp

Filesize
4.1MB

Download
memory/2036-94-0x0000000002D50000-0x0000000002DBB000-memory.dmp

Filesize
428KB

Download
memory/2036-114-0x0000000002D50000-0x0000000002E7A000-memory.dmp

Filesize
1.2MB

Download
memory/2036-34-0x0000000002D50000-0x0000000002E85000-memory.dmp

Filesize
1.2MB

Download
memory/2036-252-0x0000000002A00000-0x0000000002A14000-memory.dmp

Filesize
80KB

Download
memory/2036-260-0x0000000002A00000-0x0000000002A14000-memory.dmp

Filesize
80KB

Download
memory/2036-275-0x0000000002A00000-0x0000000002A14000-memory.dmp

Filesize
80KB

Download
memory/2036-283-0x0000000002A00000-0x0000000002A14000-memory.dmp

Filesize
80KB

Download
memory/2036-316-0x0000000002A00000-0x0000000002A14000-memory.dmp

Filesize
80KB

Download
memory/2036-324-0x0000000002A00000-0x0000000002A14000-memory.dmp

Filesize
80KB

Download
memory/2036-348-0x0000000002A00000-0x0000000002A14000-memory.dmp

Filesize
80KB

Download
memory/2036-339-0x0000000002A00000-0x0000000002A14000-memory.dmp

Filesize
80KB

Download
memory/2036-332-0x0000000002A00000-0x0000000002A14000-memory.dmp

Filesize
80KB

Download
memory/2036-356-0x0000000002A00000-0x0000000002A14000-memory.dmp

Filesize
80KB

Download
memory/2036-364-0x0000000002A00000-0x0000000002A14000-memory.dmp

Filesize
80KB

Download
memory/2036-380-0x0000000002A00000-0x0000000002A14000-memory.dmp

Filesize
80KB

Download
memory/2036-379-0x0000000002A00000-0x0000000002A14000-memory.dmp

Filesize
80KB

Download
memory/2036-513-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2036-515-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2036-516-0x000000007EF90000-0x000000007EF9C000-memory.dmp

Filesize
48KB

Download