Analysis
max time kernel: 96s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-01-2025 03:19
Behavioral task: behavioral1
Sample: 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
Resource: win7-20241010-en
General
Target: 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
Size: 2.5MB
MD5: 7d34fda9c89105cfd5c99260061b0642
SHA1: b0249486724a6777cec133bb3818900378fec31c
SHA256: 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060
SHA512: 574aca7696402594c44180f24352b7ce5258a58879ac7a795bac0f4a5c3b73f15fcba7f6b04c7119b15107dffec076ab25dfc95d3630e1c7e5301c492667b7b1
SSDEEP: 49152:crenjNJBfl7UGDxNug/EQ85aaKAdtl0Wf+:0eD7XV+9asT+
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
http://klkjwre77638dfqwieuoi888.info/
Signatures

Detect Neshta payload (7 IoCs)
resource | yara_rule
behavioral2/memory/1804-0-0x0000000000400000-0x000000000042E000-memory.dmp | family_neshta
behavioral2/files/0x0008000000023caf-10.dat | family_neshta
behavioral2/memory/1804-123-0x0000000000400000-0x000000000042E000-memory.dmp | family_neshta
behavioral2/memory/1804-131-0x0000000000400000-0x000000000042E000-memory.dmp | family_neshta
behavioral2/memory/1804-150-0x0000000000400000-0x000000000042E000-memory.dmp | family_neshta
behavioral2/memory/1804-174-0x0000000000400000-0x000000000042E000-memory.dmp | family_neshta
behavioral2/memory/1804-201-0x0000000000400000-0x000000000042E000-memory.dmp | family_neshta

Modifies firewall policy service (3 TTPs, 3 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
Neshta
Malware from the Neshta family inserts itself into other files in order to spread and cause damage.

Neshta family

Sality family
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
Disables RegEdit via registry modification (1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe

Disables Task Manager via registry modification
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
Executes dropped EXE (1 IoCs)
pid | Process
848 | 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe

Modifies system executable filetype association (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe

resource | yara_rule
behavioral2/memory/1804-4-0x0000000002310000-0x000000000339E000-memory.dmp | upx
behavioral2/memory/1804-1-0x0000000002310000-0x000000000339E000-memory.dmp | upx
behavioral2/memory/1804-15-0x0000000002310000-0x000000000339E000-memory.dmp | upx
behavioral2/memory/1804-5-0x0000000002310000-0x000000000339E000-memory.dmp | upx
behavioral2/memory/1804-3-0x0000000002310000-0x000000000339E000-memory.dmp | upx
behavioral2/memory/1804-19-0x0000000002310000-0x000000000339E000-memory.dmp | upx
behavioral2/memory/1804-18-0x0000000002310000-0x000000000339E000-memory.dmp | upx
behavioral2/memory/1804-16-0x0000000002310000-0x000000000339E000-memory.dmp | upx
behavioral2/memory/1804-20-0x0000000002310000-0x000000000339E000-memory.dmp | upx
behavioral2/memory/1804-22-0x0000000002310000-0x000000000339E000-memory.dmp | upx
behavioral2/memory/1804-115-0x0000000002310000-0x000000000339E000-memory.dmp | upx
behavioral2/memory/1804-116-0x0000000002310000-0x000000000339E000-memory.dmp | upx
behavioral2/memory/1804-121-0x0000000002310000-0x000000000339E000-memory.dmp | upx
behavioral2/memory/1804-122-0x0000000002310000-0x000000000339E000-memory.dmp | upx
behavioral2/memory/1804-126-0x0000000002310000-0x000000000339E000-memory.dmp | upx
behavioral2/memory/1804-127-0x0000000002310000-0x000000000339E000-memory.dmp | upx
behavioral2/memory/1804-130-0x0000000002310000-0x000000000339E000-memory.dmp | upx
behavioral2/memory/1804-132-0x0000000002310000-0x000000000339E000-memory.dmp | upx
behavioral2/memory/1804-133-0x0000000002310000-0x000000000339E000-memory.dmp | upx
behavioral2/memory/1804-139-0x0000000002310000-0x000000000339E000-memory.dmp | upx
behavioral2/memory/1804-140-0x0000000002310000-0x000000000339E000-memory.dmp | upx
behavioral2/memory/1804-144-0x0000000002310000-0x000000000339E000-memory.dmp | upx
behavioral2/memory/1804-145-0x0000000002310000-0x000000000339E000-memory.dmp | upx
behavioral2/memory/1804-147-0x0000000002310000-0x000000000339E000-memory.dmp | upx
behavioral2/memory/1804-148-0x0000000002310000-0x000000000339E000-memory.dmp | upx
behavioral2/memory/1804-149-0x0000000002310000-0x000000000339E000-memory.dmp | upx
behavioral2/memory/1804-153-0x0000000002310000-0x000000000339E000-memory.dmp | upx
behavioral2/memory/1804-154-0x0000000002310000-0x000000000339E000-memory.dmp | upx
behavioral2/memory/1804-157-0x0000000002310000-0x000000000339E000-memory.dmp | upx
behavioral2/memory/1804-158-0x0000000002310000-0x000000000339E000-memory.dmp | upx
behavioral2/memory/1804-160-0x0000000002310000-0x000000000339E000-memory.dmp | upx
behavioral2/memory/1804-167-0x0000000002310000-0x000000000339E000-memory.dmp | upx
behavioral2/memory/1804-166-0x0000000002310000-0x000000000339E000-memory.dmp | upx
behavioral2/memory/1804-170-0x0000000002310000-0x000000000339E000-memory.dmp | upx
behavioral2/memory/1804-171-0x0000000002310000-0x000000000339E000-memory.dmp | upx
behavioral2/memory/1804-175-0x0000000002310000-0x000000000339E000-memory.dmp | upx
behavioral2/memory/1804-176-0x0000000002310000-0x000000000339E000-memory.dmp | upx
behavioral2/memory/1804-177-0x0000000002310000-0x000000000339E000-memory.dmp | upx
behavioral2/memory/1804-202-0x0000000002310000-0x000000000339E000-memory.dmp | upx
Drops file in Program Files directory (64 IoCs)
description | ioc (Process is 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe for every row)
File opened for modification | C:\PROGRA~2\Google\Update\DISABL~1.EXE
File opened for modification | C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE
File opened for modification | C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE
File opened for modification | C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
File opened for modification | C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
File opened for modification | C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe
File opened for modification | C:\PROGRA~2\WINDOW~2\wabmig.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\wmlaunch.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE
File opened for modification | C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE
File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
File opened for modification | C:\PROGRA~2\WINDOW~4\wmpconfig.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE
File opened for modification | C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe
File opened for modification | C:\PROGRA~2\INTERN~1\ieinstal.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE
File opened for modification | C:\PROGRA~2\WINDOW~4\wmprph.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE
File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE
File opened for modification | C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE
File opened for modification | C:\PROGRA~2\WINDOW~4\wmpshare.exe
File opened for modification | C:\PROGRA~2\WINDOW~2\wab.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\setup_wm.exe
File opened for modification | C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe
File opened for modification | C:\PROGRA~2\WI8A19~1\ImagingDevices.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
File opened for modification | C:\Windows\svchost.com | 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage or optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
Modifies registry class (1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
pid | Process
1804 | 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
1804 | 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
1804 | 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
1804 | 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
1804 | 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
1804 | 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
1804 | 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
1804 | 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
1804 | 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
1804 | 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1804 | 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe (this identical entry is recorded 64 times)
Suspicious use of WriteProcessMemory (64 IoCs)
description | procid_target (pid is 1804 and Process is 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe for every row)
PID 1804 wrote to memory of 800 | 9
PID 1804 wrote to memory of 804 | 10
PID 1804 wrote to memory of 400 | 13
PID 1804 wrote to memory of 2852 | 49
PID 1804 wrote to memory of 2892 | 50
PID 1804 wrote to memory of 2880 | 52
PID 1804 wrote to memory of 3472 | 56
PID 1804 wrote to memory of 3632 | 57
PID 1804 wrote to memory of 3832 | 58
PID 1804 wrote to memory of 3916 | 59
PID 1804 wrote to memory of 3988 | 60
PID 1804 wrote to memory of 4088 | 61
PID 1804 wrote to memory of 4180 | 62
PID 1804 wrote to memory of 2140 | 75
PID 1804 wrote to memory of 3468 | 76
PID 1804 wrote to memory of 848 | 82
PID 1804 wrote to memory of 848 | 82
PID 1804 wrote to memory of 848 | 82
PID 1804 wrote to memory of 800 | 9
PID 1804 wrote to memory of 804 | 10
PID 1804 wrote to memory of 400 | 13
PID 1804 wrote to memory of 2852 | 49
PID 1804 wrote to memory of 2892 | 50
PID 1804 wrote to memory of 2880 | 52
PID 1804 wrote to memory of 3472 | 56
PID 1804 wrote to memory of 3632 | 57
PID 1804 wrote to memory of 3832 | 58
PID 1804 wrote to memory of 3916 | 59
PID 1804 wrote to memory of 3988 | 60
PID 1804 wrote to memory of 4088 | 61
PID 1804 wrote to memory of 4180 | 62
PID 1804 wrote to memory of 2140 | 75
PID 1804 wrote to memory of 3468 | 76
PID 1804 wrote to memory of 848 | 82
PID 1804 wrote to memory of 848 | 82
PID 1804 wrote to memory of 2408 | 83
PID 1804 wrote to memory of 800 | 9
PID 1804 wrote to memory of 804 | 10
PID 1804 wrote to memory of 400 | 13
PID 1804 wrote to memory of 2852 | 49
PID 1804 wrote to memory of 2892 | 50
PID 1804 wrote to memory of 2880 | 52
PID 1804 wrote to memory of 3472 | 56
PID 1804 wrote to memory of 3632 | 57
PID 1804 wrote to memory of 3832 | 58
PID 1804 wrote to memory of 3916 | 59
PID 1804 wrote to memory of 3988 | 60
PID 1804 wrote to memory of 4088 | 61
PID 1804 wrote to memory of 4180 | 62
PID 1804 wrote to memory of 2140 | 75
PID 1804 wrote to memory of 3468 | 76
PID 1804 wrote to memory of 800 | 9
PID 1804 wrote to memory of 804 | 10
PID 1804 wrote to memory of 400 | 13
PID 1804 wrote to memory of 2852 | 49
PID 1804 wrote to memory of 2892 | 50
PID 1804 wrote to memory of 2880 | 52
PID 1804 wrote to memory of 3472 | 56
PID 1804 wrote to memory of 3632 | 57
PID 1804 wrote to memory of 3832 | 58
PID 1804 wrote to memory of 3916 | 59
PID 1804 wrote to memory of 3988 | 60
PID 1804 wrote to memory of 4088 | 61
PID 1804 wrote to memory of 4180 | 62
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
Processes
(image path | command line | PID; indentation shows parent/child nesting)
-
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:800
-
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:804
-
C:\Windows\system32\dwm.exe | "dwm.exe" | PID:400
-
C:\Windows\system32\sihost.exe | sihost.exe | PID:2852
-
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2892
-
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:2880
-
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3472
  -
  C:\Users\Admin\AppData\Local\Temp\80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe | "C:\Users\Admin\AppData\Local\Temp\80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe"
  - Modifies firewall policy service
  - UAC bypass
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Modifies system executable filetype association
  - Windows security modification
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1804
    -
    C:\Users\Admin\AppData\Local\Temp\3582-490\80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe | "C:\Users\Admin\AppData\Local\Temp\3582-490\80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:848
      -
      C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:2408
-
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3632
-
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3832
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3916
-
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3988
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:4088
-
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4180
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:2140
-
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3468
Network
MITRE ATT&CK Enterprise v15
(tactic, then technique / sub-technique with the number of matching signatures)
Persistence
Create or Modify System Process 1
Windows Service 1
Event Triggered Execution 1
Change Default File Association 1
Privilege Escalation
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Create or Modify System Process 1
Windows Service 1
Event Triggered Execution 1
Change Default File Association 1
Defense Evasion
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Impair Defenses 4
Disable or Modify System Firewall 1
Disable or Modify Tools 3
Modify Registry 6
Credential Access
Credentials from Password Stores 1
Credentials from Web Browsers 1
Unsecured Credentials 1
Credentials In Files 1
Downloads
-
C:\Users\Admin\AppData\Local\Temp\0E579896_Rar\80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
Filesize 2.4MB
MD5 38de3be9b742e3cf956a38368ef47971
SHA1 48b59b6940cd7c8be80377677d0a882e3cb80a5c
SHA256 29b2dbc59ee8e6960353e5f5b405df41d8f617d71fd134136b340c1636276faf
SHA512 b5c535a738989a0b52e81b6233e6ffea3559a2b4859d26c33adf212ff64408ef19603986421d44ef8a2f5553437c9799509988fd0d7d21e3a57941487cc18f9b
-
C:\Users\Admin\AppData\Local\Temp\3582-490\80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
Filesize 2.3MB
MD5 108b16788e195e9f7b6cbabda9204068
SHA1 d1118f08a1eddf94b80ad07e37c869522d2d56d0
SHA256 9f8fabe5f9904c8a6952cb0977a0c192e6ff30a795f69c8bd5d976658729e338
SHA512 b14cc268c7538e1bc50e1d830eba8fd09f14ef3185a6cc0b56af3ed8b2d3f465517cef3075c0a9c576c61ed6e59b8aa408e741d620cd0fdd62b85108213eedef