Analysis
max time kernel: 85s
max time network: 49s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 30-08-2022 19:27
Static task: static1
Behavioral task: behavioral1
  Sample: 3c486c0379adb13b1681348c6d6320c5.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 3c486c0379adb13b1681348c6d6320c5.exe
  Resource: win10v2004-20220812-en
(The signatures and process tree below are from behavioral1, the Windows 7 x64 run.)
General
Target: 3c486c0379adb13b1681348c6d6320c5.exe
Size: 583KB
MD5: 3c486c0379adb13b1681348c6d6320c5
SHA1: 04d7990377aa80f4ae8eff03755ce355fabdbc38
SHA256: b337ab8ee2fddfd12f279affb5f88c35bdc195d62c2d6bd4343b567a22f5d04f
SHA512: 57d78f4753dc087b7b03f032840751b36baab2337c27b60090c927be28b2f805f74f635491dc4fd25dd47746f00610ace50d77bb635bcd163370ab8d290b5050
SSDEEP: 12288:jadDbBU0mhLjrl7RvL8GIapZLv4foexa+ega+ega+en:ja1WzvoraPaa+3a+3a+c
Malware Config
Signatures
-
Detect Neshta payload 39 IoCs
YARA rule family_neshta matched the following resources (hit counts add up to the 39 IoCs; the same path is matched once per scan of a new process image):
  \Users\Admin\AppData\Local\Temp\3c486c0379adb13b1681348c6d6320c5.exe (2)
  C:\Users\Admin\AppData\Local\Temp\3c486c0379adb13b1681348c6d6320c5.exe (2)
  \Users\Admin\AppData\Local\Temp\3582-490\3c486c0379adb13b1681348c6d6320c5.exe (16)
  C:\Users\Admin\AppData\Local\Temp\3582-490\3c486c0379adb13b1681348c6d6320c5.exe (9)
  C:\Windows\svchost.com (8)
  C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe (1)
  C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE (1)
Note that the copy extracted to %TEMP%\3582-490\ matches the family rule as well: the "original" program that the loader unpacks is itself infected, which is why the process tree below keeps relaunching it.
Modifies system executable filetype association 2 TTPs 1 IoCs
Process: 3c486c0379adb13b1681348c6d6320c5.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ (Default) = C:\Windows\svchost.com "%1" %*  (shown unescaped)
Neshta
Neshta is a prepending file infector: it writes its own body in front of the .exe files it finds, so launching an infected program runs the virus first; the virus then drops the original program under %TEMP%\3582-490\ and executes it from there (the 3582-490 paths above and the alternating svchost.com / 3C486C~1.EXE pairs in the process tree are that hand-off). It installs its loader as C:\Windows\svchost.com, writes a small state file C:\Windows\directx.sys, and replaces the exefile open handler (clean value: "%1" %*) with C:\Windows\svchost.com "%1" %*, so that every later .exe launch on the machine passes through the loader. It spreads by infecting executables, which is what the "opened for modification" events on Program Files and MSOCache binaries below record. Because the copy it extracts to 3582-490 in this run is also infected, each relaunch repeats the cycle and produces the 44-deep chain.
-
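The exefile hijack recorded above is the single most useful host-level check for this family. The following script is an added example, not code from the report or from the sandbox vendor: it decides whether an exefile\shell\open\command value is the Windows default or has a launcher interposed in front of %1, and on Windows reads the live value with winreg. The constants are taken from this report; the token splitter is a deliberately small quote-aware split, not a full CommandLineToArgvW.

```python
r"""Check whether the exefile open handler has been hijacked the way Neshta does it.

Added example; it is not part of the sandbox report. Neshta sets
HKLM\SOFTWARE\Classes\exefile\shell\open\command to
    C:\Windows\svchost.com "%1" %*
so every .exe launch is routed through its dropped loader first. The clean
Windows default for that value is "%1" %* (target and its arguments, nothing
in front). The registry read is real (winreg) but only runs on Windows; the
string-level check works anywhere and is what the sample values exercise.
"""
import re
import sys
from typing import List, Optional

DEFAULT_EXEFILE_COMMAND = '"%1" %*'
# Value observed in this report (shown unescaped).
OBSERVED_NESHTA_COMMAND = 'C:\\Windows\\svchost.com "%1" %*'

# A quoted span, or a run of non-whitespace: enough for shell\open\command values.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def split_windows_command(cmd: str) -> List[str]:
    """Split a command string on whitespace while keeping quoted spans whole."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in TOKEN_RE.finditer(cmd)]


def interposed_launcher(command_value: str) -> Optional[str]:
    """Program that runs before the real target, or None when the handler is clean.

    Clean means the first token is the %1 placeholder itself; anything in front
    of it is an interposed launcher, whether or not it is called svchost.com.
    """
    tokens = split_windows_command(command_value.strip())
    if not tokens or tokens[0] == "%1":
        return None
    return tokens[0]


def is_exefile_hijacked(command_value: str) -> bool:
    """True unless the handler is exactly the default "%1" %*."""
    return split_windows_command(command_value.strip()) != ["%1", "%*"]


def read_live_exefile_command() -> Optional[str]:
    r"""Read the live (Default) value of exefile\shell\open\command (Windows only)."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module, imported lazily
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Classes\exefile\shell\open\command") as key:
        value, _ = winreg.QueryValueEx(key, "")  # "" selects the (Default) value
    return value


if __name__ == "__main__":
    # Off Windows there is no registry, so fall back to the value from the report.
    live = read_live_exefile_command() or OBSERVED_NESHTA_COMMAND
    print("exefile command:", live)
    if is_exefile_hijacked(live):
        print("HIJACKED; interposed launcher:", interposed_launcher(live))
        print("expected value:", DEFAULT_EXEFILE_COMMAND)
    else:
        print("clean")
```

Remediation order matters: restore the (Default) value to "%1" %* before deleting C:\Windows\svchost.com, otherwise every .exe launch (including the tools you clean up with) fails to resolve its handler. The check is written against the exefile ProgID because that is the one this sample touches; the same function applies unchanged to comfile, batfile and the other executable ProgIDs if you want to sweep them too.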
Executes dropped EXE 64 IoCs
Processes, grouped by image (PIDs in the order the sandbox reported them):
  svchost.exe (C:\Windows\svchost.exe): 948, 1436, 1680
  3c486c0379adb13b1681348c6d6320c5.exe: 1812, 1272, 1972
  svchost.com (C:\Windows\svchost.com): 840, 1252, 432, 1980, 1344, 900, 1932, 1244, 1488, 1588, 1776, 1804, 1484, 1948, 1564, 680, 1596, 1544, 1940, 1864, 1248, 1120, 2028, 1632, 624, 1956, 968, 2020, 1520
  3C486C~1.EXE (C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE): 1632, 1508, 2008, 808, 1028, 868, 1848, 1304, 1696, 1760, 2032, 1808, 1508, 544, 616, 976, 1600, 1516, 1256, 1932, 1244, 1488, 2044, 1608, 1260, 1368, 1952, 1988, 1548
PIDs 1508, 1632, 1932, 1244 and 1488 each appear twice, once per image, because Windows recycled them within the 85-second run; when correlating these lists with the process tree, key on (PID, image, order), not on PID alone.
-
UPX packed file 2 IoCs
YARA rule upx matched these memory regions:
  behavioral1/memory/2008-1034-0x00000000003A0000-0x00000000003C9000-memory.dmp
  behavioral1/memory/2000-1037-0x0000000000400000-0x0000000000429000-memory.dmp
Loads dropped DLL 64 IoCs
Processes (PID, image, number of records):
  948 svchost.exe (2)
  1680 svchost.exe (2)
  1812 3c486c0379adb13b1681348c6d6320c5.exe (6)
  1972 3c486c0379adb13b1681348c6d6320c5.exe (4)
  svchost.com, 2 records each: 840, 1252, 432, 1980, 1344, 900, 1932, 1244, 1488, 1588, 1776, 1804, 1484, 1948, 1564, 680, 1596, 1544, 1940, 1864, 1248, 1120, 2028, 1632, 624
Reads user/profile data of web browsers 2 TTPs
The signature's generic description refers to infostealers targeting saved credentials. Nothing else in this report shows browser profile data being read; the only browser-related file events are modifications of the Mozilla maintenance and uninstall executables under Program Files (listed below), which is the file infector at work. Do not read this hit as credential theft unless a profile-file access (cookies, logins, history databases) shows up in the file events.
-
Drops file in Program Files directory 64 IoCs
Processes: 3c486c0379adb13b1681348c6d6320c5.exe (two instances; PIDs 1812 and 1972 in the process tree)
Every record is "File opened for modification" by 3c486c0379adb13b1681348c6d6320c5.exe, in the order reported (a path listed twice was touched once by each instance):
  C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
  C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE
  C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
  C:\PROGRA~2\WI54FB~1\setup_wm.exe
  C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe
  C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe
  C:\PROGRA~2\WI54FB~1\wmprph.exe
  C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE
  C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
  C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE
  C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE
  C:\PROGRA~2\WINDOW~1\WinMail.exe
  C:\PROGRA~2\WINDOW~1\wabmig.exe
  C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE
  C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE
  C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE
  C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE
  C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE
  C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE
  C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE
  C:\PROGRA~2\WI54FB~1\WMPDMC.exe
  C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe
  C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE
  C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE
  C:\PROGRA~2\MICROS~1\Office14\OIS.EXE
  C:\PROGRA~2\WINDOW~4\ImagingDevices.exe
  C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE
  C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE
  C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE
  C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE
  C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE
  C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE
  C:\PROGRA~2\WI4223~1\sidebar.exe
  C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE
  C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe
  C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe
  C:\PROGRA~2\MICROS~1\Office14\misc.exe
  C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE
  C:\PROGRA~2\WI54FB~1\wmplayer.exe
  C:\PROGRA~2\WI54FB~1\wmprph.exe
  C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
  C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
  C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE
  C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE
  C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE
  C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE
  C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE
  C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
  C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE
  C:\PROGRA~2\MICROS~1\Office14\misc.exe
  C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE
  C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe
  C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
  C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE
  C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE
  C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE
  C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE
  C:\PROGRA~2\WI54FB~1\wmlaunch.exe
  C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe
  C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE
  C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE
  C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE
  C:\PROGRA~2\WINDOW~1\WinMail.exe
  C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE
The signature caps at 64 records, so treat this as a lower bound on the executables touched, not the full set; every one of these is a candidate for infection and should be hash-checked against a known-good install.
Drops file in Windows directory 64 IoCs
Processes: svchost.com and 3C486C~1.EXE (many instances of each)
Only two paths are touched. Counts of "File opened for modification" records, by path and by writing image:
  C:\Windows\svchost.com  by svchost.com: 13,  by 3C486C~1.EXE: 20
  C:\Windows\directx.sys  by svchost.com: 14,  by 3C486C~1.EXE: 17
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The signature's stock text calls this likely ransomware behaviour; for a file infector, drive enumeration is simply how it finds executables to infect, and nothing else in this report (no file encryption, no ransom note, no renamed user documents) points to ransomware.
-
Modifies registry class 1 IoCs
Process: 3c486c0379adb13b1681348c6d6320c5.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ (Default) = C:\Windows\svchost.com "%1" %*  (the same write reported under "Modifies system executable filetype association" above)
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 3c486c0379adb13b1681348c6d6320c5.exe, svchost.exe, svchost.com, 3C486C~1.EXE
Each parent-to-child hop was logged as four identical records (16 hops x 4 = 64). Writer PID (image) -> target PID (image):
  756 (3c486c0379adb13b1681348c6d6320c5.exe) -> 948 (svchost.exe)
  948 (svchost.exe) -> 1812 (3c486c0379adb13b1681348c6d6320c5.exe)
  1812 (3c486c0379adb13b1681348c6d6320c5.exe) -> 1272 (3c486c0379adb13b1681348c6d6320c5.exe)
  1272 (3c486c0379adb13b1681348c6d6320c5.exe) -> 1680 (svchost.exe)
  1680 (svchost.exe) -> 1972 (3c486c0379adb13b1681348c6d6320c5.exe)
  1972 (3c486c0379adb13b1681348c6d6320c5.exe) -> 840 (svchost.com)
  840 (svchost.com) -> 1632 (3C486C~1.EXE)
  1632 (3C486C~1.EXE) -> 1252 (svchost.com)
  1252 (svchost.com) -> 1508 (3C486C~1.EXE)
  1508 (3C486C~1.EXE) -> 432 (svchost.com)
  432 (svchost.com) -> 2008 (3C486C~1.EXE)
  2008 (3C486C~1.EXE) -> 1980 (svchost.com)
  1980 (svchost.com) -> 808 (3C486C~1.EXE)
  808 (3C486C~1.EXE) -> 1344 (svchost.com)
  1344 (svchost.com) -> 1028 (3C486C~1.EXE)
  1028 (3C486C~1.EXE) -> 900 (svchost.com)
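Two things in the chain above are worth turning into detection logic: both loaders (C:\Windows\svchost.exe and C:\Windows\svchost.com) sit directly in C:\Windows rather than in System32, and because of the exefile hijack every host launch appears as a pair, the loader started as <loader> "<host.exe>" followed by the host started by that loader. The script below is an added example, not code from the report or its vendor; the events are hand-built from the report's PIDs and paths using Sysmon event ID 1 field names, plus one legitimate service host for contrast. The parent of the first process (PID 756) is not recorded in the report and is left blank.

```python
r"""Flag the Neshta loader chain in process-creation telemetry.

Added example; it is not the report's own code. It encodes two facts from the
process tree: (1) both loaders live directly in C:\Windows
(C:\Windows\svchost.exe and C:\Windows\svchost.com), where no legitimate
svchost belongs (the real one is C:\Windows\System32\svchost.exe), and
(2) because the exefile handler is hijacked, every host launch shows up as the
pair  <loader> "<host.exe>"  followed by  <host.exe>  spawned by that loader.
The EVENTS list is constructed from the report's PIDs and paths with Sysmon
event ID 1 field names; it is not a real Sysmon export.
"""
import ntpath
import re
from typing import Dict, List, Tuple

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\3c486c0379adb13b1681348c6d6320c5.exe"
HOST_LONG = r"C:\Users\Admin\AppData\Local\Temp\3582-490\3c486c0379adb13b1681348c6d6320c5.exe"
HOST_SHORT = r"C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE"  # 8.3 name of HOST_LONG
LOADER_EXE = r"C:\Windows\svchost.exe"
LOADER_COM = r"C:\Windows\svchost.com"

Event = Dict[str, object]

# Constructed from the first hops of the report's process tree, plus one
# legitimate service host (PID 600) that must not fire.
EVENTS: List[Event] = [
    {"ProcessId": 756, "ParentProcessId": 0, "ParentImage": "",  # parent not in report
     "Image": SAMPLE, "CommandLine": f'"{SAMPLE}"'},
    {"ProcessId": 948, "ParentProcessId": 756, "ParentImage": SAMPLE,
     "Image": LOADER_EXE, "CommandLine": f'"{LOADER_EXE}" "{SAMPLE}"'},
    {"ProcessId": 1812, "ParentProcessId": 948, "ParentImage": LOADER_EXE,
     "Image": SAMPLE, "CommandLine": f'"{SAMPLE}"'},
    {"ProcessId": 840, "ParentProcessId": 1972, "ParentImage": HOST_LONG,
     "Image": LOADER_COM, "CommandLine": f'"{LOADER_COM}" "{HOST_SHORT}"'},
    {"ProcessId": 1632, "ParentProcessId": 840, "ParentImage": LOADER_COM,
     "Image": HOST_SHORT, "CommandLine": HOST_SHORT},
    {"ProcessId": 600, "ParentProcessId": 500,
     "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

# A quoted span, or a run of non-whitespace: enough for these command lines.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def split_windows_command(cmd: str) -> List[str]:
    """Split on whitespace, keeping quoted spans whole."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in TOKEN_RE.finditer(cmd)]


def is_masquerading_svchost(image: str) -> bool:
    """svchost.<anything> whose directory is not System32 or SysWOW64."""
    directory, name = ntpath.split(image)
    return name.lower().startswith("svchost.") and directory.lower() not in SYSTEM_DIRS


def is_interposed_launch(ev: Event) -> bool:
    """Masquerading loader started as  <loader> "<target.exe>"  (the hijack shape)."""
    args = split_windows_command(str(ev["CommandLine"]))
    return (is_masquerading_svchost(str(ev["Image"]))
            and len(args) >= 2 and args[1].lower().endswith(".exe"))


def is_hijack_child(ev: Event) -> bool:
    """The real target, launched by the masquerading loader (second half of a hop)."""
    return (is_masquerading_svchost(str(ev["ParentImage"]))
            and not is_masquerading_svchost(str(ev["Image"])))


def triage(events: List[Event]) -> List[Tuple[int, List[str]]]:
    """Return (pid, reasons) for every event that matches at least one rule."""
    hits: List[Tuple[int, List[str]]] = []
    for ev in events:
        reasons = []
        if is_interposed_launch(ev):
            reasons.append("interposed-launcher")
        if is_hijack_child(ev):
            reasons.append("launched-via-hijacked-exefile")
        if reasons:
            hits.append((int(ev["ProcessId"]), reasons))
    return hits


if __name__ == "__main__":
    for pid, why in triage(EVENTS):
        print(pid, ", ".join(why))
```

The directory allowlist is deliberately short; if your fleet keeps svchost copies under WinSxS or a servicing stack path, add those directories rather than loosening the name match, since the name match (svchost.com, svchost.exe outside System32) is the part that carries the signal here.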
Processes
Each entry gives the depth in the tree, the PID, the image path, the command line, and the signatures that process triggered.

[depth 1] PID 756  C:\Users\Admin\AppData\Local\Temp\3c486c0379adb13b1681348c6d6320c5.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\3c486c0379adb13b1681348c6d6320c5.exe"
  - Suspicious use of WriteProcessMemory
[depth 2] PID 948  C:\Windows\svchost.exe
  cmdline: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\3c486c0379adb13b1681348c6d6320c5.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
[depth 3] PID 1812  C:\Users\Admin\AppData\Local\Temp\3c486c0379adb13b1681348c6d6320c5.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\3c486c0379adb13b1681348c6d6320c5.exe"
  - Modifies system executable filetype association
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
[depth 4] PID 1272  C:\Users\Admin\AppData\Local\Temp\3582-490\3c486c0379adb13b1681348c6d6320c5.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\3582-490\3c486c0379adb13b1681348c6d6320c5.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[depth 5] PID 1680  C:\Windows\svchost.exe
  cmdline: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\3582-490\3c486c0379adb13b1681348c6d6320c5.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
[depth 6] PID 1972  C:\Users\Admin\AppData\Local\Temp\3582-490\3c486c0379adb13b1681348c6d6320c5.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\3582-490\3c486c0379adb13b1681348c6d6320c5.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
From depth 7 onward the tree alternates between the dropped loader and the extracted host. Every C:\Windows\svchost.com entry below has the command line "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE", and every 3C486C~1.EXE entry has the unquoted command line C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE. Signatures triggered by each process follow the pipe.

[depth 7]  PID 840   C:\Windows\svchost.com | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
[depth 8]  PID 1632  C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE | Executes dropped EXE; Suspicious use of WriteProcessMemory
[depth 9]  PID 1252  C:\Windows\svchost.com | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
[depth 10] PID 1508  C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE | Executes dropped EXE; Drops file in Windows directory; Suspicious use of WriteProcessMemory
[depth 11] PID 432   C:\Windows\svchost.com | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
[depth 12] PID 2008  C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE | Executes dropped EXE; Suspicious use of WriteProcessMemory
[depth 13] PID 1980  C:\Windows\svchost.com | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
[depth 14] PID 808   C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE | Executes dropped EXE; Drops file in Windows directory; Suspicious use of WriteProcessMemory
[depth 15] PID 1344  C:\Windows\svchost.com | Executes dropped EXE; Loads dropped DLL; Drops file in Windows directory; Suspicious use of WriteProcessMemory
[depth 16] PID 1028  C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE | Executes dropped EXE; Suspicious use of WriteProcessMemory
[depth 17] PID 900   C:\Windows\svchost.com | Executes dropped EXE; Loads dropped DLL
[depth 18] PID 868   C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE | Executes dropped EXE
[depth 19] PID 1932  C:\Windows\svchost.com | Executes dropped EXE; Loads dropped DLL
[depth 20] PID 1848  C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE | Executes dropped EXE
[depth 21] PID 1244  C:\Windows\svchost.com | Executes dropped EXE; Loads dropped DLL
[depth 22] PID 1304  C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE | Executes dropped EXE
[depth 23] PID 1488  C:\Windows\svchost.com | Executes dropped EXE; Loads dropped DLL
[depth 24] PID 1696  C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE | Executes dropped EXE
[depth 25] PID 1588  C:\Windows\svchost.com | Executes dropped EXE; Loads dropped DLL
[depth 26] PID 1760  C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE | Executes dropped EXE
[depth 27] PID 1776  C:\Windows\svchost.com | Executes dropped EXE; Loads dropped DLL; Drops file in Windows directory
[depth 28] PID 2032  C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE | Executes dropped EXE
[depth 29] PID 1804  C:\Windows\svchost.com | Executes dropped EXE; Loads dropped DLL
[depth 30] PID 1808  C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE | Executes dropped EXE
[depth 31] PID 1484  C:\Windows\svchost.com | Executes dropped EXE; Loads dropped DLL
[depth 32] PID 1508  C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE | Executes dropped EXE
[depth 33] PID 1948  C:\Windows\svchost.com | Executes dropped EXE; Loads dropped DLL; Drops file in Windows directory
[depth 34] PID 544   C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE | Executes dropped EXE
[depth 35] PID 1564  C:\Windows\svchost.com | Executes dropped EXE; Loads dropped DLL
[depth 36] PID 616   C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE | Executes dropped EXE
[depth 37] PID 680   C:\Windows\svchost.com | Executes dropped EXE; Loads dropped DLL
[depth 38] PID 976   C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE | Executes dropped EXE
[depth 39] PID 1596  C:\Windows\svchost.com | Executes dropped EXE; Loads dropped DLL
[depth 40] PID 1600  C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE | Executes dropped EXE
[depth 41] PID 1544  C:\Windows\svchost.com | Executes dropped EXE; Loads dropped DLL
[depth 42] PID 1516  C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE | Executes dropped EXE
[depth 43] PID 1940  C:\Windows\svchost.com | Executes dropped EXE; Loads dropped DLL
[depth 44] C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE (the page ends here; PID and signatures for this entry are not shown)
- Executes dropped EXE
PID:1256 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE"45⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1864 -
C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE46⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE"47⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1248 -
C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE48⤵
- Executes dropped EXE
PID:1244 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE"49⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1120 -
C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE50⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE"51⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2028 -
C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE52⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE"53⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1632 -
C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE54⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE"55⤵
- Executes dropped EXE
- Loads dropped DLL
PID:624 -
C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE56⤵
- Executes dropped EXE
PID:1260 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE"57⤵
- Executes dropped EXE
PID:1956 -
C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE58⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE"59⤵
- Executes dropped EXE
PID:968 -
C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE60⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE"61⤵
- Executes dropped EXE
PID:2020 -
C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE62⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE"63⤵
- Executes dropped EXE
PID:1520 -
C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE64⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE"65⤵PID:1532
-
C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE66⤵PID:1936
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE"67⤵PID:1600
-
C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE68⤵PID:1984
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE"69⤵PID:1544
-
C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE70⤵PID:984
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE"71⤵PID:1668
-
C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE72⤵PID:1000
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE"73⤵PID:1320
-
C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE74⤵PID:1228
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE"75⤵PID:1304
-
C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE76⤵PID:1680
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE"77⤵PID:1244
-
C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE78⤵PID:1696
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE"79⤵PID:1360
-
C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE80⤵PID:1488
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE"81⤵PID:1828
-
C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE82⤵PID:1588
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE"83⤵PID:1388
-
C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE84⤵PID:1136
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE"85⤵PID:1608
-
C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE86⤵PID:2016
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE"87⤵PID:2012
-
C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE88⤵PID:1148
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE"89⤵PID:1368
-
C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE90⤵PID:1080
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE"91⤵PID:432
-
C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE92⤵PID:1856
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE"93⤵PID:1980
-
C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE94⤵
- Drops file in Windows directory
PID:1944 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE"95⤵PID:392
-
C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE96⤵PID:1592
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE"97⤵PID:568
-
C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE98⤵
- Drops file in Windows directory
PID:976 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE"99⤵PID:1344
-
C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE100⤵PID:1532
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE"101⤵PID:1600
-
C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE102⤵PID:1984
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE"103⤵PID:984
-
C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE104⤵PID:1256
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE"105⤵PID:1668
-
C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE106⤵
- Drops file in Windows directory
PID:1864 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE"107⤵PID:1540
-
C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE108⤵PID:1248
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE"109⤵PID:640
-
C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE110⤵PID:580
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE"111⤵PID:1696
-
C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE112⤵
- Drops file in Windows directory
PID:1756 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE"113⤵PID:1760
-
C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE114⤵PID:2028
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE"115⤵PID:1632
-
C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE116⤵PID:2032
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE"117⤵PID:1524
-
C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE118⤵PID:1608
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE"119⤵PID:1484
-
C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE120⤵PID:2012
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE"121⤵PID:1644
-
C:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\3C486C~1.EXE122⤵PID:1080