Analysis
max time kernel: 205s
max time network: 45s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 01/10/2022, 17:57
Behavioral task: behavioral1
Sample: df13ca1256d284f08e53ec81bc7af42e63faec50091a0bbfa0bcdac7238041d4.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: df13ca1256d284f08e53ec81bc7af42e63faec50091a0bbfa0bcdac7238041d4.exe
Resource: win10v2004-20220901-en
General
Target: df13ca1256d284f08e53ec81bc7af42e63faec50091a0bbfa0bcdac7238041d4.exe
Size: 139KB
MD5: 64aebb107c9f048db1727e56c8867227
SHA1: be1bb928053cc85760c02c1d42f9b7ad55976382
SHA256: df13ca1256d284f08e53ec81bc7af42e63faec50091a0bbfa0bcdac7238041d4
SHA512: 78b5f3bda710d7d3c721a075c92744ed17de1109bfae1fe229aedf62a1e90a54c689d9933c93f4a351b48a0cfa05a569a6da2deeaae1dfd4d0edad268bdcf3a7
SSDEEP: 1536:JxqjQ+P04wsmJC+EAd7qIYM2d8vZuX21rVrbsMe2ZOyDOxqjQ+P04wsmJC:sr85C+EA1Dm8vosrbZOyLr85C
Malware Config
Signatures
Detect Neshta payload (50 IoCs)
resource | yara_rule
behavioral1/files/0x000a000000012308-55.dat | family_neshta
behavioral1/files/0x000a000000012308-58.dat | family_neshta
behavioral1/files/0x000a000000012308-56.dat | family_neshta
behavioral1/files/0x000a000000012308-60.dat | family_neshta
behavioral1/files/0x000a000000012308-61.dat | family_neshta
behavioral1/files/0x000800000001231a-62.dat | family_neshta
behavioral1/files/0x000800000001231a-64.dat | family_neshta
behavioral1/files/0x0001000000010638-65.dat | family_neshta
behavioral1/files/0x000a000000012308-67.dat | family_neshta
behavioral1/files/0x000a000000012308-68.dat | family_neshta
behavioral1/files/0x000a000000012308-70.dat | family_neshta
behavioral1/files/0x000a000000012308-72.dat | family_neshta
behavioral1/files/0x000800000001231a-74.dat | family_neshta
behavioral1/files/0x000a000000012308-78.dat | family_neshta
behavioral1/files/0x000a000000012308-79.dat | family_neshta
behavioral1/files/0x000a000000012308-81.dat | family_neshta
behavioral1/files/0x000a000000012308-83.dat | family_neshta
behavioral1/files/0x000800000001231a-85.dat | family_neshta
behavioral1/files/0x000a000000012308-89.dat | family_neshta
behavioral1/files/0x000a000000012308-90.dat | family_neshta
behavioral1/files/0x000a000000012308-92.dat | family_neshta
behavioral1/files/0x0001000000010323-95.dat | family_neshta
behavioral1/files/0x0001000000010321-94.dat | family_neshta
behavioral1/files/0x000100000001062c-93.dat | family_neshta
behavioral1/files/0x000a000000012308-97.dat | family_neshta
behavioral1/files/0x000800000001231a-100.dat | family_neshta
behavioral1/files/0x000a000000012308-103.dat | family_neshta
behavioral1/files/0x000a000000012308-104.dat | family_neshta
behavioral1/files/0x000a000000012308-106.dat | family_neshta
behavioral1/files/0x000a000000012308-108.dat | family_neshta
behavioral1/files/0x000800000001231a-111.dat | family_neshta
behavioral1/files/0x000a000000012308-114.dat | family_neshta
behavioral1/files/0x000a000000012308-115.dat | family_neshta
behavioral1/files/0x000a000000012308-117.dat | family_neshta
behavioral1/files/0x000a000000012308-119.dat | family_neshta
behavioral1/files/0x000800000001231a-121.dat | family_neshta
behavioral1/files/0x000a000000012308-125.dat | family_neshta
behavioral1/files/0x000a000000012308-126.dat | family_neshta
behavioral1/files/0x000a000000012308-128.dat | family_neshta
behavioral1/files/0x000a000000012308-130.dat | family_neshta
behavioral1/files/0x000800000001231a-132.dat | family_neshta
behavioral1/files/0x000a000000012308-136.dat | family_neshta
behavioral1/files/0x000a000000012308-137.dat | family_neshta
behavioral1/files/0x000a000000012308-139.dat | family_neshta
behavioral1/files/0x000a000000012308-141.dat | family_neshta
behavioral1/files/0x000800000001231a-143.dat | family_neshta
behavioral1/files/0x000a000000012308-147.dat | family_neshta
behavioral1/files/0x000a000000012308-148.dat | family_neshta
behavioral1/files/0x000a000000012308-150.dat | family_neshta
behavioral1/files/0x000a000000012308-152.dat | family_neshta
Modifies system executable filetype association (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | df13ca1256d284f08e53ec81bc7af42e63faec50091a0bbfa0bcdac7238041d4.exe
Neshta
Malware from the Neshta family inserts itself into other executable files in order to spread and cause damage.
Executes dropped EXE (64 IoCs)
pid | Process
1524 | df13ca1256d284f08e53ec81bc7af42e63faec50091a0bbfa0bcdac7238041d4.exe
1692 | svchost.com
1832 | DF13CA~1.EXE
468 | svchost.com
1812 | DF13CA~1.EXE
316 | svchost.com
1840 | DF13CA~1.EXE
1552 | svchost.com
1252 | DF13CA~1.EXE
1052 | svchost.com
296 | DF13CA~1.EXE
1496 | svchost.com
1616 | DF13CA~1.EXE
816 | svchost.com
1672 | DF13CA~1.EXE
1312 | svchost.com
1380 | DF13CA~1.EXE
1428 | svchost.com
1832 | DF13CA~1.EXE
1916 | svchost.com
1624 | DF13CA~1.EXE
1812 | svchost.com
788 | DF13CA~1.EXE
1132 | svchost.com
1548 | DF13CA~1.EXE
268 | svchost.com
748 | DF13CA~1.EXE
1308 | svchost.com
1252 | DF13CA~1.EXE
1944 | svchost.com
1384 | DF13CA~1.EXE
1500 | svchost.com
1752 | DF13CA~1.EXE
1496 | svchost.com
1616 | DF13CA~1.EXE
1600 | svchost.com
1608 | DF13CA~1.EXE
1412 | svchost.com
1268 | DF13CA~1.EXE
1816 | svchost.com
1336 | DF13CA~1.EXE
664 | svchost.com
648 | DF13CA~1.EXE
752 | svchost.com
300 | DF13CA~1.EXE
636 | svchost.com
1544 | DF13CA~1.EXE
1264 | svchost.com
1840 | DF13CA~1.EXE
1736 | svchost.com
1772 | DF13CA~1.EXE
1684 | svchost.com
1636 | DF13CA~1.EXE
1516 | svchost.com
1112 | DF13CA~1.EXE
552 | svchost.com
1028 | DF13CA~1.EXE
1792 | svchost.com
1496 | DF13CA~1.EXE
2016 | svchost.com
1600 | DF13CA~1.EXE
1820 | svchost.com
1412 | DF13CA~1.EXE
556 | svchost.com
Loads dropped DLL (64 IoCs)
pid | Process
1732 | df13ca1256d284f08e53ec81bc7af42e63faec50091a0bbfa0bcdac7238041d4.exe
1732 | df13ca1256d284f08e53ec81bc7af42e63faec50091a0bbfa0bcdac7238041d4.exe
1524 | df13ca1256d284f08e53ec81bc7af42e63faec50091a0bbfa0bcdac7238041d4.exe
1692 | svchost.com
1692 | svchost.com
1832 | DF13CA~1.EXE
468 | svchost.com
468 | svchost.com
1812 | DF13CA~1.EXE
316 | svchost.com
316 | svchost.com
1840 | DF13CA~1.EXE
1552 | svchost.com
1552 | svchost.com
1252 | DF13CA~1.EXE
1052 | svchost.com
1052 | svchost.com
296 | DF13CA~1.EXE
1496 | svchost.com
1496 | svchost.com
1616 | DF13CA~1.EXE
816 | svchost.com
816 | svchost.com
1672 | DF13CA~1.EXE
1312 | svchost.com
1312 | svchost.com
1380 | DF13CA~1.EXE
1428 | svchost.com
1428 | svchost.com
1832 | DF13CA~1.EXE
1916 | svchost.com
1916 | svchost.com
1624 | DF13CA~1.EXE
1812 | svchost.com
1812 | svchost.com
788 | DF13CA~1.EXE
1132 | svchost.com
1132 | svchost.com
1548 | DF13CA~1.EXE
268 | svchost.com
268 | svchost.com
748 | DF13CA~1.EXE
1308 | svchost.com
1308 | svchost.com
1732 | df13ca1256d284f08e53ec81bc7af42e63faec50091a0bbfa0bcdac7238041d4.exe
1252 | DF13CA~1.EXE
1944 | svchost.com
1944 | svchost.com
1524 | df13ca1256d284f08e53ec81bc7af42e63faec50091a0bbfa0bcdac7238041d4.exe
1384 | DF13CA~1.EXE
1500 | svchost.com
1500 | svchost.com
1732 | df13ca1256d284f08e53ec81bc7af42e63faec50091a0bbfa0bcdac7238041d4.exe
1752 | DF13CA~1.EXE
1496 | svchost.com
1496 | svchost.com
1616 | DF13CA~1.EXE
1600 | svchost.com
1600 | svchost.com
1732 | df13ca1256d284f08e53ec81bc7af42e63faec50091a0bbfa0bcdac7238041d4.exe
1608 | DF13CA~1.EXE
1412 | svchost.com
1412 | svchost.com
1268 | DF13CA~1.EXE
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
Every row below has description "File opened for modification" and Process df13ca1256d284f08e53ec81bc7af42e63faec50091a0bbfa0bcdac7238041d4.exe; the ioc column, in the report's order, is:
C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE
C:\PROGRA~2\INTERN~1\iexplore.exe
C:\PROGRA~2\WI54FB~1\wmpshare.exe
C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE
C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE
C:\PROGRA~2\WI54FB~1\wmplayer.exe
C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
C:\PROGRA~2\Google\Update\DISABL~1.EXE
C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE
C:\PROGRA~2\WI54FB~1\setup_wm.exe
C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE
C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE
C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE
C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE
C:\PROGRA~2\WI54FB~1\wmplayer.exe
C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE
C:\PROGRA~2\INTERN~1\ieinstal.exe
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE
C:\PROGRA~2\INTERN~1\ielowutil.exe
C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE
C:\PROGRA~2\WI54FB~1\wmprph.exe
C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE
C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE
C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE
C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE
C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE
C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE
C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE
C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe
C:\PROGRA~2\MICROS~1\Office14\OIS.EXE
C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE
C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE
C:\PROGRA~2\WINDOW~1\wab.exe
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE
C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE
C:\PROGRA~2\WI54FB~1\wmlaunch.exe
C:\PROGRA~2\WI54FB~1\wmpshare.exe
C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE
C:\PROGRA~2\WI54FB~1\wmpconfig.exe
C:\PROGRA~2\WINDOW~4\ImagingDevices.exe
C:\PROGRA~2\WINDOW~4\ImagingDevices.exe
C:\PROGRA~2\WI4223~1\sidebar.exe
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE
C:\PROGRA~2\INTERN~1\ielowutil.exe
C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE
Drops file in Windows directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\directx.sys | DF13CA~1.EXE
File opened for modification | C:\Windows\svchost.com | Process not Found
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\directx.sys | DF13CA~1.EXE
File opened for modification | C:\Windows\directx.sys | DF13CA~1.EXE
File opened for modification | C:\Windows\svchost.com | DF13CA~1.EXE
File opened for modification | C:\Windows\svchost.com | Process not Found
File opened for modification | C:\Windows\directx.sys | DF13CA~1.EXE
File opened for modification | C:\Windows\svchost.com | Process not Found
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\directx.sys | Process not Found
File opened for modification | C:\Windows\directx.sys | Process not Found
File opened for modification | C:\Windows\svchost.com | DF13CA~1.EXE
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | Process not Found
File opened for modification | C:\Windows\svchost.com | Process not Found
File opened for modification | C:\Windows\svchost.com | Process not Found
File opened for modification | C:\Windows\directx.sys | Process not Found
File opened for modification | C:\Windows\directx.sys | DF13CA~1.EXE
File opened for modification | C:\Windows\directx.sys | Process not Found
File opened for modification | C:\Windows\svchost.com | Process not Found
File opened for modification | C:\Windows\directx.sys | Process not Found
File opened for modification | C:\Windows\directx.sys | Process not Found
File opened for modification | C:\Windows\svchost.com | Process not Found
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | DF13CA~1.EXE
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\directx.sys | Process not Found
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | Process not Found
File opened for modification | C:\Windows\directx.sys | DF13CA~1.EXE
File opened for modification | C:\Windows\directx.sys | DF13CA~1.EXE
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\directx.sys | Process not Found
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | Process not Found
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | Process not Found
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | Process not Found
File opened for modification | C:\Windows\svchost.com | Process not Found
File opened for modification | C:\Windows\svchost.com | Process not Found
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\directx.sys | DF13CA~1.EXE
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | Process not Found
File opened for modification | C:\Windows\svchost.com | DF13CA~1.EXE
File opened for modification | C:\Windows\directx.sys | DF13CA~1.EXE
File opened for modification | C:\Windows\directx.sys | DF13CA~1.EXE
File opened for modification | C:\Windows\directx.sys | DF13CA~1.EXE
File opened for modification | C:\Windows\directx.sys | DF13CA~1.EXE
File opened for modification | C:\Windows\svchost.com | Process not Found
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\directx.sys | DF13CA~1.EXE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | df13ca1256d284f08e53ec81bc7af42e63faec50091a0bbfa0bcdac7238041d4.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1732 wrote to memory of 1524 | 1732 | df13ca1256d284f08e53ec81bc7af42e63faec50091a0bbfa0bcdac7238041d4.exe | 28
PID 1732 wrote to memory of 1524 | 1732 | df13ca1256d284f08e53ec81bc7af42e63faec50091a0bbfa0bcdac7238041d4.exe | 28
PID 1732 wrote to memory of 1524 | 1732 | df13ca1256d284f08e53ec81bc7af42e63faec50091a0bbfa0bcdac7238041d4.exe | 28
PID 1732 wrote to memory of 1524 | 1732 | df13ca1256d284f08e53ec81bc7af42e63faec50091a0bbfa0bcdac7238041d4.exe | 28
PID 1524 wrote to memory of 1692 | 1524 | df13ca1256d284f08e53ec81bc7af42e63faec50091a0bbfa0bcdac7238041d4.exe | 29
PID 1524 wrote to memory of 1692 | 1524 | df13ca1256d284f08e53ec81bc7af42e63faec50091a0bbfa0bcdac7238041d4.exe | 29
PID 1524 wrote to memory of 1692 | 1524 | df13ca1256d284f08e53ec81bc7af42e63faec50091a0bbfa0bcdac7238041d4.exe | 29
PID 1524 wrote to memory of 1692 | 1524 | df13ca1256d284f08e53ec81bc7af42e63faec50091a0bbfa0bcdac7238041d4.exe | 29
PID 1692 wrote to memory of 1832 | 1692 | svchost.com | 30
PID 1692 wrote to memory of 1832 | 1692 | svchost.com | 30
PID 1692 wrote to memory of 1832 | 1692 | svchost.com | 30
PID 1692 wrote to memory of 1832 | 1692 | svchost.com | 30
PID 1832 wrote to memory of 468 | 1832 | DF13CA~1.EXE | 31
PID 1832 wrote to memory of 468 | 1832 | DF13CA~1.EXE | 31
PID 1832 wrote to memory of 468 | 1832 | DF13CA~1.EXE | 31
PID 1832 wrote to memory of 468 | 1832 | DF13CA~1.EXE | 31
PID 468 wrote to memory of 1812 | 468 | svchost.com | 32
PID 468 wrote to memory of 1812 | 468 | svchost.com | 32
PID 468 wrote to memory of 1812 | 468 | svchost.com | 32
PID 468 wrote to memory of 1812 | 468 | svchost.com | 32
PID 1812 wrote to memory of 316 | 1812 | DF13CA~1.EXE | 33
PID 1812 wrote to memory of 316 | 1812 | DF13CA~1.EXE | 33
PID 1812 wrote to memory of 316 | 1812 | DF13CA~1.EXE | 33
PID 1812 wrote to memory of 316 | 1812 | DF13CA~1.EXE | 33
PID 316 wrote to memory of 1840 | 316 | svchost.com | 34
PID 316 wrote to memory of 1840 | 316 | svchost.com | 34
PID 316 wrote to memory of 1840 | 316 | svchost.com | 34
PID 316 wrote to memory of 1840 | 316 | svchost.com | 34
PID 1840 wrote to memory of 1552 | 1840 | DF13CA~1.EXE | 35
PID 1840 wrote to memory of 1552 | 1840 | DF13CA~1.EXE | 35
PID 1840 wrote to memory of 1552 | 1840 | DF13CA~1.EXE | 35
PID 1840 wrote to memory of 1552 | 1840 | DF13CA~1.EXE | 35
PID 1552 wrote to memory of 1252 | 1552 | svchost.com | 36
PID 1552 wrote to memory of 1252 | 1552 | svchost.com | 36
PID 1552 wrote to memory of 1252 | 1552 | svchost.com | 36
PID 1552 wrote to memory of 1252 | 1552 | svchost.com | 36
PID 1252 wrote to memory of 1052 | 1252 | DF13CA~1.EXE | 37
PID 1252 wrote to memory of 1052 | 1252 | DF13CA~1.EXE | 37
PID 1252 wrote to memory of 1052 | 1252 | DF13CA~1.EXE | 37
PID 1252 wrote to memory of 1052 | 1252 | DF13CA~1.EXE | 37
PID 1052 wrote to memory of 296 | 1052 | svchost.com | 38
PID 1052 wrote to memory of 296 | 1052 | svchost.com | 38
PID 1052 wrote to memory of 296 | 1052 | svchost.com | 38
PID 1052 wrote to memory of 296 | 1052 | svchost.com | 38
PID 296 wrote to memory of 1496 | 296 | DF13CA~1.EXE | 39
PID 296 wrote to memory of 1496 | 296 | DF13CA~1.EXE | 39
PID 296 wrote to memory of 1496 | 296 | DF13CA~1.EXE | 39
PID 296 wrote to memory of 1496 | 296 | DF13CA~1.EXE | 39
PID 1496 wrote to memory of 1616 | 1496 | svchost.com | 40
PID 1496 wrote to memory of 1616 | 1496 | svchost.com | 40
PID 1496 wrote to memory of 1616 | 1496 | svchost.com | 40
PID 1496 wrote to memory of 1616 | 1496 | svchost.com | 40
PID 1616 wrote to memory of 816 | 1616 | DF13CA~1.EXE | 41
PID 1616 wrote to memory of 816 | 1616 | DF13CA~1.EXE | 41
PID 1616 wrote to memory of 816 | 1616 | DF13CA~1.EXE | 41
PID 1616 wrote to memory of 816 | 1616 | DF13CA~1.EXE | 41
PID 816 wrote to memory of 1672 | 816 | svchost.com | 42
PID 816 wrote to memory of 1672 | 816 | svchost.com | 42
PID 816 wrote to memory of 1672 | 816 | svchost.com | 42
PID 816 wrote to memory of 1672 | 816 | svchost.com | 42
PID 1672 wrote to memory of 1312 | 1672 | DF13CA~1.EXE | 43
PID 1672 wrote to memory of 1312 | 1672 | DF13CA~1.EXE | 43
PID 1672 wrote to memory of 1312 | 1672 | DF13CA~1.EXE | 43
PID 1672 wrote to memory of 1312 | 1672 | DF13CA~1.EXE | 43
Processes
Entries are numbered by their nesting depth in the process tree; each process is a child of the one listed before it.

1. C:\Users\Admin\AppData\Local\Temp\df13ca1256d284f08e53ec81bc7af42e63faec50091a0bbfa0bcdac7238041d4.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\df13ca1256d284f08e53ec81bc7af42e63faec50091a0bbfa0bcdac7238041d4.exe"
   - Modifies system executable filetype association
   - Loads dropped DLL
   - Drops file in Program Files directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 1732

2. C:\Users\Admin\AppData\Local\Temp\3582-490\df13ca1256d284f08e53ec81bc7af42e63faec50091a0bbfa0bcdac7238041d4.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\df13ca1256d284f08e53ec81bc7af42e63faec50091a0bbfa0bcdac7238041d4.exe"
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in Program Files directory
   - Suspicious use of WriteProcessMemory
   PID: 1524

3. C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 1692

4. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 1832

5. C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 468

6. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 1812

7. C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 316

8. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 1840

9. C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 1552

10. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 1252

11. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 1052

12. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 296

13. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 1496

14. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 1616

15. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 816

16. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 1672

17. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 1312

18. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 1380

19. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 1428

20. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 1832

21. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 1916

22. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 1624

23. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 1812

24. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 788

25. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 1132

26. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 1548

27. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 268

28. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 748

29. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 1308

30. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 1252

31. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 1944

32. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 1384

33. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 1500

34. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 1752

35. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 1496

36. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 1616

37. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 1600

38. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 1608

39. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 1412

40. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 1268

41. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"
    - Executes dropped EXE
    PID: 1816

42. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE
    - Executes dropped EXE
    PID: 1336

43. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"
    - Executes dropped EXE
    PID: 664

44. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE
    - Executes dropped EXE
    PID: 648

45. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"
    - Executes dropped EXE
    PID: 752

46. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE
    - Executes dropped EXE
    PID: 300

47. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"
    - Executes dropped EXE
    PID: 636

48. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE
    - Executes dropped EXE
    PID: 1544

49. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"
    - Executes dropped EXE
    PID: 1264

50. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE
    - Executes dropped EXE
    PID: 1840

51. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"
- Executes dropped EXE
- Drops file in Windows directory
PID:1736 -
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE52⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"53⤵
- Executes dropped EXE
PID:1684 -
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE54⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"55⤵
- Executes dropped EXE
PID:1516 -
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE56⤵
- Executes dropped EXE
PID:1112 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"57⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:552 -
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE58⤵
- Executes dropped EXE
PID:1028 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"59⤵
- Executes dropped EXE
PID:1792 -
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE60⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"61⤵
- Executes dropped EXE
PID:2016 -
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE62⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"63⤵
- Executes dropped EXE
PID:1820 -
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE64⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"65⤵
- Executes dropped EXE
PID:556 -
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE66⤵PID:1816
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"67⤵PID:852
-
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE68⤵PID:784
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"69⤵PID:584
-
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE70⤵PID:1144
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"71⤵
- Drops file in Windows directory
PID:1916 -
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE72⤵PID:536
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"73⤵PID:276
-
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE74⤵PID:1544
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"75⤵PID:360
-
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE76⤵PID:880
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"77⤵PID:748
-
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE78⤵PID:1736
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"79⤵PID:1308
-
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE80⤵PID:1556
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"81⤵PID:296
-
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE82⤵PID:1384
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"83⤵PID:764
-
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE84⤵PID:1952
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"85⤵PID:552
-
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE86⤵PID:876
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"87⤵PID:952
-
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE88⤵PID:1696
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"89⤵PID:1564
-
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE90⤵PID:1852
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"91⤵PID:1268
-
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE92⤵PID:1312
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"93⤵PID:1348
-
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE94⤵PID:1948
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"95⤵PID:1164
-
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE96⤵PID:1832
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"97⤵PID:648
-
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE98⤵PID:1860
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"99⤵PID:1344
-
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE100⤵PID:672
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"101⤵PID:636
-
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE102⤵PID:536
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"103⤵PID:1676
-
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE104⤵PID:1264
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"105⤵PID:928
-
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE106⤵PID:880
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"107⤵PID:748
-
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE108⤵PID:304
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"109⤵PID:1684
-
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE110⤵PID:1520
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"111⤵PID:1516
-
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE112⤵PID:2008
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"113⤵PID:1944
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE66⤵PID:1688
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"67⤵PID:560
-
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE68⤵PID:1164
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"69⤵PID:520
-
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE70⤵PID:1832
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"71⤵PID:584
-
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE72⤵PID:324
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"73⤵PID:1916
-
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE74⤵PID:1760
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"75⤵PID:672
-
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE76⤵PID:268
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"77⤵PID:360
-
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE78⤵PID:1772
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"79⤵PID:812
-
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE80⤵PID:592
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"81⤵PID:1736
-
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE82⤵PID:1684
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"83⤵PID:1072
-
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE84⤵PID:1516
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"85⤵PID:1036
-
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE86⤵PID:1752
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"87⤵
- Drops file in Windows directory
PID:1712 -
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE88⤵PID:1168
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"89⤵PID:1076
-
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE90⤵PID:1604
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"91⤵PID:1792
-
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE92⤵PID:816
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"93⤵PID:1740
-
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE94⤵PID:1748
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"95⤵PID:1348
-
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE96⤵PID:1688
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"97⤵PID:560
-
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE98⤵PID:1164
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"99⤵PID:520
-
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE100⤵PID:784
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"101⤵PID:1132
-
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE102⤵PID:1144
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"103⤵PID:1916
-
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE104⤵PID:1544
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"105⤵PID:1676
-
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE106⤵PID:1264
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"107⤵PID:360
-
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE108⤵PID:1772
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"109⤵PID:1032
-
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE110⤵PID:304
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"111⤵PID:1252
-
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE112⤵PID:748
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"113⤵PID:1560
-
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE114⤵PID:1052
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"115⤵PID:568
-
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE116⤵PID:1292
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"117⤵PID:968
-
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE118⤵
- Drops file in Windows directory
PID:1712 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"119⤵PID:944
-
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE120⤵PID:952
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE"121⤵
- Drops file in Windows directory
PID:1376 -
C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE122⤵PID:1792