Analysis
max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/10/2022, 17:57
Behavioral task: behavioral1
Sample: df13ca1256d284f08e53ec81bc7af42e63faec50091a0bbfa0bcdac7238041d4.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: df13ca1256d284f08e53ec81bc7af42e63faec50091a0bbfa0bcdac7238041d4.exe
Resource: win10v2004-20220901-en
General
Target: df13ca1256d284f08e53ec81bc7af42e63faec50091a0bbfa0bcdac7238041d4.exe
Size: 139KB
MD5: 64aebb107c9f048db1727e56c8867227
SHA1: be1bb928053cc85760c02c1d42f9b7ad55976382
SHA256: df13ca1256d284f08e53ec81bc7af42e63faec50091a0bbfa0bcdac7238041d4
SHA512: 78b5f3bda710d7d3c721a075c92744ed17de1109bfae1fe229aedf62a1e90a54c689d9933c93f4a351b48a0cfa05a569a6da2deeaae1dfd4d0edad268bdcf3a7
SSDEEP: 1536:JxqjQ+P04wsmJC+EAd7qIYM2d8vZuX21rVrbsMe2ZOyDOxqjQ+P04wsmJC:sr85C+EA1Dm8vosrbZOyLr85C
Signatures
Detect Neshta payload (35 IoCs)
Modifies system executable filetype association (2 TTPs, 1 IoC)
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
Process: df13ca1256d284f08e53ec81bc7af42e63faec50091a0bbfa0bcdac7238041d4.exe
Because this key is the shell handler for every .exe, each program launch on the host is routed through the dropped C:\Windows\svchost.com before the real target runs; restoring the default value ("%1" %*) is part of cleanup.
Neshta
Malware from the Neshta family infects other executable files in order to spread and cause damage.
Executes dropped EXE (64 IoCs)
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (64 IoCs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s); likely ransomware behaviour.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes

1. "C:\Users\Admin\AppData\Local\Temp\df13ca1256d284f08e53ec81bc7af42e63faec50091a0bbfa0bcdac7238041d4.exe" (PID 4864)
   - Modifies system executable filetype association
   - Drops file in Program Files directory
   - Suspicious use of WriteProcessMemory
2. "C:\Users\Admin\AppData\Local\Temp\3582-490\df13ca1256d284f08e53ec81bc7af42e63faec50091a0bbfa0bcdac7238041d4.exe" (PID 2788)
   - Executes dropped EXE
   - Drops file in Program Files directory
   - Suspicious use of WriteProcessMemory
3. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 972)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
4. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 1144)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
5. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 3832)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
6. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 3492)
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
7. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 2716)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
8. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 3900)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
9. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 2564)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
10. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 2812)
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
11. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 3720)
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
12. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 5040)
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
13. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 4876)
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
14. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 4232)
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
15. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 4980)
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
16. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 2904)
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
17. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 2980)
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
18. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 4740)
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
19. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 3528)
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
20. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 1668)
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
21. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 852)
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
22. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 1752)
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
23. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 4704)
    - Executes dropped EXE
24. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 2660)
    - Executes dropped EXE
25. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 3552)
    - Executes dropped EXE
26. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 3944)
    - Executes dropped EXE
27. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 2972)
    - Executes dropped EXE
28. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 1372)
    - Executes dropped EXE
    - Modifies registry class
29. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 2968)
    - Executes dropped EXE
30. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 1348)
    - Executes dropped EXE
31. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 1212)
    - Executes dropped EXE
32. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 2392)
    - Executes dropped EXE
33. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 3476)
    - Executes dropped EXE
34. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 2852)
    - Executes dropped EXE
35. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 4040)
    - Executes dropped EXE
    - Drops file in Windows directory
36. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 4020)
    - Executes dropped EXE
    - Modifies registry class
37. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 4260)
    - Executes dropped EXE
38. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 3316)
    - Executes dropped EXE
    - Checks computer location settings
39. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 2300)
    - Executes dropped EXE
40. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 1868)
    - Executes dropped EXE
41. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 3996)
    - Executes dropped EXE
42. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 948)
    - Executes dropped EXE
43. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 4500)
    - Executes dropped EXE
44. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 4772)
    - Executes dropped EXE
45. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 4036)
    - Executes dropped EXE
46. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 3712)
    - Executes dropped EXE
    - Checks computer location settings
47. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 3116)
    - Executes dropped EXE
48. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 2864)
    - Executes dropped EXE
49. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 880)
    - Executes dropped EXE
50. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 2236)
    - Executes dropped EXE
    - Checks computer location settings
51. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 4232)
    - Executes dropped EXE
    - Drops file in Windows directory
52. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 1972)
    - Executes dropped EXE
53. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 4272)
    - Executes dropped EXE
54. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 1696)
    - Executes dropped EXE
55. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 676)
    - Executes dropped EXE
56. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 3420)
    - Executes dropped EXE
    - Checks computer location settings
57. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 4996)
    - Executes dropped EXE
1. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 4120)
   - Executes dropped EXE
2. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 4204)
   - Executes dropped EXE
3. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 4192)
   - Executes dropped EXE
4. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 2012)
   - Executes dropped EXE
5. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 4532)
   - Executes dropped EXE
6. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 2884)
   - Executes dropped EXE
   - Drops file in Windows directory
7. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 2396)
   - Executes dropped EXE
8. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 2568)
   - Executes dropped EXE
9. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 360)
   - Checks computer location settings
10. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 4756)
11. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 3812)
12. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 3952)
13. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 4956)
14. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 4452)
15. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 3396)
16. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 2796)
17. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 4032)
18. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 4656)
19. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 1936)
20. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 908)
21. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 5004)
22. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 4988)
23. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 2744)
24. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 948)
25. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 4188)
    - Checks computer location settings
26. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 4836)
27. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 5016)
28. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 5088)
29. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 928)
30. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 1516)
31. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 4856)
32. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 3132)
33. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 1756)
    - Drops file in Windows directory
34. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 4232)
    - Drops file in Windows directory
35. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 4848)
36. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 4376)
37. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 2088)
    - Modifies registry class
38. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 3392)
39. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 676)
    - Drops file in Windows directory
40. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 3420)
41. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 1412)
    - Modifies registry class
42. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 4636)
43. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 2836)
    - Checks computer location settings
44. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 4228)
45. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 4824)
46. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 2004)
47. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 3432)
48. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 4532)
49. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 1520)
50. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 2396)
51. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 484)
52. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 4428)
53. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 1048)
54. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 4028)
55. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 3916)
56. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 3480)
57. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 3960)
    - Drops file in Windows directory
58. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 4032)
59. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 4656)
60. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 2300)
61. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 908)
    - Modifies registry class
62. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 3492)
63. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 1512)
64. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 3700)
65. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 824)
66. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 1060)
67. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 1732)
68. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 2908)
69. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 3132)
70. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 1328)
71. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 4852)
72. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 964)
    - Drops file in Windows directory
73. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 2272)
74. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 1720)
    - Drops file in Windows directory
75. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 1712)
    - Modifies registry class
76. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 4936)
77. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 996)
78. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 4228)
79. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 4300)
80. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 2012)
81. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 3552)
82. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 3796)
83. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 4536)
84. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 1560)
85. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 1372)
    - Checks computer location settings
86. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 3908)
87. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 4428)
88. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 2392)
    - Drops file in Windows directory
89. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 4040)
90. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 2056)
91. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 3892)
92. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 2224)
93. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 4260)
    - Checks computer location settings
94. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 856)
95. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 972)
    - Checks computer location settings
96. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 432)
97. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 3996)
98. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 3436)
    - Drops file in Windows directory
99. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 2036)
100. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 404)
     - Drops file in Windows directory
101. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 4836)
     - Modifies registry class
102. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 2520)
103. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 2864)
104. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 3888)
105. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 4460)
106. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 2644)
107. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 4732)
108. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 4628)
109. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 4276)
     - Drops file in Windows directory
110. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 4796)
111. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 1668)
112. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 4816)
113. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 2624)
     - Modifies registry class
114. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 540)
115. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 1548)
     - Modifies registry class
116. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 4560)
117. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 5052)
118. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 4184)
119. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 2532)
     - Checks computer location settings
120. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 4584)
121. C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE (PID 4924)
122. "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\DF13CA~1.EXE" (PID 3908)