Analysis

max time kernel: 157s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/10/2022, 17:58
Behavioral task behavioral1
Sample: 5ab7518bc969560c04d11c76de7a65a885245a2c1174792aa2f4cc03e331ce46.exe
Resource: win7-20220901-en

Behavioral task behavioral2
Sample: 5ab7518bc969560c04d11c76de7a65a885245a2c1174792aa2f4cc03e331ce46.exe
Resource: win10v2004-20220812-en
General

Target: 5ab7518bc969560c04d11c76de7a65a885245a2c1174792aa2f4cc03e331ce46.exe
Size: 390KB
MD5: 4ae46f7c43720a73ab25768fd5791c30
SHA1: da5940fe9b55eca394ceac9cfbcbb797caceb68a
SHA256: 5ab7518bc969560c04d11c76de7a65a885245a2c1174792aa2f4cc03e331ce46
SHA512: 470c706aa30927f3bb751ee1bdd1159053349e4c82433a8d9557e23e38aecdd8b486c68509bc376f8d192a018576cca73f5bad24bf4ab751e1e0a1fc38c2cdc5
SSDEEP: 6144:k9rWRBxdkrPEebsGIUAuuAg3TXDZO8MT5i+W3QzDoStiFpwyoStiFpwf9rW:CWRzAEmrIpjTZO7T5i+W3QzEJpkJpKW
Malware Config
Signatures
Detect Neshta payload 35 IoCs

resource | yara_rule
behavioral2/files/0x000b000000022f6c-134.dat | family_neshta
behavioral2/files/0x000b000000022f6c-133.dat | family_neshta
behavioral2/files/0x0008000000022f6d-136.dat | family_neshta
behavioral2/files/0x0008000000022f6d-137.dat | family_neshta
behavioral2/files/0x000b000000022f6c-139.dat | family_neshta
behavioral2/files/0x0008000000022f6d-141.dat | family_neshta
behavioral2/files/0x000b000000022f6c-145.dat | family_neshta
behavioral2/files/0x0008000000022f6d-147.dat | family_neshta
behavioral2/files/0x000b000000022f6c-151.dat | family_neshta
behavioral2/files/0x0008000000022f6d-153.dat | family_neshta
behavioral2/files/0x000b000000022f6c-157.dat | family_neshta
behavioral2/files/0x0008000000022f6d-159.dat | family_neshta
behavioral2/files/0x000b000000022f6c-163.dat | family_neshta
behavioral2/files/0x0008000000022f6d-165.dat | family_neshta
behavioral2/files/0x000b000000022f6c-169.dat | family_neshta
behavioral2/files/0x0008000000022f6d-171.dat | family_neshta
behavioral2/files/0x000b000000022f6c-175.dat | family_neshta
behavioral2/files/0x0008000000022f6d-177.dat | family_neshta
behavioral2/files/0x000b000000022f6c-181.dat | family_neshta
behavioral2/files/0x0008000000022f6d-183.dat | family_neshta
behavioral2/files/0x000b000000022f6c-187.dat | family_neshta
behavioral2/files/0x0008000000022f6d-189.dat | family_neshta
behavioral2/files/0x000b000000022f6c-193.dat | family_neshta
behavioral2/files/0x0008000000022f6d-195.dat | family_neshta
behavioral2/files/0x000b000000022f6c-199.dat | family_neshta
behavioral2/files/0x0008000000022f6d-201.dat | family_neshta
behavioral2/files/0x000b000000022f6c-205.dat | family_neshta
behavioral2/files/0x0008000000022f6d-207.dat | family_neshta
behavioral2/files/0x000b000000022f6c-211.dat | family_neshta
behavioral2/files/0x0008000000022f6d-213.dat | family_neshta
behavioral2/files/0x000b000000022f6c-216.dat | family_neshta
behavioral2/files/0x0008000000022f6d-218.dat | family_neshta
behavioral2/files/0x000b000000022f6c-222.dat | family_neshta
behavioral2/files/0x0008000000022f6d-224.dat | family_neshta
behavioral2/files/0x000b000000022f6c-228.dat | family_neshta
Modifies system executable filetype association 2 TTPs 1 IoCs

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 5ab7518bc969560c04d11c76de7a65a885245a2c1174792aa2f4cc03e331ce46.exe
Neshta

Malware from the Neshta family infects other files in order to spread itself and cause damage.
Executes dropped EXE 64 IoCs

pid | Process
4848 | 5ab7518bc969560c04d11c76de7a65a885245a2c1174792aa2f4cc03e331ce46.exe
4856 | svchost.com
3108 | 5AB751~1.EXE
4940 | svchost.com
4696 | 5AB751~1.EXE
4720 | svchost.com
968 | 5AB751~1.EXE
3816 | svchost.com
1940 | 5AB751~1.EXE
3632 | svchost.com
5048 | 5AB751~1.EXE
4204 | svchost.com
4912 | 5AB751~1.EXE
4624 | svchost.com
1708 | 5AB751~1.EXE
628 | svchost.com
3480 | 5AB751~1.EXE
4604 | svchost.com
3688 | 5AB751~1.EXE
2736 | svchost.com
2348 | 5AB751~1.EXE
3924 | svchost.com
3112 | 5AB751~1.EXE
4040 | svchost.com
2764 | 5AB751~1.EXE
4308 | svchost.com
2080 | 5AB751~1.EXE
4232 | svchost.com
1160 | 5AB751~1.EXE
2260 | svchost.com
3324 | 5AB751~1.EXE
1400 | svchost.com
2564 | 5AB751~1.EXE
3404 | svchost.com
2488 | 5AB751~1.EXE
3364 | svchost.com
2816 | 5AB751~1.EXE
1032 | svchost.com
2328 | 5AB751~1.EXE
2300 | svchost.com
4416 | 5AB751~1.EXE
3812 | svchost.com
1584 | 5AB751~1.EXE
1364 | svchost.com
4392 | 5AB751~1.EXE
3836 | svchost.com
5104 | 5AB751~1.EXE
2228 | svchost.com
3012 | 5AB751~1.EXE
1264 | svchost.com
2384 | 5AB751~1.EXE
1868 | svchost.com
3232 | 5AB751~1.EXE
3524 | svchost.com
2320 | 5AB751~1.EXE
3128 | svchost.com
3452 | 5AB751~1.EXE
3092 | svchost.com
2808 | 5AB751~1.EXE
1192 | svchost.com
384 | 5AB751~1.EXE
5044 | svchost.com
5000 | 5AB751~1.EXE
5020 | svchost.com
Checks computer location settings 2 TTPs 64 IoCs

Looks up the country code configured in the registry, likely for geofencing.

description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 5AB751~1.EXE
Drops file in System32 directory 2 IoCs

description | ioc | Process
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{027A032E-9C13-43CF-9ECD-D8082997F412}.catalogItem | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{499A4820-1157-4B8B-BF50-D78C0C221498}.catalogItem | svchost.exe
Drops file in Program Files directory 26 IoCs

description | ioc | Process
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE | 5ab7518bc969560c04d11c76de7a65a885245a2c1174792aa2f4cc03e331ce46.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe | 5ab7518bc969560c04d11c76de7a65a885245a2c1174792aa2f4cc03e331ce46.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE | 5ab7518bc969560c04d11c76de7a65a885245a2c1174792aa2f4cc03e331ce46.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE | 5ab7518bc969560c04d11c76de7a65a885245a2c1174792aa2f4cc03e331ce46.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE | 5ab7518bc969560c04d11c76de7a65a885245a2c1174792aa2f4cc03e331ce46.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe | 5ab7518bc969560c04d11c76de7a65a885245a2c1174792aa2f4cc03e331ce46.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE | 5ab7518bc969560c04d11c76de7a65a885245a2c1174792aa2f4cc03e331ce46.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE | 5ab7518bc969560c04d11c76de7a65a885245a2c1174792aa2f4cc03e331ce46.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe | 5ab7518bc969560c04d11c76de7a65a885245a2c1174792aa2f4cc03e331ce46.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe | 5ab7518bc969560c04d11c76de7a65a885245a2c1174792aa2f4cc03e331ce46.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE | 5ab7518bc969560c04d11c76de7a65a885245a2c1174792aa2f4cc03e331ce46.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE | 5ab7518bc969560c04d11c76de7a65a885245a2c1174792aa2f4cc03e331ce46.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe | 5ab7518bc969560c04d11c76de7a65a885245a2c1174792aa2f4cc03e331ce46.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE | 5ab7518bc969560c04d11c76de7a65a885245a2c1174792aa2f4cc03e331ce46.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE | 5ab7518bc969560c04d11c76de7a65a885245a2c1174792aa2f4cc03e331ce46.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe | 5ab7518bc969560c04d11c76de7a65a885245a2c1174792aa2f4cc03e331ce46.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe | 5ab7518bc969560c04d11c76de7a65a885245a2c1174792aa2f4cc03e331ce46.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe | 5ab7518bc969560c04d11c76de7a65a885245a2c1174792aa2f4cc03e331ce46.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE | 5ab7518bc969560c04d11c76de7a65a885245a2c1174792aa2f4cc03e331ce46.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE | 5ab7518bc969560c04d11c76de7a65a885245a2c1174792aa2f4cc03e331ce46.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE | 5ab7518bc969560c04d11c76de7a65a885245a2c1174792aa2f4cc03e331ce46.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE | 5ab7518bc969560c04d11c76de7a65a885245a2c1174792aa2f4cc03e331ce46.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe | 5ab7518bc969560c04d11c76de7a65a885245a2c1174792aa2f4cc03e331ce46.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE | 5ab7518bc969560c04d11c76de7a65a885245a2c1174792aa2f4cc03e331ce46.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE | 5ab7518bc969560c04d11c76de7a65a885245a2c1174792aa2f4cc03e331ce46.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE | 5ab7518bc969560c04d11c76de7a65a885245a2c1174792aa2f4cc03e331ce46.exe
Drops file in Windows directory 64 IoCs

description | ioc | Process
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\directx.sys | 5AB751~1.EXE
File opened for modification | C:\Windows\svchost.com | 5AB751~1.EXE
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | 5AB751~1.EXE
File opened for modification | C:\Windows\directx.sys | 5AB751~1.EXE
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | 5AB751~1.EXE
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | 5AB751~1.EXE
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\directx.sys | 5AB751~1.EXE
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\directx.sys | 5AB751~1.EXE
File opened for modification | C:\Windows\directx.sys | 5AB751~1.EXE
File opened for modification | C:\Windows\svchost.com | 5AB751~1.EXE
File opened for modification | C:\Windows\directx.sys | 5AB751~1.EXE
File opened for modification | C:\Windows\directx.sys | 5AB751~1.EXE
File opened for modification | C:\Windows\directx.sys | 5AB751~1.EXE
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\directx.sys | 5AB751~1.EXE
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\directx.sys | 5AB751~1.EXE
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\directx.sys | 5AB751~1.EXE
File opened for modification | C:\Windows\svchost.com | 5AB751~1.EXE
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | 5AB751~1.EXE
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | 5AB751~1.EXE
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | 5AB751~1.EXE
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | 5AB751~1.EXE
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | 5AB751~1.EXE
File opened for modification | C:\Windows\directx.sys | 5AB751~1.EXE
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\directx.sys | 5AB751~1.EXE
File opened for modification | C:\Windows\svchost.com | 5AB751~1.EXE
File opened for modification | C:\Windows\svchost.com | 5AB751~1.EXE
File opened for modification | C:\Windows\directx.sys | 5AB751~1.EXE
File opened for modification | C:\Windows\directx.sys | 5AB751~1.EXE
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\directx.sys | 5AB751~1.EXE
File opened for modification | C:\Windows\svchost.com | 5AB751~1.EXE
File opened for modification | C:\Windows\directx.sys | 5AB751~1.EXE
File opened for modification | C:\Windows\directx.sys | 5AB751~1.EXE
File opened for modification | C:\Windows\directx.sys | 5AB751~1.EXE
File opened for modification | C:\Windows\directx.sys | 5AB751~1.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe
Enumerates system info in registry 2 TTPs 2 IoCs

description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | svchost.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | svchost.exe
Modifies registry class 64 IoCs

description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 5AB751~1.EXE
Suspicious use of WriteProcessMemory 64 IoCs

description | pid | Process | procid_target
PID 1936 wrote to memory of 4848 | 1936 | 5ab7518bc969560c04d11c76de7a65a885245a2c1174792aa2f4cc03e331ce46.exe | 77
PID 1936 wrote to memory of 4848 | 1936 | 5ab7518bc969560c04d11c76de7a65a885245a2c1174792aa2f4cc03e331ce46.exe | 77
PID 1936 wrote to memory of 4848 | 1936 | 5ab7518bc969560c04d11c76de7a65a885245a2c1174792aa2f4cc03e331ce46.exe | 77
PID 4848 wrote to memory of 4856 | 4848 | 5ab7518bc969560c04d11c76de7a65a885245a2c1174792aa2f4cc03e331ce46.exe | 78
PID 4848 wrote to memory of 4856 | 4848 | 5ab7518bc969560c04d11c76de7a65a885245a2c1174792aa2f4cc03e331ce46.exe | 78
PID 4848 wrote to memory of 4856 | 4848 | 5ab7518bc969560c04d11c76de7a65a885245a2c1174792aa2f4cc03e331ce46.exe | 78
PID 4856 wrote to memory of 3108 | 4856 | svchost.com | 79
PID 4856 wrote to memory of 3108 | 4856 | svchost.com | 79
PID 4856 wrote to memory of 3108 | 4856 | svchost.com | 79
PID 3108 wrote to memory of 4940 | 3108 | 5AB751~1.EXE | 80
PID 3108 wrote to memory of 4940 | 3108 | 5AB751~1.EXE | 80
PID 3108 wrote to memory of 4940 | 3108 | 5AB751~1.EXE | 80
PID 4940 wrote to memory of 4696 | 4940 | svchost.com | 81
PID 4940 wrote to memory of 4696 | 4940 | svchost.com | 81
PID 4940 wrote to memory of 4696 | 4940 | svchost.com | 81
PID 4696 wrote to memory of 4720 | 4696 | 5AB751~1.EXE | 82
PID 4696 wrote to memory of 4720 | 4696 | 5AB751~1.EXE | 82
PID 4696 wrote to memory of 4720 | 4696 | 5AB751~1.EXE | 82
PID 4720 wrote to memory of 968 | 4720 | svchost.com | 83
PID 4720 wrote to memory of 968 | 4720 | svchost.com | 83
PID 4720 wrote to memory of 968 | 4720 | svchost.com | 83
PID 968 wrote to memory of 3816 | 968 | 5AB751~1.EXE | 84
PID 968 wrote to memory of 3816 | 968 | 5AB751~1.EXE | 84
PID 968 wrote to memory of 3816 | 968 | 5AB751~1.EXE | 84
PID 3816 wrote to memory of 1940 | 3816 | svchost.com | 85
PID 3816 wrote to memory of 1940 | 3816 | svchost.com | 85
PID 3816 wrote to memory of 1940 | 3816 | svchost.com | 85
PID 1940 wrote to memory of 3632 | 1940 | 5AB751~1.EXE | 86
PID 1940 wrote to memory of 3632 | 1940 | 5AB751~1.EXE | 86
PID 1940 wrote to memory of 3632 | 1940 | 5AB751~1.EXE | 86
PID 3632 wrote to memory of 5048 | 3632 | svchost.com | 87
PID 3632 wrote to memory of 5048 | 3632 | svchost.com | 87
PID 3632 wrote to memory of 5048 | 3632 | svchost.com | 87
PID 5048 wrote to memory of 4204 | 5048 | 5AB751~1.EXE | 88
PID 5048 wrote to memory of 4204 | 5048 | 5AB751~1.EXE | 88
PID 5048 wrote to memory of 4204 | 5048 | 5AB751~1.EXE | 88
PID 4204 wrote to memory of 4912 | 4204 | svchost.com | 89
PID 4204 wrote to memory of 4912 | 4204 | svchost.com | 89
PID 4204 wrote to memory of 4912 | 4204 | svchost.com | 89
PID 4912 wrote to memory of 4624 | 4912 | 5AB751~1.EXE | 90
PID 4912 wrote to memory of 4624 | 4912 | 5AB751~1.EXE | 90
PID 4912 wrote to memory of 4624 | 4912 | 5AB751~1.EXE | 90
PID 4624 wrote to memory of 1708 | 4624 | svchost.com | 91
PID 4624 wrote to memory of 1708 | 4624 | svchost.com | 91
PID 4624 wrote to memory of 1708 | 4624 | svchost.com | 91
PID 1708 wrote to memory of 628 | 1708 | 5AB751~1.EXE | 92
PID 1708 wrote to memory of 628 | 1708 | 5AB751~1.EXE | 92
PID 1708 wrote to memory of 628 | 1708 | 5AB751~1.EXE | 92
PID 628 wrote to memory of 3480 | 628 | svchost.com | 93
PID 628 wrote to memory of 3480 | 628 | svchost.com | 93
PID 628 wrote to memory of 3480 | 628 | svchost.com | 93
PID 3480 wrote to memory of 4604 | 3480 | 5AB751~1.EXE | 94
PID 3480 wrote to memory of 4604 | 3480 | 5AB751~1.EXE | 94
PID 3480 wrote to memory of 4604 | 3480 | 5AB751~1.EXE | 94
PID 4604 wrote to memory of 3688 | 4604 | svchost.com | 95
PID 4604 wrote to memory of 3688 | 4604 | svchost.com | 95
PID 4604 wrote to memory of 3688 | 4604 | svchost.com | 95
PID 3688 wrote to memory of 2736 | 3688 | 5AB751~1.EXE | 96
PID 3688 wrote to memory of 2736 | 3688 | 5AB751~1.EXE | 96
PID 3688 wrote to memory of 2736 | 3688 | 5AB751~1.EXE | 96
PID 2736 wrote to memory of 2348 | 2736 | svchost.com | 97
PID 2736 wrote to memory of 2348 | 2736 | svchost.com | 97
PID 2736 wrote to memory of 2348 | 2736 | svchost.com | 97
PID 2348 wrote to memory of 3924 | 2348 | 5AB751~1.EXE | 98
Processes
Depth  PID  Image  Command line  [Signatures triggered by this process, where any]
1  PID 1936  C:\Users\Admin\AppData\Local\Temp\5ab7518bc969560c04d11c76de7a65a885245a2c1174792aa2f4cc03e331ce46.exe  "C:\Users\Admin\AppData\Local\Temp\5ab7518bc969560c04d11c76de7a65a885245a2c1174792aa2f4cc03e331ce46.exe"  [Modifies system executable filetype association; Drops file in Program Files directory; Suspicious use of WriteProcessMemory]
2  PID 4848  C:\Users\Admin\AppData\Local\Temp\3582-490\5ab7518bc969560c04d11c76de7a65a885245a2c1174792aa2f4cc03e331ce46.exe  "C:\Users\Admin\AppData\Local\Temp\3582-490\5ab7518bc969560c04d11c76de7a65a885245a2c1174792aa2f4cc03e331ce46.exe"  [Executes dropped EXE; Drops file in Program Files directory; Suspicious use of WriteProcessMemory]
3  PID 4856  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
4  PID 3108  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
5  PID 4940  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"  [Executes dropped EXE; Drops file in Windows directory; Suspicious use of WriteProcessMemory]
6  PID 4696  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
7  PID 4720  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"  [Executes dropped EXE; Drops file in Windows directory; Suspicious use of WriteProcessMemory]
8  PID 968  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  [Executes dropped EXE; Drops file in Windows directory; Suspicious use of WriteProcessMemory]
9  PID 3816  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
10  PID 1940  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  [Executes dropped EXE; Checks computer location settings; Suspicious use of WriteProcessMemory]
11  PID 3632  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"  [Executes dropped EXE; Drops file in Windows directory; Suspicious use of WriteProcessMemory]
12  PID 5048  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
13  PID 4204  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
14  PID 4912  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  [Executes dropped EXE; Checks computer location settings; Suspicious use of WriteProcessMemory]
15  PID 4624  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
16  PID 1708  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
17  PID 628  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
18  PID 3480  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
19  PID 4604  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
20  PID 3688  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
21  PID 2736  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
22  PID 2348  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
23  PID 3924  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"  [Executes dropped EXE]
24  PID 3112  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  [Executes dropped EXE]
25  PID 4040  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"  [Executes dropped EXE]
26  PID 2764  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  [Executes dropped EXE; Checks computer location settings; Drops file in Windows directory]
27  PID 4308  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"  [Executes dropped EXE]
28  PID 2080  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  [Executes dropped EXE; Modifies registry class]
29  PID 4232  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"  [Executes dropped EXE]
30  PID 1160  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  [Executes dropped EXE; Checks computer location settings; Drops file in Windows directory; Modifies registry class]
31  PID 2260  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"  [Executes dropped EXE]
32  PID 3324  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  [Executes dropped EXE]
33  PID 1400  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"  [Executes dropped EXE]
34  PID 2564  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  [Executes dropped EXE]
35  PID 3404  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"  [Executes dropped EXE]
36  PID 2488  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  [Executes dropped EXE]
37  PID 3364  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"  [Executes dropped EXE]
38  PID 2816  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  [Executes dropped EXE]
39  PID 1032  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"  [Executes dropped EXE]
40  PID 2328  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  [Executes dropped EXE]
41  PID 2300  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"  [Executes dropped EXE]
42  PID 4416  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  [Executes dropped EXE]
43  PID 3812  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"  [Executes dropped EXE]
44  PID 1584  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  [Executes dropped EXE; Modifies registry class]
45  PID 1364  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"  [Executes dropped EXE]
46  PID 4392  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  [Executes dropped EXE]
47  PID 3836  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"  [Executes dropped EXE]
48  PID 5104  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  [Executes dropped EXE]
49  PID 2228  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"  [Executes dropped EXE]
50  PID 3012  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  [Executes dropped EXE; Drops file in Windows directory]
51  PID 1264  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"  [Executes dropped EXE]
52  PID 2384  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  [Executes dropped EXE; Checks computer location settings]
53  PID 1868  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"  [Executes dropped EXE]
54  PID 3232  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  [Executes dropped EXE]
55  PID 3524  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"  [Executes dropped EXE]
56  PID 2320  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  [Executes dropped EXE]
57  PID 3128  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"  [Executes dropped EXE]
58  PID 3452  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  [Executes dropped EXE; Checks computer location settings]
59  PID 3092  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"  [Executes dropped EXE]
60  PID 2808  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  [Executes dropped EXE]
61  PID 1192  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"  [Executes dropped EXE]
62  PID 384  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  [Executes dropped EXE]
63  PID 5044  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"  [Executes dropped EXE]
64  PID 5000  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  [Executes dropped EXE; Checks computer location settings]
65  PID 5020  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"  [Executes dropped EXE]
66  PID 392  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE
67  PID 4184  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"
68  PID 4052  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  [Modifies registry class]
69  PID 4172  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"  [Drops file in Windows directory]
70  PID 364  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE
71  PID 1644  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"
72  PID 2068  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE
73  PID 2464  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"
74  PID 1524  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE
75  PID 4404  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"
76  PID 4872  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE
77  PID 2592  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"
78  PID 2540  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE
79  PID 4108  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"
80  PID 2664  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE
81  PID 1480  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"
82  PID 2920  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE
83  PID 4452  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"
84  PID 1276  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  [Checks computer location settings; Drops file in Windows directory]
85  PID 4612  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"
86  PID 440  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE
87  PID 1840  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"
88  PID 3740  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE
89  PID 1700  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"
90  PID 544  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE
91  PID 3784  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"
92  PID 2328  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE
93  PID 1096  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"
94  PID 3076  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE
95  PID 988  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"  [Drops file in Windows directory]
96  PID 5056  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  [Modifies registry class]
97  PID 428  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"
98  PID 1804  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  [Checks computer location settings]
99  PID 1152  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"
100  PID 5104  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  [Modifies registry class]
101  PID 3708  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"
102  PID 1612  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE
103  PID 3080  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"
104  PID 2384  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE
105  PID 1880  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"
106  PID 3232  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  [Modifies registry class]
107  PID 4692  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"
108  PID 3136  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  [Modifies registry class]
109  PID 4588  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"
110  PID 2404  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE
111  PID 3108  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"
112  PID 4100  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE
113  PID 4696  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"
114  PID 1192  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  [Modifies registry class]
115  PID 940  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"
116  PID 3632  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  [Drops file in Windows directory]
117  PID 5012  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"
118  PID 2828  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  [Modifies registry class]
119  PID 4748  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"
120  PID 4112  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE
121  PID 1004  C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE"
122  PID 4548  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\5AB751~1.EXE