Analysis
- max time kernel: 156s
- max time network: 161s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/10/2022, 18:00

Static task: static1

Behavioral task: behavioral1
- Sample: b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
- Resource: win10v2004-20220901-en

General
- Target: b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
- Size: 837KB
- MD5: 675e05481d69541b515e69c4ae64a340
- SHA1: e0052844b893512a2bbda981741ec6e1033892ee
- SHA256: b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1
- SHA512: cb7098aca63dd32b2c8855e3d07ad680c766b6093aebb485ad006bbfaada08ee86e0f4874f46702ebc4f9d12c4238e6129a11900e063b74334047d1a507f2c66
- SSDEEP: 12288:jabdMdss+/feo6kk16TT7FX24Sylgxf+m4yseQa4eF:jaiesofprk1yxX7Syl++m4ysja4m

Malware Config

Signatures
- Detect Neshta payload (35 IoCs)
  resource | yara_rule
  behavioral2/files/0x0001000000022dfd-136.dat | family_neshta
  behavioral2/files/0x0001000000022dfd-138.dat | family_neshta
  behavioral2/files/0x0002000000022e01-145.dat | family_neshta
  behavioral2/files/0x0002000000022e01-146.dat | family_neshta
  behavioral2/files/0x000500000001e6ec-148.dat | family_neshta
  behavioral2/files/0x0004000000009f75-150.dat | family_neshta
  behavioral2/files/0x000500000001e6ec-149.dat | family_neshta
  behavioral2/files/0x0002000000022e01-152.dat | family_neshta
  behavioral2/files/0x000500000001e6ec-154.dat | family_neshta
  behavioral2/files/0x0002000000022e01-158.dat | family_neshta
  behavioral2/files/0x000500000001e6ec-160.dat | family_neshta
  behavioral2/files/0x0002000000022e01-164.dat | family_neshta
  behavioral2/files/0x000500000001e6ec-166.dat | family_neshta
  behavioral2/files/0x0002000000022e01-170.dat | family_neshta
  behavioral2/files/0x000500000001e6ec-173.dat | family_neshta
  behavioral2/files/0x0002000000022e01-176.dat | family_neshta
  behavioral2/files/0x000700000001f05c-180.dat | family_neshta
  behavioral2/files/0x000700000001f068-179.dat | family_neshta
  behavioral2/files/0x000500000001e6ec-178.dat | family_neshta
  behavioral2/files/0x0002000000022e01-184.dat | family_neshta
  behavioral2/files/0x000200000001f153-186.dat | family_neshta
  behavioral2/files/0x000200000001f06f-185.dat | family_neshta
  behavioral2/files/0x000500000001e6ec-188.dat | family_neshta
  behavioral2/files/0x0002000000022e01-192.dat | family_neshta
  behavioral2/files/0x000500000001e6ec-194.dat | family_neshta
  behavioral2/files/0x0002000000022e01-198.dat | family_neshta
  behavioral2/files/0x000500000001e6ec-200.dat | family_neshta
  behavioral2/files/0x0002000000022e01-204.dat | family_neshta
  behavioral2/files/0x000500000001e6ec-206.dat | family_neshta
  behavioral2/files/0x0002000000022e01-210.dat | family_neshta
  behavioral2/files/0x000500000001e6ec-212.dat | family_neshta
  behavioral2/files/0x0002000000022e01-216.dat | family_neshta
  behavioral2/files/0x000500000001e6ec-218.dat | family_neshta
  behavioral2/files/0x0002000000022e01-222.dat | family_neshta
  behavioral2/files/0x000500000001e6ec-224.dat | family_neshta
- Modifies system executable filetype association (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
- Neshta
  Malware from the Neshta family is designed to inject itself into other executable files in order to spread and cause damage.
- Executes dropped EXE (64 IoCs)
  pid | Process
  2748 | svchost.exe
  1900 | b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
  4144 | svchost.exe
  4424 | b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
  3224 | svchost.exe
  4412 | b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
  3832 | svchost.com
  2816 | B7A370~1.EXE
  3036 | svchost.com
  880 | B7A370~1.EXE
  4448 | svchost.com
  4416 | B7A370~1.EXE
  2664 | svchost.com
  396 | B7A370~1.EXE
  4532 | svchost.com
  4152 | B7A370~1.EXE
  1632 | svchost.com
  768 | B7A370~1.EXE
  3456 | svchost.com
  4568 | B7A370~1.EXE
  2408 | svchost.com
  3540 | B7A370~1.EXE
  2188 | svchost.com
  5096 | B7A370~1.EXE
  3516 | svchost.com
  4368 | B7A370~1.EXE
  3852 | svchost.com
  456 | B7A370~1.EXE
  3876 | svchost.com
  4628 | B7A370~1.EXE
  520 | svchost.com
  4108 | B7A370~1.EXE
  4048 | svchost.com
  2192 | B7A370~1.EXE
  3480 | svchost.com
  876 | B7A370~1.EXE
  1272 | svchost.com
  1732 | B7A370~1.EXE
  4376 | svchost.com
  3036 | B7A370~1.EXE
  2872 | svchost.com
  3156 | B7A370~1.EXE
  2176 | svchost.com
  4416 | B7A370~1.EXE
  4388 | svchost.com
  1004 | B7A370~1.EXE
  3460 | svchost.com
  3836 | B7A370~1.EXE
  3064 | svchost.com
  1788 | B7A370~1.EXE
  4656 | svchost.com
  4540 | B7A370~1.EXE
  1756 | svchost.com
  4548 | B7A370~1.EXE
  2188 | svchost.com
  3816 | B7A370~1.EXE
  1628 | svchost.com
  3352 | B7A370~1.EXE
  1792 | svchost.com
  816 | B7A370~1.EXE
  456 | svchost.com
  1000 | B7A370~1.EXE
  4460 | svchost.com
  4628 | B7A370~1.EXE
- Checks computer location settings (2 TTPs, 64 IoCs)
  Looks up the country code configured in the registry, likely for geofencing.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | svchost.com
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | B7A370~1.EXE
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Drops file in Program Files directory (64 IoCs)
  description | ioc | Process
  File opened for modification | C:\PROGRA~2\MOZILL~1\UNINST~1.EXE | b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
  File opened for modification | C:\PROGRA~2\WI8A19~1\ImagingDevices.exe | b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
  File opened for modification | C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE | b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe | svchost.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe | b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE | b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MI9C33~1.EXE | b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
  File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE | b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | svchost.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE | b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE | b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MICROS~4.EXE | b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | svchost.exe
  File opened for modification | C:\PROGRA~2\INTERN~1\ExtExport.exe | b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
  File opened for modification | C:\PROGRA~2\WINDOW~4\wmlaunch.exe | b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
  File opened for modification | C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE | b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe | svchost.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MI9C33~1.EXE | b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
  File opened for modification | C:\PROGRA~2\WINDOW~4\wmpconfig.exe | b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
  File opened for modification | C:\PROGRA~2\WINDOW~4\wmplayer.exe | b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe | svchost.exe
  File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE | b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
  File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE | b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MICROS~1.EXE | b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | svchost.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | svchost.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe | b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE | b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MIA062~1.EXE | b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe | svchost.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe | b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
  File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE | b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe | b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe | svchost.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | svchost.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe | svchost.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | svchost.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE | b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
  File opened for modification | C:\PROGRA~2\WINDOW~2\wab.exe | b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
  File opened for modification | C:\PROGRA~2\WINDOW~4\wmpshare.exe | b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
  File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE | b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MICROS~3.EXE | b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
  File opened for modification | C:\PROGRA~2\WINDOW~4\setup_wm.exe | b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe | b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
  File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE | b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
  File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE | b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
  File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
  File opened for modification | C:\PROGRA~2\WINDOW~4\wmprph.exe | b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe | svchost.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe | b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe | b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
  File opened for modification | C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe | b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
  File opened for modification | C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE | b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
  File opened for modification | C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE | b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe | svchost.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe | svchost.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
  File opened for modification | C:\PROGRA~2\WINDOW~4\wmlaunch.exe | b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
  File opened for modification | C:\PROGRA~2\WI8A19~1\ImagingDevices.exe | b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
  File opened for modification | C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE | b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
- Drops file in Windows directory (64 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\svchost.com | B7A370~1.EXE
  File opened for modification | C:\Windows\svchost.com | svchost.com
  File opened for modification | C:\Windows\svchost.com | svchost.com
  File opened for modification | C:\Windows\directx.sys | B7A370~1.EXE
  File opened for modification | C:\Windows\directx.sys | svchost.com
  File opened for modification | C:\Windows\svchost.com | B7A370~1.EXE
  File opened for modification | C:\Windows\directx.sys | svchost.com
  File opened for modification | C:\Windows\svchost.com | B7A370~1.EXE
  File opened for modification | C:\Windows\svchost.com | svchost.com
  File opened for modification | C:\Windows\svchost.com | svchost.com
  File opened for modification | C:\Windows\svchost.com | B7A370~1.EXE
  File opened for modification | C:\Windows\svchost.com | svchost.com
  File opened for modification | C:\Windows\directx.sys | B7A370~1.EXE
  File opened for modification | C:\Windows\directx.sys | B7A370~1.EXE
  File opened for modification | C:\Windows\directx.sys | svchost.com
  File opened for modification | C:\Windows\svchost.com | B7A370~1.EXE
  File opened for modification | C:\Windows\svchost.com | B7A370~1.EXE
  File opened for modification | C:\Windows\directx.sys | svchost.com
  File opened for modification | C:\Windows\svchost.com | B7A370~1.EXE
  File opened for modification | C:\Windows\directx.sys | svchost.com
  File opened for modification | C:\Windows\directx.sys | B7A370~1.EXE
  File opened for modification | C:\Windows\svchost.com | B7A370~1.EXE
  File opened for modification | C:\Windows\directx.sys | B7A370~1.EXE
  File opened for modification | C:\Windows\svchost.com | svchost.com
  File opened for modification | C:\Windows\directx.sys | svchost.com
  File opened for modification | C:\Windows\svchost.com | svchost.com
  File opened for modification | C:\Windows\svchost.com | B7A370~1.EXE
  File opened for modification | C:\Windows\directx.sys | B7A370~1.EXE
  File opened for modification | C:\Windows\svchost.com | svchost.com
  File opened for modification | C:\Windows\svchost.com | svchost.com
  File opened for modification | C:\Windows\directx.sys | B7A370~1.EXE
  File opened for modification | C:\Windows\directx.sys | svchost.com
  File opened for modification | C:\Windows\svchost.com | svchost.com
  File opened for modification | C:\Windows\directx.sys | svchost.com
  File opened for modification | C:\Windows\directx.sys | B7A370~1.EXE
  File opened for modification | C:\Windows\directx.sys | B7A370~1.EXE
  File opened for modification | C:\Windows\svchost.com | svchost.com
  File opened for modification | C:\Windows\svchost.com | svchost.com
  File opened for modification | C:\Windows\directx.sys | B7A370~1.EXE
  File opened for modification | C:\Windows\directx.sys | svchost.com
  File opened for modification | C:\Windows\svchost.com | svchost.com
  File opened for modification | C:\Windows\directx.sys | B7A370~1.EXE
  File opened for modification | C:\Windows\svchost.com | svchost.com
  File opened for modification | C:\Windows\directx.sys | svchost.com
  File opened for modification | C:\Windows\svchost.com | B7A370~1.EXE
  File opened for modification | C:\Windows\directx.sys | svchost.com
  File opened for modification | C:\Windows\svchost.com | B7A370~1.EXE
  File opened for modification | C:\Windows\directx.sys | svchost.com
  File opened for modification | C:\Windows\directx.sys | svchost.com
  File opened for modification | C:\Windows\svchost.com | svchost.com
  File opened for modification | C:\Windows\directx.sys | svchost.com
  File opened for modification | C:\Windows\svchost.com | svchost.com
  File opened for modification | C:\Windows\svchost.com | B7A370~1.EXE
  File opened for modification | C:\Windows\svchost.com | svchost.com
  File opened for modification | C:\Windows\directx.sys | svchost.com
  File opened for modification | C:\Windows\svchost.com | svchost.com
  File opened for modification | C:\Windows\svchost.com | svchost.com
  File opened for modification | C:\Windows\svchost.com | svchost.com
  File opened for modification | C:\Windows\svchost.com | svchost.com
  File opened for modification | C:\Windows\svchost.com | B7A370~1.EXE
  File opened for modification | C:\Windows\svchost.com | svchost.com
  File opened for modification | C:\Windows\svchost.com | svchost.com
  File opened for modification | C:\Windows\svchost.com | B7A370~1.EXE
  File opened for modification | C:\Windows\svchost.com | svchost.com
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s); likely ransomware behaviour.
- Modifies registry class (64 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | B7A370~1.EXE
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target
PID 800 wrote to memory of 2748  800  b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe  84
PID 2748 wrote to memory of 1900  2748  svchost.exe  85
PID 1900 wrote to memory of 4424  1900  b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe  87
PID 4424 wrote to memory of 3224  4424  b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe  88
PID 3224 wrote to memory of 4412  3224  svchost.exe  89
PID 4412 wrote to memory of 3832  4412  b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe  90
PID 3832 wrote to memory of 2816  3832  svchost.com  91
PID 2816 wrote to memory of 3036  2816  B7A370~1.EXE  92
PID 3036 wrote to memory of 880  3036  svchost.com  93
PID 880 wrote to memory of 4448  880  B7A370~1.EXE  94
PID 4448 wrote to memory of 4416  4448  svchost.com  95
PID 4416 wrote to memory of 2664  4416  B7A370~1.EXE  96
PID 2664 wrote to memory of 396  2664  svchost.com  97
PID 396 wrote to memory of 4532  396  B7A370~1.EXE  98
PID 4532 wrote to memory of 4152  4532  svchost.com  99
PID 4152 wrote to memory of 1632  4152  B7A370~1.EXE  100
PID 1632 wrote to memory of 768  1632  svchost.com  101
PID 768 wrote to memory of 3456  768  B7A370~1.EXE  102
PID 3456 wrote to memory of 4568  3456  svchost.com  103
PID 4568 wrote to memory of 2408  4568  B7A370~1.EXE  104
PID 2408 wrote to memory of 3540  2408  svchost.com  105
PID 3540 wrote to memory of 2188  3540  B7A370~1.EXE  106
Every row except the last is recorded three times in the report (64 IoCs in total). Each target is the writer's own newly created child, matching the process tree below; no writes into unrelated processes are recorded.
Processes
-
C:\Users\Admin\AppData\Local\Temp\b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe  "C:\Users\Admin\AppData\Local\Temp\b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe"  1⤵
- Suspicious use of WriteProcessMemory
PID:800 -
C:\Windows\svchost.exe  "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe"  2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Users\Admin\AppData\Local\Temp\b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe  "C:\Users\Admin\AppData\Local\Temp\b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe"  3⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\Users\Admin\AppData\Local\Temp\3582-490\b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe  "C:\Users\Admin\AppData\Local\Temp\3582-490\b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe"  4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4424 -
C:\Windows\svchost.exe  "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\3582-490\b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe"  5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3224 -
C:\Users\Admin\AppData\Local\Temp\3582-490\b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe  "C:\Users\Admin\AppData\Local\Temp\3582-490\b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe"  6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4412 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3832 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:880 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4448 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4416 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:396 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4532 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4152 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  17⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:768 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3456 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  20⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4568 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3540 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  23⤵
- Executes dropped EXE
PID:2188 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  24⤵
- Executes dropped EXE
- Checks computer location settings
PID:5096 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  25⤵
- Executes dropped EXE
PID:3516 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  26⤵
- Executes dropped EXE
PID:4368 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  27⤵
- Executes dropped EXE
PID:3852 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  28⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:456 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  29⤵
- Executes dropped EXE
PID:3876 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  30⤵
- Executes dropped EXE
PID:4628 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  31⤵
- Executes dropped EXE
PID:520 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  32⤵
- Executes dropped EXE
- Checks computer location settings
PID:4108 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  33⤵
- Executes dropped EXE
PID:4048 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  34⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  35⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3480 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  36⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:876 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  37⤵
- Executes dropped EXE
PID:1272 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  38⤵
- Executes dropped EXE
- Modifies registry class
PID:1732 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  39⤵
- Executes dropped EXE
PID:4376 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  40⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  41⤵
- Executes dropped EXE
PID:2872 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  42⤵
- Executes dropped EXE
- Modifies registry class
PID:3156 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  43⤵
- Executes dropped EXE
PID:2176 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  44⤵
- Executes dropped EXE
PID:4416 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  45⤵
- Executes dropped EXE
PID:4388 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  46⤵
- Executes dropped EXE
PID:1004 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  47⤵
- Executes dropped EXE
PID:3460 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  48⤵
- Executes dropped EXE
PID:3836 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  49⤵
- Executes dropped EXE
PID:3064 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  50⤵
- Executes dropped EXE
- Modifies registry class
PID:1788 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  51⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4656 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  52⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:4540 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  53⤵
- Executes dropped EXE
PID:1756 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  54⤵
- Executes dropped EXE
PID:4548 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  55⤵
- Executes dropped EXE
PID:2188 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  56⤵
- Executes dropped EXE
- Modifies registry class
PID:3816 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  57⤵
- Executes dropped EXE
PID:1628 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  58⤵
- Executes dropped EXE
PID:3352 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  59⤵
- Executes dropped EXE
PID:1792 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  60⤵
- Executes dropped EXE
- Modifies registry class
PID:816 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  61⤵
- Executes dropped EXE
PID:456 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  62⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:1000 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  63⤵
- Executes dropped EXE
PID:4460 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  64⤵
- Executes dropped EXE
PID:4628 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  65⤵
PID:4344 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  66⤵
PID:4984 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  67⤵
PID:548 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  68⤵
PID:876 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  69⤵
PID:4584 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  70⤵
- Checks computer location settings
PID:3304 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  71⤵
PID:2936 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  72⤵
PID:1996 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  73⤵
- Drops file in Windows directory
PID:2744 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  74⤵
- Checks computer location settings
PID:2040 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  75⤵
PID:4416 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  76⤵
PID:4128 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  77⤵
PID:4084 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  78⤵
PID:2944 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  79⤵
PID:2716 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  80⤵
PID:4492 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  81⤵
PID:3340 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  82⤵
- Drops file in Windows directory
PID:3392 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  83⤵
- Drops file in Windows directory
PID:1200 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  84⤵
PID:4836 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  85⤵
PID:1860 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  86⤵
- Modifies registry class
PID:3136 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  87⤵
PID:3704 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  88⤵
- Modifies registry class
PID:1220 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  89⤵
PID:4636 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  90⤵
- Modifies registry class
PID:2976 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  91⤵
PID:2996 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  92⤵
- Checks computer location settings
PID:3488 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  93⤵
PID:224 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  94⤵
PID:3732 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  95⤵
PID:1732 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  96⤵
- Drops file in Windows directory
PID:876 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  97⤵
PID:3464 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  98⤵
- Checks computer location settings
- Drops file in Windows directory
PID:4872 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  99⤵
PID:1996 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  100⤵
PID:2176 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  101⤵
- Drops file in Windows directory
PID:4328 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  102⤵
- Drops file in Windows directory
PID:2288 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  103⤵
PID:4128 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  104⤵
PID:4332 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  105⤵
PID:2964 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  106⤵
PID:2944 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  107⤵
PID:1036 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  108⤵
PID:3752 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  109⤵
PID:2356 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  110⤵
PID:848 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  111⤵
PID:2392 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  112⤵
PID:3392 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  113⤵
PID:4356 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  114⤵
PID:2324 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  115⤵
PID:2540 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  116⤵
- Drops file in Windows directory
PID:1628 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  117⤵
PID:3324 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  118⤵
- Modifies registry class
PID:312 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  119⤵
PID:2060 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  120⤵
PID:1368 -
C:\Windows\svchost.com  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"  121⤵
PID:4604 -
C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE  122⤵
- Checks computer location settings
- Modifies registry class
PID:4344
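The tree above is one linear chain: a copy of svchost.exe / svchost.com running from C:\Windows (not System32) is handed the program's own path as its first argument and then spawns that program, over and over, 122 levels deep. Together with the "Modifies system executable filetype association" signature, that is the footprint of an exefile shell\open\command handler pointed at the dropped relay. The Python below is an added example for triaging such telemetry; it is not part of the sandbox report or of Triage. The process events are constructed by hand to mirror the first ten levels of the tree (in practice they would come from Sysmon event 1 or EDR process-create logs), the System32/SysWOW64 allow-list for a genuine svchost.exe is the author's assumption, and the hijacked exefile value passed to exefile_handler_path is constructed to match the relay command lines in the tree; the report does not quote the registry value itself.

```python
r"""Added example (not from the report): triage helpers for a relay-launch chain.

Flags (1) svchost.* images outside System32/SysWOW64, like the report's
C:\Windows\svchost.com and C:\Windows\svchost.exe, (2) children that such a
relay spawned after receiving the child's own path as argv[1], which is what a
hijacked HKCR\exefile\shell\open\command handler produces, and (3) a foreign
handler in an exported exefile command value.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass
from typing import Iterable, Optional

# Stock Windows value for HKCR\exefile\shell\open\command.
DEFAULT_EXEFILE_COMMAND = '"%1" %*'
# Assumption: the only directories where a genuine svchost.exe lives.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the executable image
    command_line: str


def split_windows_cmdline(cmdline: str) -> list:
    """Split on whitespace while honouring double quotes (simplified CommandLineToArgvW)."""
    tokens, current, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens


def is_masquerading_svchost(image: str) -> bool:
    """svchost.exe/svchost.com anywhere other than the real service-host directories."""
    name = ntpath.basename(image).lower()
    directory = ntpath.normcase(ntpath.dirname(image))
    return name.startswith("svchost.") and directory not in LEGIT_SVCHOST_DIRS


def is_relay_launch(parent: ProcEvent, child: ProcEvent) -> bool:
    """The masquerading relay was given the child's own path as argv[1] and spawned it."""
    if not is_masquerading_svchost(parent.image):
        return False
    argv = split_windows_cmdline(parent.command_line)
    return len(argv) >= 2 and ntpath.normcase(argv[1]) == ntpath.normcase(child.image)


def exefile_handler_path(command_value: str) -> Optional[str]:
    """Return the foreign handler in an exefile open command, or None if it is the stock '"%1" %*'."""
    argv = split_windows_cmdline(command_value)
    if not argv or argv[0] == "%1":
        return None
    return argv[0]


def triage(events: Iterable[ProcEvent]) -> dict:
    """Masquerading svchost PIDs plus every PID that one of them relay-launched."""
    events = list(events)
    # Caveat: sandboxes and real hosts reuse PIDs (the report shows 3036, 4416 and
    # 876 more than once); production telemetry should key on a process GUID.
    by_pid = {e.pid: e for e in events}
    masquerading = sorted(e.pid for e in events if is_masquerading_svchost(e.image))
    relayed = [e.pid for e in events
               if e.ppid in by_pid and is_relay_launch(by_pid[e.ppid], e)]
    return {"masquerading_svchost": masquerading, "relay_launched": relayed}


def chain_depth(events: Iterable[ProcEvent]) -> int:
    """Longest root-to-leaf path in the tree; the report's chain is 122 deep."""
    events = list(events)
    pids = {e.pid for e in events}
    kids = {}
    for e in events:
        kids.setdefault(e.ppid, []).append(e.pid)

    def depth(pid: int) -> int:
        return 1 + max((depth(k) for k in kids.get(pid, [])), default=0)

    return max((depth(e.pid) for e in events if e.ppid not in pids), default=0)


# Constructed events mirroring the first ten levels of the report's process tree.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe"
SAMPLE_COPY = r"C:\Users\Admin\AppData\Local\Temp\3582-490\b7a370ef08ad7818937bd10cb6ad5800b46aaf0cdd5bdd661ce0cb49882d9cd1.exe"
HOST = r"C:\Users\Admin\AppData\Local\Temp\3582-490\B7A370~1.EXE"
RELAY_EXE = r"C:\Windows\svchost.exe"
RELAY_COM = r"C:\Windows\svchost.com"
EVENTS = [
    ProcEvent(800, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2748, 800, RELAY_EXE, f'"{RELAY_EXE}" "{SAMPLE}"'),
    ProcEvent(1900, 2748, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(4424, 1900, SAMPLE_COPY, f'"{SAMPLE_COPY}"'),
    ProcEvent(3224, 4424, RELAY_EXE, f'"{RELAY_EXE}" "{SAMPLE_COPY}"'),
    ProcEvent(4412, 3224, SAMPLE_COPY, f'"{SAMPLE_COPY}"'),
    ProcEvent(3832, 4412, RELAY_COM, f'"{RELAY_COM}" "{HOST}"'),
    ProcEvent(2816, 3832, HOST, HOST),
    ProcEvent(3036, 2816, RELAY_COM, f'"{RELAY_COM}" "{HOST}"'),
    ProcEvent(880, 3036, HOST, HOST),
]

if __name__ == "__main__":
    print(triage(EVENTS))
    print("chain depth:", chain_depth(EVENTS))
    # Constructed value shaped like the relay command lines above (not quoted in the report).
    print("exefile handler:", exefile_handler_path(f'"{RELAY_COM}" "%1" %*'))
```

On the constructed events the relay check flags PIDs 1900, 4412, 2816 and 880 as launched through a masquerading svchost, and the depth counter returns 10; on the full report it would return 122. A relay depth in the dozens from a single root is itself a strong signal, independent of any file hash, which matters for a file infector whose host binaries all differ.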