Analysis
max time kernel: 190s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
submitted: 13/10/2022, 21:22
Static task: static1
Behavioral task: behavioral1
  Sample: 927a01388f29cfae90666ab8e2683cdba4de0ef4dc18387f5981b9b166b29f60.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 927a01388f29cfae90666ab8e2683cdba4de0ef4dc18387f5981b9b166b29f60.exe
  Resource: win10v2004-20220812-en
General
Target: 927a01388f29cfae90666ab8e2683cdba4de0ef4dc18387f5981b9b166b29f60.exe
Size: 569KB
MD5: 75af7554cfafa2d8cebe3802f457ab40
SHA1: f2bc4dd47de6f286f6fc2be390f5862be64072bc
SHA256: 927a01388f29cfae90666ab8e2683cdba4de0ef4dc18387f5981b9b166b29f60
SHA512: 611e65b45bc911c27a96506836ca70e9429d82bb456c020a9542166eb3622bfcdf416235e67b329a4f30750552e384dddd77cd2b7e382121e43211ad43b15356
SSDEEP: 6144:jyH7xOc6H5c6HcT66vlmrNI+TLbgUeRUqKFyH7xOc6H5c6HcT66vlmrhUeRUqTyB:ja8I+HTeoa9efa9efa9efa9efa9eE
Malware Config
Signatures
Detect Neshta payload (38 IoCs)
resource  yara_rule
behavioral1/files/0x000600000001561a-57.dat  family_neshta
behavioral1/files/0x000600000001561a-58.dat  family_neshta
behavioral1/files/0x000600000001561a-60.dat  family_neshta
behavioral1/files/0x000600000001561a-62.dat  family_neshta
behavioral1/files/0x0006000000015c15-73.dat  family_neshta
behavioral1/files/0x0006000000015c15-76.dat  family_neshta
behavioral1/files/0x0006000000015c15-74.dat  family_neshta
behavioral1/files/0x0006000000015c15-78.dat  family_neshta
behavioral1/files/0x0007000000015602-79.dat  family_neshta
behavioral1/files/0x0007000000015602-83.dat  family_neshta
behavioral1/files/0x0006000000015c15-90.dat  family_neshta
behavioral1/files/0x0006000000015c15-88.dat  family_neshta
behavioral1/files/0x0006000000015c15-87.dat  family_neshta
behavioral1/files/0x0007000000015602-94.dat  family_neshta
behavioral1/files/0x0006000000015c15-97.dat  family_neshta
behavioral1/files/0x0006000000015c15-98.dat  family_neshta
behavioral1/files/0x0006000000015c15-100.dat  family_neshta
behavioral1/files/0x0007000000015602-103.dat  family_neshta
behavioral1/files/0x0006000000015c15-107.dat  family_neshta
behavioral1/files/0x0006000000015c15-108.dat  family_neshta
behavioral1/files/0x0006000000015c15-110.dat  family_neshta
behavioral1/files/0x0007000000015602-114.dat  family_neshta
behavioral1/files/0x0006000000015c15-117.dat  family_neshta
behavioral1/files/0x0006000000015c15-118.dat  family_neshta
behavioral1/files/0x0006000000015c15-120.dat  family_neshta
behavioral1/files/0x0007000000015602-124.dat  family_neshta
behavioral1/files/0x0006000000015c15-127.dat  family_neshta
behavioral1/files/0x0006000000015c15-128.dat  family_neshta
behavioral1/files/0x0006000000015c15-130.dat  family_neshta
behavioral1/files/0x0007000000015602-134.dat  family_neshta
behavioral1/files/0x0006000000015c15-137.dat  family_neshta
behavioral1/files/0x0006000000015c15-138.dat  family_neshta
behavioral1/files/0x0006000000015c15-140.dat  family_neshta
behavioral1/files/0x0007000000015602-144.dat  family_neshta
behavioral1/files/0x0006000000015c15-145.dat  family_neshta
behavioral1/files/0x0006000000015c15-146.dat  family_neshta
behavioral1/files/0x0006000000015c15-147.dat  family_neshta
behavioral1/files/0x0007000000015602-150.dat  family_neshta
Modifies system executable filetype association (2 TTPs, 1 IoCs)
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
Process: 927a01388f29cfae90666ab8e2683cdba4de0ef4dc18387f5981b9b166b29f60.exe
Neshta
Neshta is a file infector: malware from this family is designed to insert itself into other executable files in order to spread and cause damage.
Executes dropped EXE (64 IoCs)
pid  Process
1872  svchost.exe
2016  927a01388f29cfae90666ab8e2683cdba4de0ef4dc18387f5981b9b166b29f60.exe
1324  svchost.exe
1392  927a01388f29cfae90666ab8e2683cdba4de0ef4dc18387f5981b9b166b29f60.exe
964  svchost.exe
1824  927a01388f29cfae90666ab8e2683cdba4de0ef4dc18387f5981b9b166b29f60.exe
1768  svchost.com
1352  927A01~1.EXE
1600  svchost.com
900  927A01~1.EXE
2040  svchost.com
2028  927A01~1.EXE
1360  svchost.com
1300  927A01~1.EXE
472  svchost.com
596  927A01~1.EXE
1020  svchost.com
1364  927A01~1.EXE
1788  svchost.com
2012  927A01~1.EXE
1624  svchost.com
1872  927A01~1.EXE
1116  svchost.com
1728  927A01~1.EXE
1732  svchost.com
1748  927A01~1.EXE
1528  svchost.com
288  927A01~1.EXE
1352  svchost.com
1040  927A01~1.EXE
1924  svchost.com
1944  927A01~1.EXE
1964  svchost.com
1992  927A01~1.EXE
2040  svchost.com
692  927A01~1.EXE
1216  svchost.com
436  927A01~1.EXE
1360  svchost.com
320  927A01~1.EXE
584  svchost.com
1552  927A01~1.EXE
1936  svchost.com
872  927A01~1.EXE
1628  svchost.com
632  927A01~1.EXE
1328  svchost.com
368  927A01~1.EXE
1284  svchost.com
1640  927A01~1.EXE
1232  svchost.com
932  927A01~1.EXE
1732  svchost.com
1700  927A01~1.EXE
1136  svchost.com
592  927A01~1.EXE
1656  svchost.com
1688  927A01~1.EXE
1480  svchost.com
1944  927A01~1.EXE
1964  svchost.com
2008  927A01~1.EXE
1804  svchost.com
1580  927A01~1.EXE
Loads dropped DLL (64 IoCs)
pid  Process
1872  svchost.exe
1872  svchost.exe
2016  927a01388f29cfae90666ab8e2683cdba4de0ef4dc18387f5981b9b166b29f60.exe
2016  927a01388f29cfae90666ab8e2683cdba4de0ef4dc18387f5981b9b166b29f60.exe
2016  927a01388f29cfae90666ab8e2683cdba4de0ef4dc18387f5981b9b166b29f60.exe
2016  927a01388f29cfae90666ab8e2683cdba4de0ef4dc18387f5981b9b166b29f60.exe
964  svchost.exe
964  svchost.exe
1824  927a01388f29cfae90666ab8e2683cdba4de0ef4dc18387f5981b9b166b29f60.exe
1824  927a01388f29cfae90666ab8e2683cdba4de0ef4dc18387f5981b9b166b29f60.exe
2016  927a01388f29cfae90666ab8e2683cdba4de0ef4dc18387f5981b9b166b29f60.exe
1824  927a01388f29cfae90666ab8e2683cdba4de0ef4dc18387f5981b9b166b29f60.exe
1768  svchost.com
1768  svchost.com
1600  svchost.com
1600  svchost.com
2040  svchost.com
2040  svchost.com
1360  svchost.com
1360  svchost.com
472  svchost.com
472  svchost.com
1020  svchost.com
1020  svchost.com
1788  svchost.com
1788  svchost.com
1624  svchost.com
1624  svchost.com
1116  svchost.com
1116  svchost.com
1732  svchost.com
1732  svchost.com
1528  svchost.com
1528  svchost.com
1352  svchost.com
1352  svchost.com
1924  svchost.com
1924  svchost.com
1964  svchost.com
1964  svchost.com
2040  svchost.com
2040  svchost.com
1216  svchost.com
1216  svchost.com
1360  svchost.com
1360  svchost.com
584  svchost.com
584  svchost.com
1936  svchost.com
1936  svchost.com
1628  svchost.com
1628  svchost.com
1328  svchost.com
1328  svchost.com
1284  svchost.com
1284  svchost.com
1232  svchost.com
1232  svchost.com
1732  svchost.com
1732  svchost.com
1136  svchost.com
1136  svchost.com
1656  svchost.com
1656  svchost.com
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
Drops file in Program Files directory (64 IoCs)
description: File opened for modification
Process (all entries): 927a01388f29cfae90666ab8e2683cdba4de0ef4dc18387f5981b9b166b29f60.exe
ioc:
C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE
C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE
C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE
C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE
C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe
C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE
C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE
C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE
C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE
C:\PROGRA~2\WI54FB~1\wmprph.exe
C:\PROGRA~2\INTERN~1\ieinstal.exe
C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE
C:\PROGRA~2\WI54FB~1\WMPDMC.exe
C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE
C:\PROGRA~2\WI54FB~1\setup_wm.exe
C:\PROGRA~2\WI54FB~1\wmlaunch.exe
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe
C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE
C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE
C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE
C:\PROGRA~2\WI54FB~1\wmpconfig.exe
C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE
C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE
C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE
C:\PROGRA~2\WINDOW~1\wab.exe
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE
C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE
C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE
C:\PROGRA~2\WINDOW~1\wabmig.exe
C:\PROGRA~2\WINDOW~1\WinMail.exe
C:\PROGRA~2\WI54FB~1\wmpshare.exe
C:\PROGRA~2\INTERN~1\ielowutil.exe
C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe
C:\PROGRA~2\MICROS~1\Office14\misc.exe
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
C:\PROGRA~2\WINDOW~1\WinMail.exe
C:\PROGRA~2\WINDOW~4\ImagingDevices.exe
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE
C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe
C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe
C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE
C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE
C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE
C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE
C:\PROGRA~2\INTERN~1\ielowutil.exe
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe
C:\PROGRA~2\WI4223~1\sidebar.exe
C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe
C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE
Drops file in Windows directory (64 IoCs)
description: File opened for modification
ioc  Process
C:\Windows\directx.sys  Process not Found
C:\Windows\svchost.com  Process not Found
C:\Windows\directx.sys  927A01~1.EXE
C:\Windows\svchost.com  927A01~1.EXE
C:\Windows\directx.sys  svchost.com
C:\Windows\directx.sys  927A01~1.EXE
C:\Windows\directx.sys  Process not Found
C:\Windows\svchost.com  Process not Found
C:\Windows\svchost.com  Process not Found
C:\Windows\svchost.com  svchost.com
C:\Windows\svchost.com  svchost.com
C:\Windows\directx.sys  927A01~1.EXE
C:\Windows\directx.sys  Process not Found
C:\Windows\svchost.com  Process not Found
C:\Windows\directx.sys  Process not Found
C:\Windows\directx.sys  927A01~1.EXE
C:\Windows\svchost.com  svchost.com
C:\Windows\directx.sys  927A01~1.EXE
C:\Windows\svchost.com  svchost.com
C:\Windows\svchost.com  svchost.com
C:\Windows\svchost.com  Process not Found
C:\Windows\directx.sys  Process not Found
C:\Windows\svchost.com  Process not Found
C:\Windows\directx.sys  927A01~1.EXE
C:\Windows\directx.sys  927A01~1.EXE
C:\Windows\directx.sys  927A01~1.EXE
C:\Windows\svchost.com  927A01~1.EXE
C:\Windows\svchost.com  svchost.com
C:\Windows\directx.sys  927A01~1.EXE
C:\Windows\svchost.com  svchost.com
C:\Windows\directx.sys  svchost.com
C:\Windows\directx.sys  927A01~1.EXE
C:\Windows\svchost.com  Process not Found
C:\Windows\directx.sys  Process not Found
C:\Windows\directx.sys  svchost.com
C:\Windows\svchost.com  svchost.com
C:\Windows\directx.sys  927A01~1.EXE
C:\Windows\svchost.com  927A01~1.EXE
C:\Windows\directx.sys  svchost.com
C:\Windows\directx.sys  927A01~1.EXE
C:\Windows\directx.sys  927A01~1.EXE
C:\Windows\svchost.com  Process not Found
C:\Windows\svchost.com  svchost.com
C:\Windows\svchost.com  927A01~1.EXE
C:\Windows\svchost.com  927A01~1.EXE
C:\Windows\svchost.com  svchost.com
C:\Windows\svchost.com  927A01~1.EXE
C:\Windows\directx.sys  svchost.com
C:\Windows\directx.sys  927A01~1.EXE
C:\Windows\svchost.com  svchost.com
C:\Windows\directx.sys  Process not Found
C:\Windows\svchost.com  svchost.com
C:\Windows\directx.sys  svchost.com
C:\Windows\svchost.com  927A01~1.EXE
C:\Windows\svchost.com  Process not Found
C:\Windows\directx.sys  Process not Found
C:\Windows\directx.sys  Process not Found
C:\Windows\directx.sys  Process not Found
C:\Windows\svchost.com  927A01~1.EXE
C:\Windows\directx.sys  svchost.com
C:\Windows\directx.sys  927A01~1.EXE
C:\Windows\directx.sys  svchost.com
C:\Windows\directx.sys  Process not Found
C:\Windows\directx.sys  Process not Found
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (1 IoCs)
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
Process: 927a01388f29cfae90666ab8e2683cdba4de0ef4dc18387f5981b9b166b29f60.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description  pid  Process  procid_target (each row appears 4 times in the report)
PID 1628 wrote to memory of 1872  1628  927a01388f29cfae90666ab8e2683cdba4de0ef4dc18387f5981b9b166b29f60.exe  27
PID 1872 wrote to memory of 2016  1872  svchost.exe  28
PID 2016 wrote to memory of 1392  2016  927a01388f29cfae90666ab8e2683cdba4de0ef4dc18387f5981b9b166b29f60.exe  30
PID 1392 wrote to memory of 964  1392  927a01388f29cfae90666ab8e2683cdba4de0ef4dc18387f5981b9b166b29f60.exe  31
PID 964 wrote to memory of 1824  964  svchost.exe  32
PID 1824 wrote to memory of 1768  1824  927a01388f29cfae90666ab8e2683cdba4de0ef4dc18387f5981b9b166b29f60.exe  33
PID 1768 wrote to memory of 1352  1768  svchost.com  34
PID 1352 wrote to memory of 1600  1352  927A01~1.EXE  35
PID 1600 wrote to memory of 900  1600  svchost.com  36
PID 900 wrote to memory of 2040  900  927A01~1.EXE  37
PID 2040 wrote to memory of 2028  2040  svchost.com  38
PID 2028 wrote to memory of 1360  2028  927A01~1.EXE  39
PID 1360 wrote to memory of 1300  1360  svchost.com  40
PID 1300 wrote to memory of 472  1300  927A01~1.EXE  41
PID 472 wrote to memory of 596  472  svchost.com  42
PID 596 wrote to memory of 1020  596  927A01~1.EXE  43
Processes
Level 1 (PID 1628): C:\Users\Admin\AppData\Local\Temp\927a01388f29cfae90666ab8e2683cdba4de0ef4dc18387f5981b9b166b29f60.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\927a01388f29cfae90666ab8e2683cdba4de0ef4dc18387f5981b9b166b29f60.exe"
  - Suspicious use of WriteProcessMemory
Level 2 (PID 1872): C:\Windows\svchost.exe
  Command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\927a01388f29cfae90666ab8e2683cdba4de0ef4dc18387f5981b9b166b29f60.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
Level 3 (PID 2016): C:\Users\Admin\AppData\Local\Temp\927a01388f29cfae90666ab8e2683cdba4de0ef4dc18387f5981b9b166b29f60.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\927a01388f29cfae90666ab8e2683cdba4de0ef4dc18387f5981b9b166b29f60.exe"
  - Modifies system executable filetype association
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
Level 4 (PID 1392): C:\Users\Admin\AppData\Local\Temp\3582-490\927a01388f29cfae90666ab8e2683cdba4de0ef4dc18387f5981b9b166b29f60.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\927a01388f29cfae90666ab8e2683cdba4de0ef4dc18387f5981b9b166b29f60.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Level 5 (PID 964): C:\Windows\svchost.exe
  Command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\3582-490\927a01388f29cfae90666ab8e2683cdba4de0ef4dc18387f5981b9b166b29f60.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
Level 6 (PID 1824): C:\Users\Admin\AppData\Local\Temp\3582-490\927a01388f29cfae90666ab8e2683cdba4de0ef4dc18387f5981b9b166b29f60.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\927a01388f29cfae90666ab8e2683cdba4de0ef4dc18387f5981b9b166b29f60.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
Level 7 (PID 1768): C:\Windows\svchost.com
  Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
Level 8 (PID 1352): C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
  Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Level 9 (PID 1600): C:\Windows\svchost.com
  Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
Level 10 (PID 900): C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
  Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Level 11 (PID 2040): C:\Windows\svchost.com
  Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
Level 12 (PID 2028): C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
  Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Level 13 (PID 1360): C:\Windows\svchost.com
  Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
Level 14 (PID 1300): C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
  Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Level 15 (PID 472): C:\Windows\svchost.com
  Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
Level 16 (PID 596): C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
  Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Level 17 (PID 1020): C:\Windows\svchost.com
  Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
Level 18 (PID 1364): C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
  Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
  - Executes dropped EXE
  - Drops file in Windows directory
Level 19 (PID 1788): C:\Windows\svchost.com
  Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
Level 20 (PID 2012): C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
  Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
  - Executes dropped EXE
Level 21 (PID 1624): C:\Windows\svchost.com
  Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
Level 22 (PID 1872): C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
  Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
  - Executes dropped EXE
Level 23 (PID 1116): C:\Windows\svchost.com
  Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
Level 24 (PID 1728): C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
  Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
  - Executes dropped EXE
Level 25 (PID 1732): C:\Windows\svchost.com
  Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
Level 26 (PID 1748): C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
  Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
  - Executes dropped EXE
Level 27 (PID 1528): C:\Windows\svchost.com
  Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
Level 28 (PID 288): C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
  Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
  - Executes dropped EXE
Level 29 (PID 1352): C:\Windows\svchost.com
  Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
Level 30 (PID 1040): C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
  Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
  - Executes dropped EXE
Level 31 (PID 1924): C:\Windows\svchost.com
  Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
Level 32 (PID 1944): C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
  Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
  - Executes dropped EXE
Level 33 (PID 1964): C:\Windows\svchost.com
  Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
Level 34 (PID 1992): C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
  Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
  - Executes dropped EXE
Level 35 (PID 2040): C:\Windows\svchost.com
  Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
Level 36 (PID 692): C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
  Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
  - Executes dropped EXE
Level 37 (PID 1216): C:\Windows\svchost.com
  Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
Level 38 (PID 436): C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
  Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
  - Executes dropped EXE
Level 39 (PID 1360): C:\Windows\svchost.com
  Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
Level 40 (PID 320): C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
  Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
  - Executes dropped EXE
Level 41 (PID 584): C:\Windows\svchost.com
  Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
Level 42 (PID 1552): C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
  Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
  - Executes dropped EXE
Level 43 (PID 1936): C:\Windows\svchost.com
  Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
Level 44 (PID 872): C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
  Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
  - Executes dropped EXE
Level 45 (PID 1628): C:\Windows\svchost.com
  Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
Level 46 (PID 632): C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
  Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
  - Executes dropped EXE
Level 47 (PID 1328): C:\Windows\svchost.com
  Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
Level 48 (PID 368): C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
  Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
  - Executes dropped EXE
Level 49 (PID 1284): C:\Windows\svchost.com
  Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
Level 50: C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
  Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
- Executes dropped EXE
PID:1640 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"51⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1232 -
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE52⤵
- Executes dropped EXE
PID:932 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"53⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1732 -
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE54⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"55⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1136 -
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE56⤵
- Executes dropped EXE
PID:592 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"57⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1656 -
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE58⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"59⤵
- Executes dropped EXE
PID:1480 -
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE60⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"61⤵
- Executes dropped EXE
PID:1964 -
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE62⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"63⤵
- Executes dropped EXE
PID:1804 -
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE64⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE" 65⤵
PID:976

C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE 66⤵
PID:1576

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE" 67⤵
PID:320

C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE 68⤵
PID:1340

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE" 69⤵
PID:584

C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE 70⤵
PID:1552

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE" 71⤵
PID:1364

C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE 72⤵
PID:1560

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE" 73⤵
PID:1444

C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE 74⤵
PID:1288

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE" 75⤵
PID:1164

C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE 76⤵
PID:1304

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE" 77⤵
PID:1744

C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE 78⤵
PID:1328

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE" 79⤵
PID:964

C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE 80⤵
PID:968

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE" 81⤵
PID:1728

C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE 82⤵
PID:1640

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE" 83⤵
- Drops file in Windows directory
PID:1720

C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE 84⤵
PID:932

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE" 85⤵
PID:1816

C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE 86⤵
PID:376

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE" 87⤵
PID:1864

C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE 88⤵
PID:1352

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE" 89⤵
PID:1484

C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE 90⤵
PID:1600

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE" 91⤵
PID:1688

C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE 92⤵
PID:1548

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE" 93⤵
PID:1480

C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE 94⤵
PID:2028

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE" 95⤵
PID:424

C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE 96⤵
PID:832

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE" 97⤵
PID:1996

C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE 98⤵
PID:1804

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE" 99⤵
PID:1360

C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE 100⤵
PID:1536

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE" 101⤵
PID:1736

C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE 102⤵
PID:676

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE" 103⤵
PID:1664

C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE 104⤵
PID:1680

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE" 105⤵
PID:612

C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE 106⤵
PID:1364

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE" 107⤵
PID:1592

C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE 108⤵
PID:1288

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE" 109⤵
PID:632

C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE 110⤵
PID:1304

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE" 111⤵
PID:1624

C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE 112⤵
PID:912

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE" 113⤵
PID:1116

C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE 114⤵
PID:904

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE" 115⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE 116⤵
PID:316

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE" 117⤵
PID:1768

C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE 118⤵
PID:548

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE" 119⤵
PID:288

C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE 120⤵
PID:1068

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE" 121⤵
PID:1352

C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE 122⤵
PID:2020
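The tree above is the report's record of the Neshta re-launch loop: the infector installed as C:\Windows\svchost.com is started with the path of the sample's copy under C:\Users\Admin\AppData\Local\Temp\3582-490, that copy runs, and it starts svchost.com again, all the way to depth 122. Two details a triager should take from it: the image path (C:\Windows\svchost.com is not the service host, which lives at C:\Windows\System32\svchost.exe), and the PID reuse within this 190 s run (1732 appears at depths 25 and 53, 1944 at 32 and 60, 1964 at 33 and 61, 288 at 28 and 119, 1352 at 29, 88 and 121), which means a PID on its own does not identify a link in the chain. The script below is an added example, not part of the report or of any sandbox's tooling; it takes a constructed list of tree entries (values copied from the tree, tuple layout the script's own, most depths left out to keep it short) and counts the links of the loop by parent-child depth rather than by PID.

```python
"""Triage helper for the Neshta-style re-launch loop shown in a sandbox process tree."""
from collections import Counter

# Constructed input. Each tuple is (tree depth, image path, command line, PID);
# the values are copied from the report's tree, the tuple layout is this script's
# own. Depths 31-52 are deliberately omitted, which also exercises the
# "gap in the chain" handling below.
SAMPLE_TREE = [
    (25, r"C:\Windows\svchost.com",
     r'"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"', 1732),
    (26, r"C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE",
     r"C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE", 1748),
    (27, r"C:\Windows\svchost.com",
     r'"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"', 1528),
    (28, r"C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE",
     r"C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE", 288),
    (29, r"C:\Windows\svchost.com",
     r'"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"', 1352),
    (30, r"C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE",
     r"C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE", 1040),
    (53, r"C:\Windows\svchost.com",
     r'"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"', 1732),
    (54, r"C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE",
     r"C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE", 1700),
]

# A file called svchost.com directly under the Windows directory. The legitimate
# service host is <windir>\System32\svchost.exe, so the path itself is the indicator.
STAGER_SUFFIX = "\\windows\\svchost.com"
# Unpacking directory the report shows the sample copy being run from.
STAGING_DIR = "\\temp\\3582-490\\"


def is_neshta_stager(image: str) -> bool:
    """True for <drive>:\\Windows\\svchost.com, False for the real svchost.exe."""
    return image.lower().endswith(STAGER_SUFFIX)


def launched_from_staging_dir(cmdline: str) -> bool:
    """True when the command line references the 3582-490 staging directory."""
    return STAGING_DIR in cmdline.lower()


def chain_segments(entries):
    """Split the tree into runs where each entry is the direct child (depth + 1) of the previous one.

    A gap in depth starts a new segment, so missing entries never get a wrong parent."""
    segments, current = [], []
    for entry in sorted(entries, key=lambda e: e[0]):
        if current and entry[0] != current[-1][0] + 1:
            segments.append(current)
            current = []
        current.append(entry)
    if current:
        segments.append(current)
    return segments


def relaunch_links(entries):
    """Count the two link types of the loop: stager -> staged EXE, and staged EXE -> stager."""
    stager_to_exe = exe_to_stager = 0
    for seg in chain_segments(entries):
        for parent, child in zip(seg, seg[1:]):
            p_stager, c_stager = is_neshta_stager(parent[1]), is_neshta_stager(child[1])
            if not launched_from_staging_dir(child[2]):
                continue
            if p_stager and not c_stager:
                stager_to_exe += 1
            elif c_stager and not p_stager:
                exe_to_stager += 1
    return stager_to_exe, exe_to_stager


def reused_pids(entries):
    """PIDs seen more than once: Windows hands a freed PID to a new process, so PID alone
    cannot be used to tie a tree entry to a specific link of the chain."""
    counts = Counter(e[3] for e in entries)
    return {pid for pid, n in counts.items() if n > 1}


def triage(entries):
    """Summarise the loop; the verdict threshold (two stager launches plus one hand-back) is this script's own choice."""
    s2e, e2s = relaunch_links(entries)
    return {
        "segments": len(chain_segments(entries)),
        "stager_to_exe": s2e,
        "exe_to_stager": e2s,
        "reused_pids": reused_pids(entries),
        "verdict": "neshta relaunch loop" if s2e >= 2 and e2s >= 1 else "no loop",
    }


if __name__ == "__main__":
    print(triage(SAMPLE_TREE))
```

On the constructed sample this reports two segments (the 25-30 run and the 53-54 run), four stager-to-EXE links, two EXE-to-stager links and PID 1732 as reused. Feeding it the whole tree only changes the counts; the point of linking by depth instead of PID is that a reused PID such as 1732 would otherwise collapse two distinct processes into one.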