Analysis

max time kernel: 149s
max time network: 182s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/10/2022, 21:22

Static task: static1

Behavioral task: behavioral1
Sample: 927a01388f29cfae90666ab8e2683cdba4de0ef4dc18387f5981b9b166b29f60.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 927a01388f29cfae90666ab8e2683cdba4de0ef4dc18387f5981b9b166b29f60.exe
Resource: win10v2004-20220812-en

General

Target: 927a01388f29cfae90666ab8e2683cdba4de0ef4dc18387f5981b9b166b29f60.exe
Size: 569KB
MD5: 75af7554cfafa2d8cebe3802f457ab40
SHA1: f2bc4dd47de6f286f6fc2be390f5862be64072bc
SHA256: 927a01388f29cfae90666ab8e2683cdba4de0ef4dc18387f5981b9b166b29f60
SHA512: 611e65b45bc911c27a96506836ca70e9429d82bb456c020a9542166eb3622bfcdf416235e67b329a4f30750552e384dddd77cd2b7e382121e43211ad43b15356
SSDEEP: 6144:jyH7xOc6H5c6HcT66vlmrNI+TLbgUeRUqKFyH7xOc6H5c6HcT66vlmrhUeRUqTyB:ja8I+HTeoa9efa9efa9efa9efa9eE
Malware Config
Signatures
Detect Neshta payload 33 IoCs
Modifies system executable filetype association 2 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
Process: 927a01388f29cfae90666ab8e2683cdba4de0ef4dc18387f5981b9b166b29f60.exe
Neshta
Malware from the Neshta family infects other executable files in order to spread and cause damage.
Executes dropped EXE 64 IoCs
Checks computer location settings 2 TTPs 64 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage or optical drive(s); likely ransomware behaviour.
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\927a01388f29cfae90666ab8e2683cdba4de0ef4dc18387f5981b9b166b29f60.exe"C:\Users\Admin\AppData\Local\Temp\927a01388f29cfae90666ab8e2683cdba4de0ef4dc18387f5981b9b166b29f60.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1060 -
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\927a01388f29cfae90666ab8e2683cdba4de0ef4dc18387f5981b9b166b29f60.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Users\Admin\AppData\Local\Temp\927a01388f29cfae90666ab8e2683cdba4de0ef4dc18387f5981b9b166b29f60.exe"C:\Users\Admin\AppData\Local\Temp\927a01388f29cfae90666ab8e2683cdba4de0ef4dc18387f5981b9b166b29f60.exe"3⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:996 -
C:\Users\Admin\AppData\Local\Temp\3582-490\927a01388f29cfae90666ab8e2683cdba4de0ef4dc18387f5981b9b166b29f60.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\927a01388f29cfae90666ab8e2683cdba4de0ef4dc18387f5981b9b166b29f60.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4604 -
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\3582-490\927a01388f29cfae90666ab8e2683cdba4de0ef4dc18387f5981b9b166b29f60.exe"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980 -
C:\Users\Admin\AppData\Local\Temp\3582-490\927a01388f29cfae90666ab8e2683cdba4de0ef4dc18387f5981b9b166b29f60.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\927a01388f29cfae90666ab8e2683cdba4de0ef4dc18387f5981b9b166b29f60.exe"6⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:812 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE8⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4660 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3820 -
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4460 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:764 -
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE14⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3704 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4376 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"17⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4252 -
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE18⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"21⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:988 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"23⤵
- Executes dropped EXE
PID:2852 -
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE24⤵
- Executes dropped EXE
PID:4548 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"25⤵
- Executes dropped EXE
PID:4084 -
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE26⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"27⤵
- Executes dropped EXE
PID:1856 -
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE28⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"29⤵
- Executes dropped EXE
PID:4344 -
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE30⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:5052 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"31⤵
- Executes dropped EXE
PID:1940 -
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE32⤵
- Executes dropped EXE
- Modifies registry class
PID:1420 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"33⤵
- Executes dropped EXE
PID:5056 -
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE34⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2496 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"35⤵
- Executes dropped EXE
PID:4360 -
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE36⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"37⤵
- Executes dropped EXE
PID:4216 -
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE38⤵
- Executes dropped EXE
PID:4908 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"39⤵
- Executes dropped EXE
PID:1880 -
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE40⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"41⤵
- Executes dropped EXE
PID:4156
C:\Windows\svchost.exeC:\Windows\svchost.exe1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1376
-
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE1⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:4516 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"2⤵
- Executes dropped EXE
PID:4328 -
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE3⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:3948 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"4⤵
- Executes dropped EXE
PID:4004 -
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE5⤵
- Executes dropped EXE
- Modifies registry class
PID:1452 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"6⤵
- Executes dropped EXE
PID:2140 -
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE7⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2280 -
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE9⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:4464 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"10⤵
- Executes dropped EXE
PID:3696 -
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE11⤵
- Executes dropped EXE
- Checks computer location settings
PID:2536 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"12⤵
- Executes dropped EXE
PID:4708 -
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE13⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
PID:4492 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"14⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2312 -
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE15⤵
- Executes dropped EXE
- Modifies registry class
PID:392 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"16⤵
- Executes dropped EXE
PID:208 -
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE17⤵
- Executes dropped EXE
PID:260 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"18⤵
- Executes dropped EXE
PID:3100 -
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE19⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"20⤵
- Executes dropped EXE
PID:4184 -
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE21⤵
- Executes dropped EXE
PID:3156 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"22⤵
- Executes dropped EXE
PID:3896 -
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE23⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
PID:3904 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"24⤵PID:3704
-
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE25⤵PID:3876
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"26⤵PID:2000
-
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE27⤵PID:4376
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"28⤵PID:4252
-
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE29⤵PID:1592
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"30⤵PID:3676
-
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE31⤵
- Checks computer location settings
- Drops file in Windows directory
PID:2180 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"32⤵PID:2304
-
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE33⤵PID:488
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"34⤵
- Drops file in Windows directory
PID:2144 -
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE35⤵PID:4340
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"36⤵PID:4076
-
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE37⤵
- Checks computer location settings
- Modifies registry class
PID:2780 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"38⤵PID:3856
-
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE39⤵
- Drops file in Windows directory
PID:4428 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"40⤵PID:2208
-
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE41⤵
- Checks computer location settings
PID:1872 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"42⤵PID:4436
-
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE43⤵PID:1832
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"44⤵PID:1780
-
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE45⤵
- Checks computer location settings
PID:1216 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"46⤵PID:3764
-
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE47⤵PID:2004
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"48⤵PID:1960
-
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE49⤵PID:2416
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"50⤵PID:2264
-
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE51⤵PID:376
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"52⤵PID:4188
-
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE53⤵
- Modifies registry class
PID:4064 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"54⤵
- Drops file in Windows directory
PID:4116 -
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE55⤵
- Checks computer location settings
PID:2244 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"56⤵PID:3532
-
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE57⤵PID:1916
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"58⤵PID:4456
-
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE59⤵PID:3576
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"60⤵PID:4560
-
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE61⤵PID:2828
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"62⤵
- Drops file in Windows directory
PID:3292 -
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE63⤵PID:1048
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"64⤵PID:2512
-
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE65⤵
- Drops file in Windows directory
PID:2232 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"66⤵PID:3140
-
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE67⤵
- Checks computer location settings
PID:2140 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"68⤵PID:2068
-
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE69⤵PID:1272
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"70⤵PID:4508
-
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE71⤵
- Checks computer location settings
PID:4780 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"72⤵PID:2332
-
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE73⤵PID:968
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"74⤵PID:4388
-
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE75⤵
- Drops file in Windows directory
PID:776 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"76⤵PID:4712
-
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE77⤵PID:1068
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"78⤵PID:644
-
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE79⤵
- Checks computer location settings
- Drops file in Windows directory
PID:2124 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"80⤵PID:2312
-
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE81⤵
- Checks computer location settings
PID:1604 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"82⤵PID:4144
-
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE83⤵PID:224
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"84⤵PID:2088
-
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE85⤵PID:1848
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"86⤵
- Drops file in Windows directory
PID:3820 -
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE87⤵PID:2624
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"88⤵PID:4424
-
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE89⤵
- Modifies registry class
PID:4788 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"90⤵PID:3540
-
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE91⤵
- Checks computer location settings
PID:3904 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"92⤵PID:820
-
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE93⤵PID:3704
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"94⤵
- Drops file in Windows directory
PID:656 -
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE95⤵
- Modifies registry class
PID:4220 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"96⤵PID:4768
-
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE97⤵PID:2076
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"98⤵PID:1644
-
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE99⤵PID:1660
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"100⤵
- Drops file in Windows directory
PID:1912 -
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE101⤵
- Checks computer location settings
- Modifies registry class
PID:3964 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"102⤵PID:428
-
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE103⤵PID:488
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"104⤵PID:2932
-
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE105⤵
- Checks computer location settings
PID:1336 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"106⤵PID:1844
-
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE107⤵
- Modifies registry class
PID:3216 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"108⤵PID:1056
-
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE109⤵PID:1816
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"110⤵PID:1540
-
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE111⤵PID:2724
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"112⤵PID:5000
-
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE113⤵
- Checks computer location settings
PID:1632 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"114⤵PID:1348
-
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE115⤵PID:1608
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"116⤵PID:2316
-
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE117⤵
- Drops file in Windows directory
PID:4976 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"118⤵PID:1828
-
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE119⤵PID:1860
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"120⤵PID:2496
-
C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE121⤵
- Checks computer location settings
PID:4360 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\927A01~1.EXE"122⤵
- Drops file in Windows directory
PID:3472