Analysis
-
max time kernel
40s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted
14-03-2024 19:48
Behavioral task
behavioral1
Sample
56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
Resource
win10v2004-20240226-en
General
-
Target
56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe
-
Size
174KB
-
MD5
46d423d2735e9147843a59d4c88cf0b0
-
SHA1
49ec9da7c7ffdd3acbb623ab811ec1534985cc86
-
SHA256
56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44
-
SHA512
5e080c3380612a4ab2e079198d53c36af909575e64f04ed79ca8b1c709793c165a49ece9887f876f06c98b5f45df366a7d617260a623ceaa477170df141366de
-
SSDEEP
3072:sr85CkKi0n88LmIfVJY/trRoWNLUa7NQa6qzTf0r85C:k9k5imIfAlCWNL3QOfs9
Malware Config
Signatures
-
Detect Neshta payload 64 IoCs
resource yara_rule behavioral1/files/0x00040000000130fc-2.dat family_neshta behavioral1/files/0x00320000000146f8-15.dat family_neshta behavioral1/files/0x001100000001032e-17.dat family_neshta behavioral1/files/0x000100000001031f-19.dat family_neshta behavioral1/files/0x000100000001031d-18.dat family_neshta behavioral1/files/0x00010000000104e6-16.dat family_neshta behavioral1/memory/2660-30-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2832-29-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2716-45-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2332-44-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2632-57-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2480-58-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2752-72-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2004-73-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/872-85-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2808-86-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1916-99-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1056-100-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2024-115-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/476-114-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2604-127-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1256-128-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1640-141-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2020-142-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta 
behavioral1/memory/2844-159-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1544-160-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1856-176-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1980-177-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1276-191-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/636-192-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1344-205-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1728-206-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/892-216-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1032-217-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/288-234-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1736-235-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/292-249-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2996-248-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2892-265-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1520-266-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2156-283-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2600-284-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2724-301-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1284-302-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2428-310-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2472-309-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta 
behavioral1/memory/2912-325-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2396-324-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2784-333-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2728-334-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2804-342-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2760-341-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/744-349-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1088-350-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/784-358-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1760-357-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1136-365-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/684-366-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2400-373-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/704-374-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1676-381-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1492-382-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1812-389-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1616-390-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta -
Neshta
Malware from the Neshta family is a file infector: it writes its own code into other files in order to spread and cause damage. In this run the same sample also rewrites the exefile shell\open\command registry value so that C:\Windows\svchost.com is launched whenever an .exe is opened, which is how the infection persists and re-triggers.
-
Executes dropped EXE 64 IoCs
pid Process 2248 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe 2660 svchost.com 2832 56BB21~1.EXE 2716 svchost.com 2332 56BB21~1.EXE 2480 svchost.com 2632 56BB21~1.EXE 2004 svchost.com 2752 56BB21~1.EXE 2808 svchost.com 872 56BB21~1.EXE 1056 svchost.com 1916 56BB21~1.EXE 2024 svchost.com 476 56BB21~1.EXE 1256 svchost.com 2604 56BB21~1.EXE 2020 svchost.com 1640 56BB21~1.EXE 1544 svchost.com 2844 56BB21~1.EXE 1980 svchost.com 1856 56BB21~1.EXE 636 svchost.com 1276 56BB21~1.EXE 1728 svchost.com 1344 56BB21~1.EXE 1032 svchost.com 892 56BB21~1.EXE 1736 svchost.com 288 56BB21~1.EXE 292 svchost.com 2996 56BB21~1.EXE 1520 svchost.com 2892 56BB21~1.EXE 2600 svchost.com 2156 56BB21~1.EXE 1284 svchost.com 2724 56BB21~1.EXE 2428 svchost.com 2472 56BB21~1.EXE 2912 svchost.com 2396 56BB21~1.EXE 2728 svchost.com 2784 56BB21~1.EXE 2804 svchost.com 2760 56BB21~1.EXE 1088 svchost.com 744 56BB21~1.EXE 1760 svchost.com 784 56BB21~1.EXE 684 svchost.com 1136 56BB21~1.EXE 704 svchost.com 2400 56BB21~1.EXE 1492 svchost.com 1676 56BB21~1.EXE 1616 svchost.com 1812 56BB21~1.EXE 2304 svchost.com 2852 56BB21~1.EXE 2908 svchost.com 1440 56BB21~1.EXE 2112 svchost.com -
Loads dropped DLL 64 IoCs
pid Process 1804 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe 1804 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe 2660 svchost.com 2660 svchost.com 2716 svchost.com 2716 svchost.com 2480 svchost.com 2480 svchost.com 2004 svchost.com 2004 svchost.com 2808 svchost.com 2808 svchost.com 1056 svchost.com 1056 svchost.com 2024 svchost.com 2024 svchost.com 1256 svchost.com 1256 svchost.com 2020 svchost.com 2020 svchost.com 1544 svchost.com 1544 svchost.com 2248 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe 1980 svchost.com 1980 svchost.com 636 svchost.com 636 svchost.com 1728 svchost.com 1728 svchost.com 1032 svchost.com 1032 svchost.com 1736 svchost.com 1736 svchost.com 1804 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe 292 svchost.com 292 svchost.com 1520 svchost.com 1520 svchost.com 1804 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe 2600 svchost.com 2600 svchost.com 1284 svchost.com 1284 svchost.com 2428 svchost.com 2428 svchost.com 2912 svchost.com 2912 svchost.com 2728 svchost.com 2728 svchost.com 2804 svchost.com 2804 svchost.com 1088 svchost.com 1088 svchost.com 1760 svchost.com 1760 svchost.com 684 svchost.com 684 svchost.com 704 svchost.com 704 svchost.com 1492 svchost.com 1492 svchost.com 1616 svchost.com 1616 svchost.com 2304 svchost.com -
Modifies system executable filetype association 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
-
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\OIS.EXE 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\WI54FB~1\WMPDMC.exe 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\WINDOW~4\ImagingDevices.exe 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for 
modification C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for 
modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\WINDOW~1\WinMail.exe 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification 
C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification 
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\WINDOW~1\WinMail.exe 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\directx.sys 56BB21~1.EXE File opened for modification C:\Windows\svchost.com 56BB21~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys 56BB21~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys 56BB21~1.EXE File opened for modification C:\Windows\directx.sys 56BB21~1.EXE File opened for modification C:\Windows\directx.sys 56BB21~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com 56BB21~1.EXE File opened for modification C:\Windows\directx.sys 56BB21~1.EXE File opened for modification C:\Windows\svchost.com 56BB21~1.EXE File opened for modification C:\Windows\svchost.com 56BB21~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys 56BB21~1.EXE File opened for modification C:\Windows\directx.sys 56BB21~1.EXE File opened for modification C:\Windows\directx.sys 56BB21~1.EXE File opened for modification C:\Windows\svchost.com 56BB21~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys 56BB21~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com 56BB21~1.EXE File opened for modification C:\Windows\directx.sys 56BB21~1.EXE File opened for modification C:\Windows\directx.sys 56BB21~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification 
C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com 56BB21~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys 56BB21~1.EXE File opened for modification C:\Windows\directx.sys 56BB21~1.EXE File opened for modification C:\Windows\directx.sys 56BB21~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys 56BB21~1.EXE File opened for modification C:\Windows\directx.sys 56BB21~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com 56BB21~1.EXE File opened for modification C:\Windows\svchost.com 56BB21~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys 56BB21~1.EXE File opened for modification C:\Windows\directx.sys 56BB21~1.EXE File opened for modification C:\Windows\directx.sys 56BB21~1.EXE File opened for modification C:\Windows\directx.sys 56BB21~1.EXE File opened for modification C:\Windows\svchost.com 56BB21~1.EXE File opened for modification C:\Windows\directx.sys 56BB21~1.EXE File opened for modification C:\Windows\directx.sys 56BB21~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com 56BB21~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys 56BB21~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com 56BB21~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys 56BB21~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com 56BB21~1.EXE File opened for 
modification C:\Windows\directx.sys 56BB21~1.EXE File opened for modification C:\Windows\directx.sys 56BB21~1.EXE File opened for modification C:\Windows\directx.sys svchost.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1804 wrote to memory of 2248 1804 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe 27 PID 1804 wrote to memory of 2248 1804 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe 27 PID 1804 wrote to memory of 2248 1804 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe 27 PID 1804 wrote to memory of 2248 1804 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe 27 PID 2248 wrote to memory of 2660 2248 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe 28 PID 2248 wrote to memory of 2660 2248 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe 28 PID 2248 wrote to memory of 2660 2248 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe 28 PID 2248 wrote to memory of 2660 2248 56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe 28 PID 2660 wrote to memory of 2832 2660 svchost.com 29 PID 2660 wrote to memory of 2832 2660 svchost.com 29 PID 2660 wrote to memory of 2832 2660 svchost.com 29 PID 2660 wrote to memory of 2832 2660 svchost.com 29 PID 2832 wrote to memory of 2716 2832 56BB21~1.EXE 30 PID 2832 wrote to memory of 2716 2832 56BB21~1.EXE 30 PID 2832 wrote to memory of 2716 2832 56BB21~1.EXE 30 PID 2832 wrote to memory of 2716 2832 56BB21~1.EXE 30 PID 2716 wrote to memory of 2332 2716 svchost.com 31 PID 2716 wrote to memory of 2332 2716 svchost.com 31 PID 2716 wrote to memory of 2332 2716 svchost.com 31 PID 2716 wrote to memory of 2332 2716 svchost.com 31 PID 2332 wrote to memory of 2480 2332 56BB21~1.EXE 32 PID 2332 wrote to memory of 2480 2332 56BB21~1.EXE 32 PID 2332 wrote to memory of 2480 2332 56BB21~1.EXE 32 PID 2332 wrote to memory of 2480 2332 56BB21~1.EXE 32 PID 2480 wrote to memory of 2632 2480 svchost.com 33 PID 2480 wrote to memory of 2632 2480 svchost.com 33 PID 2480 wrote to memory of 2632 2480 svchost.com 33 PID 2480 wrote to memory of 2632 2480 svchost.com 33 PID 2632 
wrote to memory of 2004 2632 56BB21~1.EXE 34 PID 2632 wrote to memory of 2004 2632 56BB21~1.EXE 34 PID 2632 wrote to memory of 2004 2632 56BB21~1.EXE 34 PID 2632 wrote to memory of 2004 2632 56BB21~1.EXE 34 PID 2004 wrote to memory of 2752 2004 svchost.com 35 PID 2004 wrote to memory of 2752 2004 svchost.com 35 PID 2004 wrote to memory of 2752 2004 svchost.com 35 PID 2004 wrote to memory of 2752 2004 svchost.com 35 PID 2752 wrote to memory of 2808 2752 56BB21~1.EXE 36 PID 2752 wrote to memory of 2808 2752 56BB21~1.EXE 36 PID 2752 wrote to memory of 2808 2752 56BB21~1.EXE 36 PID 2752 wrote to memory of 2808 2752 56BB21~1.EXE 36 PID 2808 wrote to memory of 872 2808 svchost.com 37 PID 2808 wrote to memory of 872 2808 svchost.com 37 PID 2808 wrote to memory of 872 2808 svchost.com 37 PID 2808 wrote to memory of 872 2808 svchost.com 37 PID 872 wrote to memory of 1056 872 56BB21~1.EXE 38 PID 872 wrote to memory of 1056 872 56BB21~1.EXE 38 PID 872 wrote to memory of 1056 872 56BB21~1.EXE 38 PID 872 wrote to memory of 1056 872 56BB21~1.EXE 38 PID 1056 wrote to memory of 1916 1056 svchost.com 39 PID 1056 wrote to memory of 1916 1056 svchost.com 39 PID 1056 wrote to memory of 1916 1056 svchost.com 39 PID 1056 wrote to memory of 1916 1056 svchost.com 39 PID 1916 wrote to memory of 2024 1916 56BB21~1.EXE 40 PID 1916 wrote to memory of 2024 1916 56BB21~1.EXE 40 PID 1916 wrote to memory of 2024 1916 56BB21~1.EXE 40 PID 1916 wrote to memory of 2024 1916 56BB21~1.EXE 40 PID 2024 wrote to memory of 476 2024 svchost.com 41 PID 2024 wrote to memory of 476 2024 svchost.com 41 PID 2024 wrote to memory of 476 2024 svchost.com 41 PID 2024 wrote to memory of 476 2024 svchost.com 41 PID 476 wrote to memory of 1256 476 56BB21~1.EXE 42 PID 476 wrote to memory of 1256 476 56BB21~1.EXE 42 PID 476 wrote to memory of 1256 476 56BB21~1.EXE 42 PID 476 wrote to memory of 1256 476 56BB21~1.EXE 42
Processes
-
C:\Users\Admin\AppData\Local\Temp\56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe"C:\Users\Admin\AppData\Local\Temp\56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe"1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1804 -
C:\Users\Admin\AppData\Local\Temp\3582-490\56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\56bb21f18d9d0a767df04c4a2d0bc0c38e327b63a08dc1679f167a370aacaf44.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE10⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:476 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1256 -
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE18⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2020 -
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE20⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1640 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1544 -
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE22⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1980 -
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE24⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:636 -
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE26⤵
- Executes dropped EXE
PID:1276 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1728 -
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE28⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1032 -
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE30⤵
- Executes dropped EXE
PID:892 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1736 -
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE32⤵
- Executes dropped EXE
PID:288 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:292 -
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE34⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"35⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1520 -
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE36⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2892 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"37⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2600 -
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE38⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2156 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"39⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1284 -
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE40⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"41⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2428 -
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE42⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2472 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"43⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2912 -
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE44⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"45⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2728 -
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE46⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"47⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2804 -
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE48⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"49⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1088 -
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE50⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:744 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"51⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1760 -
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE52⤵
- Executes dropped EXE
PID:784 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"53⤵
- Executes dropped EXE
- Loads dropped DLL
PID:684 -
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE54⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1136 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"55⤵
- Executes dropped EXE
- Loads dropped DLL
PID:704 -
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE56⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2400 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"57⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1492 -
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE58⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"59⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1616 -
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE60⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"61⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2304 -
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE62⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"63⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2908 -
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE64⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1440 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"65⤵
- Executes dropped EXE
PID:2112 -
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE66⤵
- Drops file in Windows directory
PID:1860 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"67⤵PID:3036
-
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE68⤵PID:2312
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"69⤵
- Drops file in Windows directory
PID:1540 -
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE70⤵PID:1380
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"71⤵PID:2592
-
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE72⤵PID:1868
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"73⤵PID:1344
-
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE74⤵PID:1872
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"75⤵PID:880
-
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE76⤵
- Drops file in Windows directory
PID:2500 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"77⤵PID:1496
-
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE78⤵PID:820
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"79⤵PID:2320
-
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE80⤵PID:2164
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"81⤵PID:2876
-
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE82⤵PID:2160
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"83⤵PID:1600
-
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE84⤵PID:2560
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"85⤵PID:3048
-
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE86⤵PID:2568
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"87⤵
- Drops file in Windows directory
PID:2572 -
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE88⤵PID:2668
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"89⤵PID:2596
-
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE90⤵PID:2832
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"91⤵PID:2492
-
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE92⤵PID:1792
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"93⤵PID:2928
-
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE94⤵PID:1580
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"95⤵PID:2712
-
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE96⤵PID:2756
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"97⤵
- Drops file in Windows directory
PID:2700 -
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE98⤵PID:2800
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"99⤵PID:2804
-
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE100⤵PID:2752
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"101⤵PID:2324
-
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE102⤵PID:2692
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"103⤵PID:1824
-
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE104⤵PID:752
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"105⤵PID:2956
-
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE106⤵
- Drops file in Windows directory
PID:860 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"107⤵
- Drops file in Windows directory
PID:976 -
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE108⤵PID:1716
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"109⤵PID:556
-
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE110⤵PID:1764
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"111⤵PID:1616
-
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE112⤵PID:1812
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"113⤵PID:2272
-
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE114⤵
- Drops file in Windows directory
PID:2256 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"115⤵PID:2844
-
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE116⤵PID:1808
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"117⤵PID:904
-
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE118⤵PID:2280
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"119⤵PID:1316
-
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE120⤵PID:1348
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE"121⤵PID:1968
-
C:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\56BB21~1.EXE122⤵PID:1276