Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
17/10/2024, 00:20
General
-
Target
af27c5ab9e64db813ad6a8636af0462f5323eca30c67fef5d9f0a1e684658a9b.exe
-
Size
6.0MB
-
MD5
3943063d8a8fb69b50caf1acfead34ee
-
SHA1
25b565a954aa0810ab4472004d30bc4792e1e5f5
-
SHA256
af27c5ab9e64db813ad6a8636af0462f5323eca30c67fef5d9f0a1e684658a9b
-
SHA512
c690729792cccbda50457d47ba204359fbd4fa6117c47b0169a0aa41c555d2e21ba293458c7ed407c048536b823e0ec959d31128bb4b0c3e6b9208a6e768610f
-
SSDEEP
98304:c+6ehmwOFcFki+TQlF3Knk7cgEx2fI6y8ZKmQiTVvtH6+25obrcs1028:c+lQwmPiOG3H33I6ypWTVvtaNy228
Score
10/10
Malware Config
Extracted
Credentials
Protocol: ftp- Host:
nikitaawp.aiq.ru - Port:
21 - Username:
u405447 - Password:
wngdce7s
Signatures
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 64 IoCs
-
Executes dropped EXE 64 IoCs
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 1 IoCs
-
Modifies system executable filetype association 2 TTPs 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\af27c5ab9e64db813ad6a8636af0462f5323eca30c67fef5d9f0a1e684658a9b.exe"C:\Users\Admin\AppData\Local\Temp\af27c5ab9e64db813ad6a8636af0462f5323eca30c67fef5d9f0a1e684658a9b.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\HID.exe"C:\Users\Admin\AppData\Local\Temp\HID.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies system executable filetype association
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\explorer.exeC:\Users\Admin\AppData\Local\Temp\explorer.exe5⤵
- Drops startup file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"6⤵
- Drops startup file
- Executes dropped EXE
-
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\HID.exeC:\Users\Admin\AppData\Local\Temp\HID.exe5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"6⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exeC:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe7⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\explorer.exeC:\Users\Admin\AppData\Local\Temp\explorer.exe9⤵
- Drops startup file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"10⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\HID.exeC:\Users\Admin\AppData\Local\Temp\HID.exe9⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exeC:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe11⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"12⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\explorer.exeC:\Users\Admin\AppData\Local\Temp\explorer.exe13⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"14⤵
- Drops startup file
- Executes dropped EXE
-
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"12⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\HID.exeC:\Users\Admin\AppData\Local\Temp\HID.exe13⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exeC:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe15⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\explorer.exeC:\Users\Admin\AppData\Local\Temp\explorer.exe17⤵
- Drops startup file
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"18⤵
- Drops startup file
- Executes dropped EXE
-
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"16⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\HID.exeC:\Users\Admin\AppData\Local\Temp\HID.exe17⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"18⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exeC:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe19⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"20⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\explorer.exeC:\Users\Admin\AppData\Local\Temp\explorer.exe21⤵
- Drops startup file
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"22⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"20⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\HID.exeC:\Users\Admin\AppData\Local\Temp\HID.exe21⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"22⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exeC:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe23⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\explorer.exeC:\Users\Admin\AppData\Local\Temp\explorer.exe25⤵
- Drops startup file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"26⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"24⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\HID.exeC:\Users\Admin\AppData\Local\Temp\HID.exe25⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"26⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exeC:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe27⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"28⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\explorer.exeC:\Users\Admin\AppData\Local\Temp\explorer.exe29⤵
- Drops startup file
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"30⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"28⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\HID.exeC:\Users\Admin\AppData\Local\Temp\HID.exe29⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exeC:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe31⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"32⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\explorer.exeC:\Users\Admin\AppData\Local\Temp\explorer.exe33⤵
- Drops startup file
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"34⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"32⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\HID.exeC:\Users\Admin\AppData\Local\Temp\HID.exe33⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"34⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exeC:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe35⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"36⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\explorer.exeC:\Users\Admin\AppData\Local\Temp\explorer.exe37⤵
- Drops startup file
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"38⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"36⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\HID.exeC:\Users\Admin\AppData\Local\Temp\HID.exe37⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"38⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exeC:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe39⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"40⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\explorer.exeC:\Users\Admin\AppData\Local\Temp\explorer.exe41⤵
- Drops startup file
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"42⤵
-
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"40⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\HID.exeC:\Users\Admin\AppData\Local\Temp\HID.exe41⤵
- Checks computer location settings
- Drops file in Windows directory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"42⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exeC:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe43⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"44⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\explorer.exeC:\Users\Admin\AppData\Local\Temp\explorer.exe45⤵
- Drops startup file
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"46⤵
-
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"44⤵
-
C:\Users\Admin\AppData\Local\Temp\HID.exeC:\Users\Admin\AppData\Local\Temp\HID.exe45⤵
- Checks computer location settings
- Drops file in Windows directory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"46⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exeC:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe47⤵
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"48⤵
-
C:\Users\Admin\AppData\Local\Temp\explorer.exeC:\Users\Admin\AppData\Local\Temp\explorer.exe49⤵
- Drops startup file
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"50⤵
-
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"48⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\HID.exeC:\Users\Admin\AppData\Local\Temp\HID.exe49⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"50⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exeC:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe51⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"52⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\explorer.exeC:\Users\Admin\AppData\Local\Temp\explorer.exe53⤵
- Drops startup file
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"54⤵
-
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"52⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\HID.exeC:\Users\Admin\AppData\Local\Temp\HID.exe53⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"54⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exeC:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe55⤵
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"56⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\explorer.exeC:\Users\Admin\AppData\Local\Temp\explorer.exe57⤵
- Drops startup file
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"58⤵
-
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"56⤵
-
C:\Users\Admin\AppData\Local\Temp\HID.exeC:\Users\Admin\AppData\Local\Temp\HID.exe57⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"58⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exeC:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe59⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"60⤵
-
C:\Users\Admin\AppData\Local\Temp\explorer.exeC:\Users\Admin\AppData\Local\Temp\explorer.exe61⤵
- Drops startup file
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"62⤵
- Drops startup file
-
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"60⤵
-
C:\Users\Admin\AppData\Local\Temp\HID.exeC:\Users\Admin\AppData\Local\Temp\HID.exe61⤵
- Checks computer location settings
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"62⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exeC:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe63⤵
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"64⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\explorer.exeC:\Users\Admin\AppData\Local\Temp\explorer.exe65⤵
- Drops startup file
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"66⤵
-
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"64⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\HID.exeC:\Users\Admin\AppData\Local\Temp\HID.exe65⤵
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"66⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exeC:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe67⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"68⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\explorer.exeC:\Users\Admin\AppData\Local\Temp\explorer.exe69⤵
- Drops startup file
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"70⤵
-
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"68⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\HID.exeC:\Users\Admin\AppData\Local\Temp\HID.exe69⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"70⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exeC:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe71⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"72⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\explorer.exeC:\Users\Admin\AppData\Local\Temp\explorer.exe73⤵
- Drops startup file
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"74⤵
-
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"72⤵
-
C:\Users\Admin\AppData\Local\Temp\HID.exeC:\Users\Admin\AppData\Local\Temp\HID.exe73⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"74⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exeC:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe75⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"76⤵
-
C:\Users\Admin\AppData\Local\Temp\explorer.exeC:\Users\Admin\AppData\Local\Temp\explorer.exe77⤵
- Drops startup file
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"78⤵
-
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"76⤵
-
C:\Users\Admin\AppData\Local\Temp\HID.exeC:\Users\Admin\AppData\Local\Temp\HID.exe77⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"78⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exeC:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe79⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"80⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\explorer.exeC:\Users\Admin\AppData\Local\Temp\explorer.exe81⤵
- Drops startup file
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"82⤵
-
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"80⤵
-
C:\Users\Admin\AppData\Local\Temp\HID.exeC:\Users\Admin\AppData\Local\Temp\HID.exe81⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"82⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exeC:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe83⤵
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"84⤵
-
C:\Users\Admin\AppData\Local\Temp\explorer.exeC:\Users\Admin\AppData\Local\Temp\explorer.exe85⤵
- Drops startup file
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"86⤵
-
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"84⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\HID.exeC:\Users\Admin\AppData\Local\Temp\HID.exe85⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"86⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exeC:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe87⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"88⤵
-
C:\Users\Admin\AppData\Local\Temp\explorer.exeC:\Users\Admin\AppData\Local\Temp\explorer.exe89⤵
- Drops startup file
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"90⤵
-
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"88⤵
-
C:\Users\Admin\AppData\Local\Temp\HID.exeC:\Users\Admin\AppData\Local\Temp\HID.exe89⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"90⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exeC:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe91⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"92⤵
-
C:\Users\Admin\AppData\Local\Temp\explorer.exeC:\Users\Admin\AppData\Local\Temp\explorer.exe93⤵
- Drops startup file
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"94⤵
-
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"92⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\HID.exeC:\Users\Admin\AppData\Local\Temp\HID.exe93⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"94⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exeC:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe95⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"96⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\explorer.exeC:\Users\Admin\AppData\Local\Temp\explorer.exe97⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"98⤵
-
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"96⤵
-
C:\Users\Admin\AppData\Local\Temp\HID.exeC:\Users\Admin\AppData\Local\Temp\HID.exe97⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"98⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exeC:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe99⤵
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"100⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\explorer.exeC:\Users\Admin\AppData\Local\Temp\explorer.exe101⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"102⤵
- Drops startup file
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"100⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\HID.exeC:\Users\Admin\AppData\Local\Temp\HID.exe101⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"102⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exeC:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe103⤵
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"104⤵
-
C:\Users\Admin\AppData\Local\Temp\explorer.exeC:\Users\Admin\AppData\Local\Temp\explorer.exe105⤵
- Drops startup file
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"106⤵
-
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"104⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\HID.exeC:\Users\Admin\AppData\Local\Temp\HID.exe105⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"106⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exeC:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe107⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"108⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\explorer.exeC:\Users\Admin\AppData\Local\Temp\explorer.exe109⤵
- Drops startup file
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"110⤵
-
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"108⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\HID.exeC:\Users\Admin\AppData\Local\Temp\HID.exe109⤵
- Checks computer location settings
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"110⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exeC:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe111⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"112⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\explorer.exeC:\Users\Admin\AppData\Local\Temp\explorer.exe113⤵
- Drops startup file
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"114⤵
-
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"112⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\HID.exeC:\Users\Admin\AppData\Local\Temp\HID.exe113⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"114⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exeC:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe115⤵
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"116⤵
-
C:\Users\Admin\AppData\Local\Temp\explorer.exeC:\Users\Admin\AppData\Local\Temp\explorer.exe117⤵
- Drops startup file
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"118⤵
-
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"116⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\HID.exeC:\Users\Admin\AppData\Local\Temp\HID.exe117⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"118⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exeC:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe119⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"120⤵
-
C:\Users\Admin\AppData\Local\Temp\explorer.exeC:\Users\Admin\AppData\Local\Temp\explorer.exe121⤵
- Drops startup file
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-