Analysis
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system -
submitted
28-11-2024 10:25
Behavioral task
behavioral1
Sample
ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe
Resource
win10v2004-20241007-en
General
Target
ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe
Size
203KB
MD5
8b16945c9fee126595fcbb6fccfb66b0
SHA1
f23e5181c204b40623ff1b2efe6d9c9cb96756a3
SHA256
ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182
SHA512
a317523907686364fe6bf7e1aac04c685d385f655268330542290f1578d743fdd8f8a4d1969a3bab064bdb371b23bb695a760b29fc17d7c8d715d8cc3dc4a1ce
SSDEEP
3072:sr85CRAQUtm3XC99BqHUtm3XC99BqFr85C:k9RAvmHqZmHqW9
Malware Config
Signatures
Detect Neshta payload 64 IoCs
resource yara_rule behavioral1/files/0x000700000001956c-2.dat family_neshta behavioral1/files/0x0001000000010319-19.dat family_neshta behavioral1/files/0x0001000000010317-18.dat family_neshta behavioral1/files/0x000100000001064f-17.dat family_neshta behavioral1/files/0x0006000000019570-20.dat family_neshta behavioral1/files/0x000b000000010326-16.dat family_neshta behavioral1/memory/2880-31-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2928-29-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2740-44-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2592-43-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/3024-57-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2404-58-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/592-72-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1532-71-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2028-85-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1340-86-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2636-99-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1756-100-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/files/0x000100000000f77c-118.dat family_neshta behavioral1/memory/2112-114-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2384-113-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/files/0x000100000000f709-137.dat family_neshta behavioral1/files/0x000100000000f833-139.dat family_neshta behavioral1/memory/1688-143-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1420-142-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta 
behavioral1/memory/1092-163-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1928-162-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2232-174-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2188-175-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/852-192-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2292-191-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1748-206-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/108-208-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2296-220-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/3040-219-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/3028-233-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2312-234-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/964-259-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2964-258-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2724-275-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2892-274-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2616-283-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2664-284-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/3052-291-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2640-292-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1464-299-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1916-300-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta 
behavioral1/memory/276-314-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2060-313-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2168-323-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1236-322-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2216-331-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2480-330-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2012-338-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2408-339-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1952-347-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1588-346-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1876-354-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1276-355-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1416-362-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1004-363-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1084-371-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1708-370-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/604-378-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta -
Neshta
Malware from the Neshta family is designed to infect other files with copies of itself in order to spread and cause damage. In this run the sample registers C:\Windows\svchost.com as the handler for every .exe launch (the exefile\shell\open\command change listed below) and opens numerous executables under Program Files for modification, so any executable on the host should be treated as potentially infected.
Neshta family
Executes dropped EXE 64 IoCs
pid Process 2792 ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe 2928 svchost.com 2880 AC2065~1.EXE 2740 svchost.com 2592 AC2065~1.EXE 2404 svchost.com 3024 AC2065~1.EXE 592 svchost.com 1532 AC2065~1.EXE 1340 svchost.com 2028 AC2065~1.EXE 1756 svchost.com 2636 AC2065~1.EXE 2112 svchost.com 2384 AC2065~1.EXE 1688 svchost.com 1420 AC2065~1.EXE 1092 svchost.com 1928 AC2065~1.EXE 2188 svchost.com 2232 AC2065~1.EXE 2292 svchost.com 852 AC2065~1.EXE 108 svchost.com 1748 AC2065~1.EXE 2296 svchost.com 3040 AC2065~1.EXE 3028 svchost.com 2312 AC2065~1.EXE 964 svchost.com 2964 AC2065~1.EXE 2724 svchost.com 2892 AC2065~1.EXE 2664 svchost.com 2616 AC2065~1.EXE 2640 svchost.com 3052 AC2065~1.EXE 1916 svchost.com 1464 AC2065~1.EXE 276 svchost.com 2060 AC2065~1.EXE 2168 svchost.com 1236 AC2065~1.EXE 2216 svchost.com 2480 AC2065~1.EXE 2408 svchost.com 2012 AC2065~1.EXE 1952 svchost.com 1588 AC2065~1.EXE 1276 svchost.com 1876 AC2065~1.EXE 1416 svchost.com 1004 AC2065~1.EXE 1084 svchost.com 1708 AC2065~1.EXE 604 svchost.com 2532 AC2065~1.EXE 2448 svchost.com 2340 AC2065~1.EXE 1936 svchost.com 1568 AC2065~1.EXE 2484 svchost.com 324 AC2065~1.EXE 920 svchost.com -
Loads dropped DLL 64 IoCs
pid Process 2184 ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe 2184 ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe 2928 svchost.com 2928 svchost.com 2740 svchost.com 2740 svchost.com 2404 svchost.com 2404 svchost.com 592 svchost.com 592 svchost.com 1340 svchost.com 1340 svchost.com 1756 svchost.com 1756 svchost.com 2112 svchost.com 2112 svchost.com 1688 svchost.com 1688 svchost.com 2184 ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe 2792 ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe 1092 svchost.com 1092 svchost.com 2188 svchost.com 2188 svchost.com 2292 svchost.com 2184 ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe 2292 svchost.com 2184 ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe 108 svchost.com 108 svchost.com 2296 svchost.com 2296 svchost.com 2792 ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe 3028 svchost.com 2184 ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe 3028 svchost.com 2184 ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe 964 svchost.com 964 svchost.com 2724 svchost.com 2724 svchost.com 2664 svchost.com 2664 svchost.com 2640 svchost.com 2640 svchost.com 1916 svchost.com 1916 svchost.com 276 svchost.com 276 svchost.com 2184 ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe 2168 svchost.com 2168 svchost.com 2216 svchost.com 2216 svchost.com 2408 svchost.com 2408 svchost.com 1952 svchost.com 1952 svchost.com 1276 svchost.com 1276 svchost.com 1416 svchost.com 1416 svchost.com 1084 svchost.com 1084 svchost.com -
Modifies system executable filetype association 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE 
ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\WINDOW~1\WinMail.exe ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\WI54FB~1\WMPDMC.exe ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\WINDOW~1\wabmig.exe ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE 
ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE 
ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\OIS.EXE ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE 
ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\WINDOW~1\wabmig.exe ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\directx.sys AC2065~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com AC2065~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys AC2065~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys AC2065~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com AC2065~1.EXE File opened for modification C:\Windows\svchost.com AC2065~1.EXE File opened for modification C:\Windows\directx.sys AC2065~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys AC2065~1.EXE File opened for modification C:\Windows\directx.sys AC2065~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys AC2065~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com AC2065~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys AC2065~1.EXE File opened for modification C:\Windows\directx.sys AC2065~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com AC2065~1.EXE File opened for modification C:\Windows\directx.sys AC2065~1.EXE File opened for modification 
C:\Windows\directx.sys AC2065~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys AC2065~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys AC2065~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys AC2065~1.EXE File opened for modification C:\Windows\svchost.com AC2065~1.EXE File opened for modification C:\Windows\directx.sys AC2065~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com AC2065~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys AC2065~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys AC2065~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys AC2065~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe File opened for modification 
C:\Windows\svchost.com AC2065~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys AC2065~1.EXE File opened for modification C:\Windows\svchost.com AC2065~1.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AC2065~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AC2065~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AC2065~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AC2065~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AC2065~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AC2065~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AC2065~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AC2065~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AC2065~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AC2065~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AC2065~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AC2065~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AC2065~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AC2065~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AC2065~1.EXE Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AC2065~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AC2065~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AC2065~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AC2065~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AC2065~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AC2065~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AC2065~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AC2065~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AC2065~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AC2065~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AC2065~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AC2065~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AC2065~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AC2065~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AC2065~1.EXE -
Modifies registry class 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2184 wrote to memory of 2792 2184 ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe 30 PID 2184 wrote to memory of 2792 2184 ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe 30 PID 2184 wrote to memory of 2792 2184 ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe 30 PID 2184 wrote to memory of 2792 2184 ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe 30 PID 2792 wrote to memory of 2928 2792 ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe 31 PID 2792 wrote to memory of 2928 2792 ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe 31 PID 2792 wrote to memory of 2928 2792 ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe 31 PID 2792 wrote to memory of 2928 2792 ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe 31 PID 2928 wrote to memory of 2880 2928 svchost.com 32 PID 2928 wrote to memory of 2880 2928 svchost.com 32 PID 2928 wrote to memory of 2880 2928 svchost.com 32 PID 2928 wrote to memory of 2880 2928 svchost.com 32 PID 2880 wrote to memory of 2740 2880 AC2065~1.EXE 33 PID 2880 wrote to memory of 2740 2880 AC2065~1.EXE 33 PID 2880 wrote to memory of 2740 2880 AC2065~1.EXE 33 PID 2880 wrote to memory of 2740 2880 AC2065~1.EXE 33 PID 2740 wrote to memory of 2592 2740 svchost.com 34 PID 2740 wrote to memory of 2592 2740 svchost.com 34 PID 2740 wrote to memory of 2592 2740 svchost.com 34 PID 2740 wrote to memory of 2592 2740 svchost.com 34 PID 2592 wrote to memory of 2404 2592 AC2065~1.EXE 35 PID 2592 wrote to memory of 2404 2592 AC2065~1.EXE 35 PID 2592 wrote to memory of 2404 2592 AC2065~1.EXE 35 PID 2592 wrote to memory of 2404 2592 AC2065~1.EXE 35 PID 2404 wrote to memory of 3024 2404 svchost.com 36 PID 2404 wrote to memory of 3024 2404 svchost.com 36 PID 2404 wrote to memory of 3024 2404 svchost.com 36 PID 2404 wrote to memory of 3024 2404 svchost.com 36 PID 
3024 wrote to memory of 592 3024 AC2065~1.EXE 37 PID 3024 wrote to memory of 592 3024 AC2065~1.EXE 37 PID 3024 wrote to memory of 592 3024 AC2065~1.EXE 37 PID 3024 wrote to memory of 592 3024 AC2065~1.EXE 37 PID 592 wrote to memory of 1532 592 svchost.com 38 PID 592 wrote to memory of 1532 592 svchost.com 38 PID 592 wrote to memory of 1532 592 svchost.com 38 PID 592 wrote to memory of 1532 592 svchost.com 38 PID 1532 wrote to memory of 1340 1532 AC2065~1.EXE 39 PID 1532 wrote to memory of 1340 1532 AC2065~1.EXE 39 PID 1532 wrote to memory of 1340 1532 AC2065~1.EXE 39 PID 1532 wrote to memory of 1340 1532 AC2065~1.EXE 39 PID 1340 wrote to memory of 2028 1340 svchost.com 40 PID 1340 wrote to memory of 2028 1340 svchost.com 40 PID 1340 wrote to memory of 2028 1340 svchost.com 40 PID 1340 wrote to memory of 2028 1340 svchost.com 40 PID 2028 wrote to memory of 1756 2028 AC2065~1.EXE 41 PID 2028 wrote to memory of 1756 2028 AC2065~1.EXE 41 PID 2028 wrote to memory of 1756 2028 AC2065~1.EXE 41 PID 2028 wrote to memory of 1756 2028 AC2065~1.EXE 41 PID 1756 wrote to memory of 2636 1756 svchost.com 42 PID 1756 wrote to memory of 2636 1756 svchost.com 42 PID 1756 wrote to memory of 2636 1756 svchost.com 42 PID 1756 wrote to memory of 2636 1756 svchost.com 42 PID 2636 wrote to memory of 2112 2636 AC2065~1.EXE 43 PID 2636 wrote to memory of 2112 2636 AC2065~1.EXE 43 PID 2636 wrote to memory of 2112 2636 AC2065~1.EXE 43 PID 2636 wrote to memory of 2112 2636 AC2065~1.EXE 43 PID 2112 wrote to memory of 2384 2112 svchost.com 44 PID 2112 wrote to memory of 2384 2112 svchost.com 44 PID 2112 wrote to memory of 2384 2112 svchost.com 44 PID 2112 wrote to memory of 2384 2112 svchost.com 44 PID 2384 wrote to memory of 1688 2384 AC2065~1.EXE 45 PID 2384 wrote to memory of 1688 2384 AC2065~1.EXE 45 PID 2384 wrote to memory of 1688 2384 AC2065~1.EXE 45 PID 2384 wrote to memory of 1688 2384 AC2065~1.EXE 45
Processes (process tree: each entry is the image path followed by its command line, the behavioral signatures attributed to that process, and its PID; the number before ⤵ is the nesting depth. Note that PIDs are recycled within the 119 s run — e.g. 3040, 2892, 276 and 1236 each appear twice at different depths — so earlier chain members have already exited, and a PID alone does not identify a process in the WriteProcessMemory table above without its position in this tree.)
-
C:\Users\Admin\AppData\Local\Temp\ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe"C:\Users\Admin\AppData\Local\Temp\ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe"1⤵
- Loads dropped DLL
- Modifies system executable filetype association (changes how .exe files are opened). The alternating `C:\Windows\svchost.com` → `AC2065~1.EXE` → `svchost.com` chain below, where svchost.com always receives the requested executable's path as its argument, is consistent with every .exe launch being routed through the dropped svchost.com — a file-infector-style hook on the .exe handler — which would explain a 120+-level tree instead of a single dropper → payload hop. Confirm against the registry write trace.
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory (per the pid table above, every write targets the writer's own direct child at spawn time — 2184→2792, 2792→2928, 2928→2880, … — so this looks like process start-up rather than injection into an unrelated process; verify with the API trace before treating it as injection)
PID:2184 -
C:\Users\Admin\AppData\Local\Temp\3582-490\ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\ac2065c5494f8d70f6bed6cf233888325913b816b9ca2d5daefef2698d428182N.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"3⤵
- Executes dropped EXE (`C:\Windows\svchost.com` is a file this sample drops into the Windows directory, not the legitimate `svchost.exe` under `System32`; the `.com` extension and the `C:\Windows` root location are the tell)
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:592 -
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1340 -
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1688 -
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE18⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1420 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1092 -
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE20⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2188 -
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE22⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2232 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2292 -
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE24⤵
- Executes dropped EXE
PID:852 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:108 -
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1748 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2296 -
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE28⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3028 -
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE30⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:964 -
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE32⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2964 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2724 -
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE34⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"35⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2664 -
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE36⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"37⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2640 -
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE38⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"39⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1916 -
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE40⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"41⤵
- Executes dropped EXE
- Loads dropped DLL
PID:276 -
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE42⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"43⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2168 -
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE44⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1236 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"45⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2216 -
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2480 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"47⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2408 -
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE48⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"49⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1952 -
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE50⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"51⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1276 -
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE52⤵
- Executes dropped EXE
PID:1876 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"53⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1416 -
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE54⤵
- Executes dropped EXE
PID:1004 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"55⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1084 -
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE56⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1708 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"57⤵
- Executes dropped EXE
PID:604 -
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE58⤵
- Executes dropped EXE
PID:2532 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"59⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2448 -
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2340 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"61⤵
- Executes dropped EXE
PID:1936 -
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE62⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"63⤵
- Executes dropped EXE
PID:2484 -
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE64⤵
- Executes dropped EXE
PID:324 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"65⤵
- Executes dropped EXE
PID:920 -
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE66⤵PID:1960
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"67⤵
- System Location Discovery: System Language Discovery
PID:2976 -
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE68⤵PID:1176
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"69⤵PID:1996
-
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE70⤵PID:1380
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"71⤵PID:3040
-
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE72⤵PID:2504
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"73⤵PID:1016
-
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE74⤵PID:908
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"75⤵PID:1596
-
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE76⤵PID:1524
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"77⤵PID:1552
-
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE78⤵PID:2756
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"79⤵PID:2708
-
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE80⤵PID:2596
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"81⤵PID:2700
-
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE82⤵PID:2892
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"83⤵
- Drops file in Windows directory
PID:2588 -
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE84⤵PID:2652
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"85⤵PID:1732
-
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE86⤵PID:1488
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"87⤵PID:1496
-
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE88⤵PID:2940
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"89⤵PID:1904
-
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE90⤵PID:276
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"91⤵PID:1800
-
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE92⤵PID:1956
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"93⤵PID:1236
-
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE94⤵PID:2204
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"95⤵PID:2480
-
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE96⤵PID:2560
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"97⤵
- System Location Discovery: System Language Discovery
PID:2408 -
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE98⤵PID:1920
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"99⤵PID:1952
-
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE100⤵PID:1636
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"101⤵
- System Location Discovery: System Language Discovery
PID:1876 -
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE102⤵PID:1416
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"103⤵PID:540
-
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE104⤵PID:1124
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"105⤵
- Drops file in Windows directory
PID:2236 -
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE106⤵PID:3064
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"107⤵PID:2532
-
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE108⤵PID:2092
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"109⤵PID:3068
-
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE110⤵
- System Location Discovery: System Language Discovery
PID:1568 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"111⤵PID:1304
-
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE112⤵
- System Location Discovery: System Language Discovery
PID:2484 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"113⤵
- Drops file in Windows directory
PID:652 -
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE114⤵PID:272
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"115⤵PID:2500
-
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE116⤵PID:2976
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"117⤵PID:684
-
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE118⤵PID:1996
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"119⤵PID:2972
-
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE120⤵PID:2068
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE"121⤵PID:1572
-
C:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\AC2065~1.EXE122⤵PID:3044