neshta | c8b3a6a31e269ce08dc162a54b1e1f6dd20a05bad4af627a50a9a4931830ad8b

Analysis

max time kernel
142s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-11-2024 12:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

order SL2401-545.exe
Size

818KB
MD5

23e6c75cd60aae58526c9bd734324ddf
SHA1

c6a8abd742fe2cd2eeefe2a0ee5d55b28120684c
SHA256

61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e
SHA512

3746d9803a01c5701f944a3197c57f96a56e9b6f4ea2c0da20f5be4a8f4a6e89f86214110baea3762b29c43af8b64331d5c3ebf6583aa949f8ce9db07c27ce31
SSDEEP

24576:Z3tCNVECr4YOprbXj64us/OboCCk8C0CaV2j:Z9CNZyprbXG4ujo5k8C0bVI

Score

10^/10

neshta discovery execution persistence spyware stealer

Malware Config

Signatures

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1240	powershell.exe
700	powershell.exe
2020	powershell.exe
2784	powershell.exe
1044	powershell.exe
2436	powershell.exe
2904	powershell.exe
936	powershell.exe
2736	powershell.exe
3012	powershell.exe
2348	powershell.exe
1272	powershell.exe
2884	powershell.exe
1800	powershell.exe
3056	powershell.exe
1516	powershell.exe
1564	powershell.exe
3060	powershell.exe

Executes dropped EXE 57 IoCs

pid	Process
1944	order SL2401-545.exe
2632	svchost.com
2788	svchost.com
1232	svchost.com
1840	order SL2401-545.exe
1436	svchost.com
2240	ORDERS~1.EXE
1960	svchost.com
1596	svchost.com
2452	svchost.com
2232	ORDERS~1.EXE
1392	ORDERS~1.EXE
700	svchost.com
2684	ORDERS~1.EXE
2856	svchost.com
2644	svchost.com
1588	svchost.com
2504	ORDERS~1.EXE
2944	svchost.com
3048	ORDERS~1.EXE
1308	svchost.com
448	svchost.com
2260	svchost.com
1000	ORDERS~1.EXE
1052	svchost.com
1768	ORDERS~1.EXE
1392	svchost.com
2676	svchost.com
2648	svchost.com
2860	ORDERS~1.EXE
1328	svchost.com
1324	ORDERS~1.EXE
2012	svchost.com
688	svchost.com
2916	svchost.com
2788	ORDERS~1.EXE
2876	svchost.com
1500	ORDERS~1.EXE
1628	svchost.com
3048	svchost.com
1548	svchost.com
596	ORDERS~1.EXE
2636	svchost.com
932	ORDERS~1.EXE
112	svchost.com
2464	svchost.com
852	svchost.com
1644	ORDERS~1.EXE
348	svchost.com
2972	ORDERS~1.EXE
2632	svchost.com
2504	svchost.com
2284	svchost.com
1896	ORDERS~1.EXE
2500	ORDERS~1.EXE
1596	svchost.com
1932	ORDERS~1.EXE

Loads dropped DLL 44 IoCs

pid	Process
2336	order SL2401-545.exe
2336	order SL2401-545.exe
1944	order SL2401-545.exe
1840	order SL2401-545.exe
1436	svchost.com
2452	svchost.com
2240	ORDERS~1.EXE
2240	ORDERS~1.EXE
1392	ORDERS~1.EXE
700	svchost.com
1588	svchost.com
2684	ORDERS~1.EXE
2504	ORDERS~1.EXE
2944	svchost.com
448	svchost.com
2260	svchost.com
3048	ORDERS~1.EXE
1000	ORDERS~1.EXE
1052	svchost.com
2676	svchost.com
2648	svchost.com
1768	ORDERS~1.EXE
2860	ORDERS~1.EXE
1328	svchost.com
688	svchost.com
2916	svchost.com
1324	ORDERS~1.EXE
2788	ORDERS~1.EXE
2876	svchost.com
3048	svchost.com
1548	svchost.com
1500	ORDERS~1.EXE
596	ORDERS~1.EXE
2636	svchost.com
852	svchost.com
932	ORDERS~1.EXE
1644	ORDERS~1.EXE
348	svchost.com
2504	svchost.com
2284	svchost.com
2972	ORDERS~1.EXE
2972	ORDERS~1.EXE
2500	ORDERS~1.EXE
1596	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	order SL2401-545.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 1944 set thread context of 1840	1944	order SL2401-545.exe	40
PID 2240 set thread context of 1392	2240	ORDERS~1.EXE	54
PID 2684 set thread context of 2504	2684	ORDERS~1.EXE	65
PID 3048 set thread context of 1000	3048	ORDERS~1.EXE	77
PID 1768 set thread context of 2860	1768	ORDERS~1.EXE	90
PID 1324 set thread context of 2788	1324	ORDERS~1.EXE	102
PID 1500 set thread context of 596	1500	ORDERS~1.EXE	113
PID 932 set thread context of 1644	932	ORDERS~1.EXE	124
PID 2972 set thread context of 2500	2972	ORDERS~1.EXE	139

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	order SL2401-545.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	order SL2401-545.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	order SL2401-545.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	order SL2401-545.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	order SL2401-545.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	order SL2401-545.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	order SL2401-545.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	ORDERS~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	ORDERS~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	ORDERS~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	ORDERS~1.EXE
File opened for modification	C:\Windows\svchost.com	order SL2401-545.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	ORDERS~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	ORDERS~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	ORDERS~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	ORDERS~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	ORDERS~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	ORDERS~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ORDERS~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ORDERS~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	order SL2401-545.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ORDERS~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ORDERS~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	order SL2401-545.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ORDERS~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ORDERS~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	order SL2401-545.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ORDERS~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ORDERS~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ORDERS~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ORDERS~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ORDERS~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ORDERS~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ORDERS~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ORDERS~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	order SL2401-545.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2772	schtasks.exe
2148	schtasks.exe
2016	schtasks.exe
2912	schtasks.exe
2720	schtasks.exe
2760	schtasks.exe
936	schtasks.exe
2180	schtasks.exe
1872	schtasks.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
1944	order SL2401-545.exe
1944	order SL2401-545.exe
1944	order SL2401-545.exe
1944	order SL2401-545.exe
2904	powershell.exe
2884	powershell.exe
2240	ORDERS~1.EXE
2240	ORDERS~1.EXE
2240	ORDERS~1.EXE
2240	ORDERS~1.EXE
2240	ORDERS~1.EXE
2240	ORDERS~1.EXE
936	powershell.exe
1800	powershell.exe
2684	ORDERS~1.EXE
2684	ORDERS~1.EXE
2684	ORDERS~1.EXE
2684	ORDERS~1.EXE
1240	powershell.exe
2348	powershell.exe
3048	ORDERS~1.EXE
3048	ORDERS~1.EXE
3048	ORDERS~1.EXE
3048	ORDERS~1.EXE
1564	powershell.exe
3060	powershell.exe
1768	ORDERS~1.EXE
1768	ORDERS~1.EXE
1768	ORDERS~1.EXE
1768	ORDERS~1.EXE
2736	powershell.exe
700	powershell.exe
1324	ORDERS~1.EXE
1324	ORDERS~1.EXE
1324	ORDERS~1.EXE
1324	ORDERS~1.EXE
3056	powershell.exe
2020	powershell.exe
1500	ORDERS~1.EXE
1500	ORDERS~1.EXE
1500	ORDERS~1.EXE
1500	ORDERS~1.EXE
1272	powershell.exe
3012	powershell.exe
932	ORDERS~1.EXE
932	ORDERS~1.EXE
932	ORDERS~1.EXE
932	ORDERS~1.EXE
2784	powershell.exe
1044	powershell.exe
2972	ORDERS~1.EXE
2972	ORDERS~1.EXE
2972	ORDERS~1.EXE
2972	ORDERS~1.EXE
2972	ORDERS~1.EXE
2972	ORDERS~1.EXE
2436	powershell.exe
1516	powershell.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	1944	order SL2401-545.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	2240	ORDERS~1.EXE
Token: SeDebugPrivilege	936	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	2684	ORDERS~1.EXE
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	3048	ORDERS~1.EXE
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	1768	ORDERS~1.EXE
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	700	powershell.exe
Token: SeDebugPrivilege	1324	ORDERS~1.EXE
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	1500	ORDERS~1.EXE
Token: SeDebugPrivilege	1272	powershell.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	932	ORDERS~1.EXE
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	1044	powershell.exe
Token: SeDebugPrivilege	2972	ORDERS~1.EXE
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 1944	2336	order SL2401-545.exe	30
PID 2336 wrote to memory of 1944	2336	order SL2401-545.exe	30
PID 2336 wrote to memory of 1944	2336	order SL2401-545.exe	30
PID 2336 wrote to memory of 1944	2336	order SL2401-545.exe	30
PID 1944 wrote to memory of 2632	1944	order SL2401-545.exe	32
PID 1944 wrote to memory of 2632	1944	order SL2401-545.exe	32
PID 1944 wrote to memory of 2632	1944	order SL2401-545.exe	32
PID 1944 wrote to memory of 2632	1944	order SL2401-545.exe	32
PID 2632 wrote to memory of 2884	2632	svchost.com	33
PID 2632 wrote to memory of 2884	2632	svchost.com	33
PID 2632 wrote to memory of 2884	2632	svchost.com	33
PID 2632 wrote to memory of 2884	2632	svchost.com	33
PID 1944 wrote to memory of 2788	1944	order SL2401-545.exe	35
PID 1944 wrote to memory of 2788	1944	order SL2401-545.exe	35
PID 1944 wrote to memory of 2788	1944	order SL2401-545.exe	35
PID 1944 wrote to memory of 2788	1944	order SL2401-545.exe	35
PID 1944 wrote to memory of 1232	1944	order SL2401-545.exe	36
PID 1944 wrote to memory of 1232	1944	order SL2401-545.exe	36
PID 1944 wrote to memory of 1232	1944	order SL2401-545.exe	36
PID 1944 wrote to memory of 1232	1944	order SL2401-545.exe	36
PID 1232 wrote to memory of 2772	1232	svchost.com	37
PID 1232 wrote to memory of 2772	1232	svchost.com	37
PID 1232 wrote to memory of 2772	1232	svchost.com	37
PID 1232 wrote to memory of 2772	1232	svchost.com	37
PID 2788 wrote to memory of 2904	2788	svchost.com	38
PID 2788 wrote to memory of 2904	2788	svchost.com	38
PID 2788 wrote to memory of 2904	2788	svchost.com	38
PID 2788 wrote to memory of 2904	2788	svchost.com	38
PID 1944 wrote to memory of 1840	1944	order SL2401-545.exe	40
PID 1944 wrote to memory of 1840	1944	order SL2401-545.exe	40
PID 1944 wrote to memory of 1840	1944	order SL2401-545.exe	40
PID 1944 wrote to memory of 1840	1944	order SL2401-545.exe	40
PID 1944 wrote to memory of 1840	1944	order SL2401-545.exe	40
PID 1944 wrote to memory of 1840	1944	order SL2401-545.exe	40
PID 1944 wrote to memory of 1840	1944	order SL2401-545.exe	40
PID 1944 wrote to memory of 1840	1944	order SL2401-545.exe	40
PID 1944 wrote to memory of 1840	1944	order SL2401-545.exe	40
PID 1944 wrote to memory of 1840	1944	order SL2401-545.exe	40
PID 1944 wrote to memory of 1840	1944	order SL2401-545.exe	40
PID 1944 wrote to memory of 1840	1944	order SL2401-545.exe	40
PID 1840 wrote to memory of 1436	1840	order SL2401-545.exe	42
PID 1840 wrote to memory of 1436	1840	order SL2401-545.exe	42
PID 1840 wrote to memory of 1436	1840	order SL2401-545.exe	42
PID 1840 wrote to memory of 1436	1840	order SL2401-545.exe	42
PID 1436 wrote to memory of 2240	1436	svchost.com	43
PID 1436 wrote to memory of 2240	1436	svchost.com	43
PID 1436 wrote to memory of 2240	1436	svchost.com	43
PID 1436 wrote to memory of 2240	1436	svchost.com	43
PID 2240 wrote to memory of 1960	2240	ORDERS~1.EXE	44
PID 2240 wrote to memory of 1960	2240	ORDERS~1.EXE	44
PID 2240 wrote to memory of 1960	2240	ORDERS~1.EXE	44
PID 2240 wrote to memory of 1960	2240	ORDERS~1.EXE	44
PID 2240 wrote to memory of 1596	2240	ORDERS~1.EXE	46
PID 2240 wrote to memory of 1596	2240	ORDERS~1.EXE	46
PID 2240 wrote to memory of 1596	2240	ORDERS~1.EXE	46
PID 2240 wrote to memory of 1596	2240	ORDERS~1.EXE	46
PID 1960 wrote to memory of 936	1960	svchost.com	45
PID 1960 wrote to memory of 936	1960	svchost.com	45
PID 1960 wrote to memory of 936	1960	svchost.com	45
PID 1960 wrote to memory of 936	1960	svchost.com	45
PID 2240 wrote to memory of 2452	2240	ORDERS~1.EXE	49
PID 2240 wrote to memory of 2452	2240	ORDERS~1.EXE	49
PID 2240 wrote to memory of 2452	2240	ORDERS~1.EXE	49
PID 2240 wrote to memory of 2452	2240	ORDERS~1.EXE	49

C:\Users\Admin\AppData\Local\Temp\order SL2401-545.exe
"C:\Users\Admin\AppData\Local\Temp\order SL2401-545.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\3582-490\order SL2401-545.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\order SL2401-545.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3582-490\order SL2401-545.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
      C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3582-490\order SL2401-545.exe
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2884
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
      C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2904
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eiVfWxqyEFoV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF190.tmp"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1232
  - - C:\Windows\SysWOW64\schtasks.exe
      C:\Windows\System32\schtasks.exe /Create /TN Updates\eiVfWxqyEFoV /XML C:\Users\Admin\AppData\Local\Temp\tmpF190.tmp
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2772
- - C:\Users\Admin\AppData\Local\Temp\3582-490\order SL2401-545.exe
    "C:\Users\Admin\AppData\Local\Temp\3582-490\order SL2401-545.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1840
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1436
    - - C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2240
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE"
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
        
        C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:936
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe"
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
        
        C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eiVfWxqyEFoV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2F6A.tmp"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Windows\SysWOW64\schtasks.exe
        
        C:\Windows\System32\schtasks.exe /Create /TN Updates\eiVfWxqyEFoV /XML C:\Users\Admin\AppData\Local\Temp\tmp2F6A.tmp
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2148
      - C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE"
        6⤵
        Executes dropped EXE
        
        PID:2232
      - C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1392
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:700
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE"
        9⤵
        Executes dropped EXE
        
        PID:2856
        
        C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
        
        C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1240
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe"
        9⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
        
        C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe
        10⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eiVfWxqyEFoV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6CD7.tmp"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1588
        
        C:\Windows\SysWOW64\schtasks.exe
        
        C:\Windows\System32\schtasks.exe /Create /TN Updates\eiVfWxqyEFoV /XML C:\Users\Admin\AppData\Local\Temp\tmp6CD7.tmp
        10⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2504
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
        
        C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE
        13⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1308
        
        C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
        
        C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe
        13⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eiVfWxqyEFoV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA9F5.tmp"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2260
        
        C:\Windows\SysWOW64\schtasks.exe
        
        C:\Windows\System32\schtasks.exe /Create /TN Updates\eiVfWxqyEFoV /XML C:\Users\Admin\AppData\Local\Temp\tmpA9F5.tmp
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1000
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
        
        C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE
        16⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe"
        15⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1392
        
        C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
        
        C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe
        16⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:700
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eiVfWxqyEFoV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE6D6.tmp"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2648
        
        C:\Windows\SysWOW64\schtasks.exe
        
        C:\Windows\System32\schtasks.exe /Create /TN Updates\eiVfWxqyEFoV /XML C:\Users\Admin\AppData\Local\Temp\tmpE6D6.tmp
        16⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1324
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:688
        
        C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
        
        C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE
        19⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe"
        18⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2012
        
        C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
        
        C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe
        19⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eiVfWxqyEFoV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp23C6.tmp"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:2916
        
        C:\Windows\SysWOW64\schtasks.exe
        
        C:\Windows\System32\schtasks.exe /Create /TN Updates\eiVfWxqyEFoV /XML C:\Users\Admin\AppData\Local\Temp\tmp23C6.tmp
        19⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:2788
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
        
        C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE
        22⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1272
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe"
        21⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
        
        C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe
        22⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eiVfWxqyEFoV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6097.tmp"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:1548
        
        C:\Windows\SysWOW64\schtasks.exe
        
        C:\Windows\System32\schtasks.exe /Create /TN Updates\eiVfWxqyEFoV /XML C:\Users\Admin\AppData\Local\Temp\tmp6097.tmp
        22⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:596
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE"
        24⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:112
        
        C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
        
        C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE
        25⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1044
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe"
        24⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2464
        
        C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
        
        C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe
        25⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eiVfWxqyEFoV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9D68.tmp"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:852
        
        C:\Windows\SysWOW64\schtasks.exe
        
        C:\Windows\System32\schtasks.exe /Create /TN Updates\eiVfWxqyEFoV /XML C:\Users\Admin\AppData\Local\Temp\tmp9D68.tmp
        25⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1644
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:348
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2504
        
        C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
        
        C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE
        28⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe"
        27⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
        
        C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe
        28⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2436
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eiVfWxqyEFoV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDA39.tmp"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:2284
        
        C:\Windows\SysWOW64\schtasks.exe
        
        C:\Windows\System32\schtasks.exe /Create /TN Updates\eiVfWxqyEFoV /XML C:\Users\Admin\AppData\Local\Temp\tmpDA39.tmp
        28⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE"
        27⤵
        Executes dropped EXE
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2500
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\ORDERS~1.EXE
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

Filesize
859KB

MD5
754309b7b83050a50768236ee966224f

SHA1
10ed7efc2e594417ddeb00a42deb8fd9f804ed53

SHA256
acd32dd903e5464b0ecd153fb3f71da520d2e59a63d4c355d9c1874c919d04e6

SHA512
e5aaddf62c08c8fcc1ae3f29df220c5c730a2efa96dd18685ee19f5a9d66c4735bb4416c4828033661990604669ed345415ef2dc096ec75e1ab378dd804b1614

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp

Filesize
8B

MD5
5cfdd1a5a9e04a9b1a583edb92d1a9d2

SHA1
eca7121ca88123926f33263dadf7c42435ca792f

SHA256
e50f6275369a7a561f3fe6c4e26dd8710af601bd3527ac14c2f26f84f492c35f

SHA512
2f90765c22c4bf88d0c4a1a721ef2bf8113a53e30df64d9e3bfdc49b279fe99c91a319b1c16ec1fe5ed814efcd81eb06ed2f18ef5e46148c80c959bdd4aeebd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE6D6.tmp

Filesize
1KB

MD5
10327465f761be650af2f3ec9893ae79

SHA1
bfb164b4bda916770e870f3b9e6787919ec5527d

SHA256
9e1841a9b40b1eed4f614017d7341784046ccf1e4cd4b57ee24942eb2cd1d6a8

SHA512
7a4ad86c6706dfc913bc195d38853d757a073acd831aed4461e09cc2f80733664115aee7c157cce51f828a19eb1c40bed6074229cdecca6e66166ad8d3c9aec5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1L1LPTFV5QTVQZJPNMML.temp

Filesize
7KB

MD5
fef0cc3cca8cf72c640d872daacf94fb

SHA1
287cf4c2819ed4f05b41bf543b5fd3c6367dd1d4

SHA256
e704ddaff3a8ebc73cbc8894cebd6ccbdf154a4ccb27d1687c892754d29328c2

SHA512
cf09325f8b24ab3c69af895520ef06f53bd9adb444d107c4f275ee4f92fabd5b783310125c520db9be80314b03a528a71c1a3b3ce450b2e97daf61599f564b8c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
2e183204979d8ec1236918be58e9c9d5

SHA1
cbe6b8c1ae1d512b97b4f013a1f1f64cb9bb329e

SHA256
dbda1302c200e4756840f356fc35a40ea615a9ca610a994f1e8a5b4996ed7198

SHA512
0acf10b293df0296db6755d8732a489c46b917f393ecdcffceb8932d4bff07d4e48109e254b27df4e6d753367843d6ab541034834494f67836ad6716540d0a4b

Download Submit
C:\Windows\directx.sys

Filesize
115B

MD5
7f0450c020d2f987fc87cf13e36e8c3a

SHA1
65e0f57e51f701ebdb78d76497531b8058ba8160

SHA256
fdca01dca3fff14dd5e23e0446372352a43e71eba57b9592e2331020dec4568e

SHA512
4b506c4e7f4b2cd73f0a1517819ddb7777e5813cb44f0d56e35139a389349744aea9d53d2a867d15fbe676db5a359ef1a6fd614221849bee49cc0afa9f1163d8

Download Submit
C:\Windows\directx.sys

Filesize
34B

MD5
7779b7aac555eb734d1d878a0dfce1e2

SHA1
4216e4f627f3933d918ae4b86683e205e630d3a5

SHA256
62263e548942d1b55bc1f1c79489ddf0fc111a11df3660b30e202a8472fc7331

SHA512
e9608bb14045f4789c367771fd2a043a13e9732dd3daa4bd41bed753f46d9e0334d4af9bff59a755e8511988dea3b3a88f887940a09668eff07eb7e4b2ad209b

Download Submit
C:\Windows\directx.sys

Filesize
99B

MD5
20dd9868b9ae8ac65bab31b5650890b0

SHA1
6aa5309826f48d575489ed546bfd17c80a3aa02d

SHA256
7fbb99a259c044e8bbf6b4662eb79703b3fce7f12bc7f0f069469a7778bcc347

SHA512
ed2b0ef383851a5cff3796c63b189745d35b4763016fe8aa229bacfdd89e15525056503a4db339aa3437d88b8d8608ba1755ca563686eb56deacb16375df7480

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
6ded9988f985328465d67db50951e063

SHA1
89e6170493fd22ddde5837ef96cfc550e33eddb7

SHA256
af4ac52f67dfc48ebd60160fb96a290530547928a99654954ee0b06d5139962f

SHA512
2e361b91178aa8f068645c3ac9f2da1415d428d2c968e1549ba57793797d6a9413e5f1261f2009e16812fa458b3f04f1be37504c6bc91dccc93074ccedb42499

Download Submit
C:\Windows\directx.sys

Filesize
107B

MD5
2d04efc31a91cf2b10f88540b59eb87b

SHA1
d9f92cc16c569d4eb4d0a867cfdc8858cc4a96b4

SHA256
2a306013775e75c8adc7cc8fd01c688b9ba2b7ba6ed3e6de62c15a54216b271c

SHA512
f3444aa6279f72072ee998e1ab5b1e703e9f0fb4989312dfa6f70615f65405587c9a90a3ee2369bc442c57d3b4f0d5cb97a2a54abb2c778044463a86e9af212a

Download Submit
C:\Windows\directx.sys

Filesize
83B

MD5
eeeb45e7168435a05021519dece54ce3

SHA1
df05ed8dc583d17b54cf270dbbbbe36937769941

SHA256
b6063fa83cf0d842cf1a0fa2f30dd20d638b4b380cf351534b82cef9e14be9ac

SHA512
538218614b1f8b3f6b6244857b8271687b7e9036f1ab1bd489fff92782674522c43bc312989d4ac3e58f5d335cdda8c0d898a4bb9630d1c5a467e38f332fb501

Download Submit
C:\Windows\directx.sys

Filesize
156B

MD5
b18eb7b730a2eab4b834d1f86b35790c

SHA1
3c0118f359466c6738d624b471f95558d0bbb409

SHA256
713d1707c7be2e4d0f4718eb693b3a288c67d730c31f34ab9f39cbfde01d0121

SHA512
8ea00a1d6512a2ba975c4b13e7124245d6cabe9f347cc881eab09f16ee707f69c6902a1ca3beb4ba2437660cb3b464dd251eb2a876d6aade226a83fd0551b4bb

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
2f50aca08ffc461c86e8fb5bbedda142

SHA1
6fc5319d084c6e13f950c24c78a9cadb7793c638

SHA256
d60208f3894f4556caae5ed2297c0ef1593a4a66f5af8f3f2e44a8f2896bbf8e

SHA512
785225fe823c5724c7ebbfb17f31ffcfc2b3b852369b4d3e002b54476ad8c0f4a5d6ac29d43886361bc8deda29db9f9ce70b1e4496b08390a8ead50ddac9d46e

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\order SL2401-545.exe

Filesize
777KB

MD5
fd151dbc522da341d7c5540e6a90d624

SHA1
4fe3c3f08021ce65120246b0428ad5fafe001d6e

SHA256
bc984064d01424dfd6a7c530a1927fe5e3fd3c659988ccd503c3fbfd99462a3f

SHA512
3c3356f1f59235cdcb720939aad4b87939778695d9b9cf2ed1d0d31844a50844bf984a9d1b3f7c15af25286e55f0102f1826b19315eb79a65423942e8431eaed

Download Submit
memory/700-245-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/932-542-0x0000000000D90000-0x0000000000E58000-memory.dmp

Filesize
800KB

Download
memory/1232-127-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1324-435-0x0000000000CC0000-0x0000000000D88000-memory.dmp

Filesize
800KB

Download
memory/1436-169-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1500-492-0x0000000000D90000-0x0000000000E58000-memory.dmp

Filesize
800KB

Download
memory/1500-494-0x00000000008D0000-0x00000000008E2000-memory.dmp

Filesize
72KB

Download
memory/1588-275-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1596-191-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1840-148-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1840-131-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1840-146-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1840-145-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1840-143-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1840-141-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1840-139-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1840-137-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1840-135-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1840-133-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1932-667-0x0000000000490000-0x00000000004A2000-memory.dmp

Filesize
72KB

Download
memory/1932-657-0x00000000001F0000-0x00000000002B8000-memory.dmp

Filesize
800KB

Download
memory/1944-92-0x00000000004D0000-0x00000000004D8000-memory.dmp

Filesize
32KB

Download
memory/1944-14-0x0000000000B80000-0x0000000000C48000-memory.dmp

Filesize
800KB

Download
memory/1944-93-0x00000000004E0000-0x00000000004EE000-memory.dmp

Filesize
56KB

Download
memory/1944-89-0x000000007474E000-0x000000007474F000-memory.dmp

Filesize
4KB

Download
memory/1944-149-0x0000000074740000-0x0000000074E2E000-memory.dmp

Filesize
6.9MB

Download
memory/1944-22-0x0000000000470000-0x0000000000482000-memory.dmp

Filesize
72KB

Download
memory/1944-15-0x0000000074740000-0x0000000074E2E000-memory.dmp

Filesize
6.9MB

Download
memory/1944-94-0x0000000005420000-0x00000000054AE000-memory.dmp

Filesize
568KB

Download
memory/1944-91-0x0000000074740000-0x0000000074E2E000-memory.dmp

Filesize
6.9MB

Download
memory/1944-13-0x000000007474E000-0x000000007474F000-memory.dmp

Filesize
4KB

Download
memory/1960-181-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2240-170-0x0000000000380000-0x0000000000392000-memory.dmp

Filesize
72KB

Download
memory/2336-90-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2336-96-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2452-200-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2632-105-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2644-266-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2788-129-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2856-256-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2972-603-0x0000000000070000-0x0000000000138000-memory.dmp

Filesize
800KB

Download
memory/2972-609-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/3048-313-0x0000000000B80000-0x0000000000C48000-memory.dmp

Filesize
800KB

Download