Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
26s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system -
submitted
30/11/2024, 11:52
Behavioral task
behavioral1
Sample
caae2c684550b70dca257d6b5d8bd8aa5adda314979655eb46f1b453b7b51585N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
caae2c684550b70dca257d6b5d8bd8aa5adda314979655eb46f1b453b7b51585N.exe
Resource
win10v2004-20241007-en
General
-
Target
caae2c684550b70dca257d6b5d8bd8aa5adda314979655eb46f1b453b7b51585N.exe
-
Size
1.9MB
-
MD5
e9e2bd7b71ead316297deec1dfa509d0
-
SHA1
a1da22feb74aaae637d30e2952cd9fbc4f2ab077
-
SHA256
caae2c684550b70dca257d6b5d8bd8aa5adda314979655eb46f1b453b7b51585
-
SHA512
df157496aff0d938fd7131f3e974bab7b8fd5f30f7973ba1718514e30c3363acc9b330fd051418d121110b5a5eaed73cbff1834f5d270adda9ae1f42fabec07d
-
SSDEEP
49152:yF8yYzJ8dvzIY/pZ/qhFcSyIdag187i6tuMCx0wssluF:08yxdpcOShdag56cMCx02lu
Malware Config
Signatures
-
Detect Neshta payload 64 IoCs
resource  yara_rule
behavioral1/files/0x0008000000016d0c-2.dat  family_neshta
behavioral1/files/0x0008000000016d1f-20.dat  family_neshta
behavioral1/files/0x0001000000010318-19.dat  family_neshta
behavioral1/files/0x0001000000010316-18.dat  family_neshta
behavioral1/files/0x001400000000f842-17.dat  family_neshta
behavioral1/files/0x005b00000001032b-16.dat  family_neshta
behavioral1/memory/1108-31-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/2804-30-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/1224-45-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/340-44-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/1980-100-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/2880-114-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/2228-113-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/1380-99-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/2068-86-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/2704-85-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/1040-72-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/652-71-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/2976-128-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/2588-149-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/2204-148-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/files/0x000100000000f7dd-146.dat  family_neshta
behavioral1/memory/1476-163-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/1944-181-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/1096-180-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/2016-195-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/2288-194-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/1488-212-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/1112-211-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/1128-227-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/1920-240-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/2344-241-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/2024-226-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/916-265-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/2400-264-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/2616-280-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/2636-279-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/1956-164-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/2924-288-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/2628-287-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/2440-296-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/588-295-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/2168-311-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/2652-310-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/2040-322-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/1572-321-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/112-329-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/652-330-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/1616-127-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/2548-338-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/2384-337-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/2408-58-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/608-57-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/2984-345-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/1976-346-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/1932-354-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/1820-353-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/2184-361-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/2976-362-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/1968-370-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/1748-369-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/2256-377-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/2264-378-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/1596-385-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
-
Neshta
Neshta is a file infector: it writes its own code into other executables so that every infected program carries and spreads it, corrupting the host's installed software in the process.
-
Neshta family
-
Executes dropped EXE 64 IoCs
pid  Process
2852  caae2c684550b70dca257d6b5d8bd8aa5adda314979655eb46f1b453b7b51585N.exe
2804  svchost.com
1108  CAAE2C~1.EXE
1224  svchost.com
340  CAAE2C~1.EXE
2408  svchost.com
608  CAAE2C~1.EXE
1040  svchost.com
652  CAAE2C~1.EXE
2068  svchost.com
2704  CAAE2C~1.EXE
1980  svchost.com
1380  CAAE2C~1.EXE
2880  svchost.com
2228  CAAE2C~1.EXE
2976  svchost.com
1616  CAAE2C~1.EXE
2588  svchost.com
2204  CAAE2C~1.EXE
1956  svchost.com
1476  CAAE2C~1.EXE
1944  svchost.com
1096  CAAE2C~1.EXE
2016  svchost.com
2288  CAAE2C~1.EXE
1488  svchost.com
1112  CAAE2C~1.EXE
1128  svchost.com
2024  CAAE2C~1.EXE
2344  svchost.com
1920  CAAE2C~1.EXE
916  svchost.com
2400  CAAE2C~1.EXE
2616  svchost.com
2636  CAAE2C~1.EXE
2924  svchost.com
2628  CAAE2C~1.EXE
2440  svchost.com
588  CAAE2C~1.EXE
2168  svchost.com
2652  CAAE2C~1.EXE
2040  svchost.com
1572  CAAE2C~1.EXE
112  svchost.com
652  CAAE2C~1.EXE
2548  svchost.com
2384  CAAE2C~1.EXE
2984  svchost.com
1976  CAAE2C~1.EXE
1820  svchost.com
1932  CAAE2C~1.EXE
2976  svchost.com
2184  CAAE2C~1.EXE
1968  svchost.com
1748  CAAE2C~1.EXE
2256  svchost.com
2264  CAAE2C~1.EXE
1596  svchost.com
2132  CAAE2C~1.EXE
1532  svchost.com
376  CAAE2C~1.EXE
2348  svchost.com
2212  CAAE2C~1.EXE
1564  svchost.com
-
Loads dropped DLL 64 IoCs
pid  Process
2764  caae2c684550b70dca257d6b5d8bd8aa5adda314979655eb46f1b453b7b51585N.exe
2764  caae2c684550b70dca257d6b5d8bd8aa5adda314979655eb46f1b453b7b51585N.exe
2804  svchost.com
2804  svchost.com
1224  svchost.com
1224  svchost.com
2408  svchost.com
2408  svchost.com
1040  svchost.com
1040  svchost.com
2068  svchost.com
2068  svchost.com
1980  svchost.com
1980  svchost.com
2880  svchost.com
2880  svchost.com
2976  svchost.com
2976  svchost.com
2588  svchost.com
2588  svchost.com
2764  caae2c684550b70dca257d6b5d8bd8aa5adda314979655eb46f1b453b7b51585N.exe
2852  caae2c684550b70dca257d6b5d8bd8aa5adda314979655eb46f1b453b7b51585N.exe
2852  caae2c684550b70dca257d6b5d8bd8aa5adda314979655eb46f1b453b7b51585N.exe
1956  svchost.com
1956  svchost.com
2764  caae2c684550b70dca257d6b5d8bd8aa5adda314979655eb46f1b453b7b51585N.exe
1944  svchost.com
1944  svchost.com
2016  svchost.com
2016  svchost.com
1488  svchost.com
1488  svchost.com
2852  caae2c684550b70dca257d6b5d8bd8aa5adda314979655eb46f1b453b7b51585N.exe
1128  svchost.com
1128  svchost.com
2764  caae2c684550b70dca257d6b5d8bd8aa5adda314979655eb46f1b453b7b51585N.exe
2344  svchost.com
2344  svchost.com
916  svchost.com
916  svchost.com
2764  caae2c684550b70dca257d6b5d8bd8aa5adda314979655eb46f1b453b7b51585N.exe
2616  svchost.com
2616  svchost.com
2924  svchost.com
2924  svchost.com
2440  svchost.com
2440  svchost.com
2168  svchost.com
2168  svchost.com
2040  svchost.com
2040  svchost.com
112  svchost.com
112  svchost.com
2548  svchost.com
2548  svchost.com
2984  svchost.com
2984  svchost.com
1820  svchost.com
1820  svchost.com
2976  svchost.com
2976  svchost.com
1968  svchost.com
1968  svchost.com
2256  svchost.com
-
Modifies system executable filetype association 2 TTPs 1 IoCs
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
Process: caae2c684550b70dca257d6b5d8bd8aa5adda314979655eb46f1b453b7b51585N.exe
The stock value of this key is "%1" %*. With the dropped C:\Windows\svchost.com prepended, the shell runs Neshta's launcher first for every .exe it starts, which is what produces the alternating svchost.com / CAAE2C~1.EXE chain in the process tree below.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive account data.
-
Drops file in Program Files directory 64 IoCs
description: File opened for modification (all 64 entries)
Process: caae2c684550b70dca257d6b5d8bd8aa5adda314979655eb46f1b453b7b51585N.exe (all 64 entries)
ioc:
C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE
C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE
C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE
C:\PROGRA~2\MICROS~1\Office14\OIS.EXE
C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE
C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
C:\PROGRA~2\INTERN~1\ielowutil.exe
C:\PROGRA~2\INTERN~1\iexplore.exe
C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe
C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE
C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE
C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE
C:\PROGRA~2\MICROS~1\Office14\misc.exe
C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE
C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE
C:\PROGRA~2\WI54FB~1\wmpshare.exe
C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE
C:\PROGRA~2\INTERN~1\iexplore.exe
C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE
C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE
C:\PROGRA~2\WINDOW~1\WinMail.exe
C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE
C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE
C:\PROGRA~2\WI54FB~1\WMPDMC.exe
C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE
C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE
C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE
C:\PROGRA~2\WINDOW~1\wab.exe
C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
C:\PROGRA~2\WI54FB~1\wmpshare.exe
C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE
C:\PROGRA~2\INTERN~1\ieinstal.exe
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE
C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE
C:\PROGRA~2\WINDOW~4\ImagingDevices.exe
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe
C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE
C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE
C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE
C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE
C:\PROGRA~2\WI54FB~1\wmlaunch.exe
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
C:\PROGRA~2\WINDOW~1\WinMail.exe
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE
C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE
C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE
C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe
-
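The Program Files entries above are the infection targets: every .exe the sample opened for modification is a host program it wrote itself into. Triage of a machine afterwards needs a way to tell an infected executable from a clean one without running it. The script below is an added example written for this page, not tria.ge code and not taken from the Neshta binary. It assumes the generic prepending-infector layout (infector image first, original program appended as an overlay after the infector's last section), which is an assumption of this example and not something the report states; the tiny PE-shaped files it builds for the demo are constructed here and are not runnable programs. It parses the first PE image, computes where its raw section data ends, and looks for a second valid MZ/PE header past that point, which is also the offset at which the original program can be carved out.

```python
"""Spot a prepended file infection by finding a second PE image in the overlay.

Added example for this report. Layout assumption: infector image, then the
original program appended after the infector's last raw section.
"""
import struct

MZ = b"MZ"
PE_SIG = b"PE\0\0"


def pe_header_offset(data, base=0):
    """Absolute offset of the 'PE\\0\\0' signature for an image at data[base:], else None."""
    if data[base:base + 2] != MZ or len(data) < base + 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", data, base + 0x3C)[0]
    off = base + e_lfanew
    return off if data[off:off + 4] == PE_SIG else None


def image_end(data, base=0):
    """End of the on-disk image: max(PointerToRawData + SizeOfRawData) over sections."""
    pe = pe_header_offset(data, base)
    if pe is None:
        return None
    num_sections = struct.unpack_from("<H", data, pe + 6)[0]
    size_opt = struct.unpack_from("<H", data, pe + 20)[0]
    sect = pe + 24 + size_opt                # section table follows the optional header
    end = sect + 40 * num_sections           # at minimum the headers themselves
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect + 40 * i + 16)
        end = max(end, base + raw_ptr + raw_size)
    return end


def find_appended_pe(data):
    """Offset of a second valid PE image after the first image's raw end, or None."""
    end = image_end(data)
    if end is None:
        return None
    pos = data.find(MZ, end)
    while pos != -1:
        if pe_header_offset(data, pos) is not None:
            return pos
        pos = data.find(MZ, pos + 1)
    return None


def carve_original(data):
    """Return the appended original program (what the infector itself extracts to run)."""
    pos = find_appended_pe(data)
    return None if pos is None else data[pos:]


def scan_file(path):
    """Convenience wrapper for a real file: returns (infected: bool, overlay_offset)."""
    with open(path, "rb") as fh:
        data = fh.read()
    pos = find_appended_pe(data)
    return (pos is not None, pos)


def build_toy_pe(payload, name=b".text"):
    """Construct a minimal, non-runnable PE-shaped blob for the demo (constructed data)."""
    dos = MZ + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    # COFF header: i386, 1 section, no optional header, EXECUTABLE|32BIT
    coff = PE_SIG + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)
    raw_ptr = (len(dos) + len(coff) + 40 + 0x1FF) & ~0x1FF     # 512-byte file alignment
    sect = name.ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(payload), 0x1000, len(payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
    img = dos + coff + sect
    return img + b"\0" * (raw_ptr - len(img)) + payload


if __name__ == "__main__":
    clean = build_toy_pe(b"clean program body")
    infector = build_toy_pe(b"INFECTOR STUB " * 4)
    infected = infector + clean                      # prepender layout
    print("clean   :", find_appended_pe(clean))      # None
    print("infected:", find_appended_pe(infected))   # offset of the original program
    print("carved == original:", carve_original(infected) == clean)
```

On a real host this heuristic is a first pass, not proof: installers with self-extracting overlays also carry embedded PE images, so confirm hits against the infector stub's own hash (the memory dumps above all map the same 0x400000-0x41B000 region) before cleaning, and remember that files the infector only partially rewrote may not parse cleanly at all.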
Drops file in Windows directory 64 IoCs
description: File opened for modification (all 64 entries)
ioc  Process
C:\Windows\directx.sys  svchost.com
C:\Windows\svchost.com  svchost.com
C:\Windows\svchost.com  svchost.com
C:\Windows\directx.sys  CAAE2C~1.EXE
C:\Windows\svchost.com  CAAE2C~1.EXE
C:\Windows\directx.sys  svchost.com
C:\Windows\directx.sys  svchost.com
C:\Windows\directx.sys  svchost.com
C:\Windows\svchost.com  CAAE2C~1.EXE
C:\Windows\directx.sys  svchost.com
C:\Windows\directx.sys  svchost.com
C:\Windows\directx.sys  svchost.com
C:\Windows\svchost.com  svchost.com
C:\Windows\svchost.com  svchost.com
C:\Windows\directx.sys  svchost.com
C:\Windows\svchost.com  svchost.com
C:\Windows\svchost.com  CAAE2C~1.EXE
C:\Windows\svchost.com  CAAE2C~1.EXE
C:\Windows\svchost.com  CAAE2C~1.EXE
C:\Windows\directx.sys  svchost.com
C:\Windows\svchost.com  CAAE2C~1.EXE
C:\Windows\svchost.com  CAAE2C~1.EXE
C:\Windows\directx.sys  CAAE2C~1.EXE
C:\Windows\svchost.com  CAAE2C~1.EXE
C:\Windows\directx.sys  svchost.com
C:\Windows\svchost.com  CAAE2C~1.EXE
C:\Windows\directx.sys  CAAE2C~1.EXE
C:\Windows\directx.sys  svchost.com
C:\Windows\svchost.com  CAAE2C~1.EXE
C:\Windows\directx.sys  svchost.com
C:\Windows\directx.sys  svchost.com
C:\Windows\svchost.com  CAAE2C~1.EXE
C:\Windows\svchost.com  CAAE2C~1.EXE
C:\Windows\svchost.com  CAAE2C~1.EXE
C:\Windows\directx.sys  CAAE2C~1.EXE
C:\Windows\svchost.com  svchost.com
C:\Windows\svchost.com  CAAE2C~1.EXE
C:\Windows\directx.sys  CAAE2C~1.EXE
C:\Windows\directx.sys  svchost.com
C:\Windows\directx.sys  CAAE2C~1.EXE
C:\Windows\svchost.com  CAAE2C~1.EXE
C:\Windows\directx.sys  svchost.com
C:\Windows\directx.sys  CAAE2C~1.EXE
C:\Windows\svchost.com  svchost.com
C:\Windows\directx.sys  CAAE2C~1.EXE
C:\Windows\directx.sys  svchost.com
C:\Windows\directx.sys  svchost.com
C:\Windows\svchost.com  CAAE2C~1.EXE
C:\Windows\svchost.com  CAAE2C~1.EXE
C:\Windows\directx.sys  CAAE2C~1.EXE
C:\Windows\svchost.com  CAAE2C~1.EXE
C:\Windows\svchost.com  svchost.com
C:\Windows\directx.sys  CAAE2C~1.EXE
C:\Windows\directx.sys  svchost.com
C:\Windows\directx.sys  CAAE2C~1.EXE
C:\Windows\svchost.com  svchost.com
C:\Windows\directx.sys  svchost.com
C:\Windows\directx.sys  svchost.com
C:\Windows\svchost.com  svchost.com
C:\Windows\directx.sys  svchost.com
C:\Windows\directx.sys  CAAE2C~1.EXE
C:\Windows\svchost.com  svchost.com
C:\Windows\svchost.com  CAAE2C~1.EXE
C:\Windows\svchost.com  svchost.com
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description: Key opened (all 64 entries)
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (all 64 entries)
Process, in report order:
svchost.com
svchost.com
CAAE2C~1.EXE
svchost.com
svchost.com
svchost.com
CAAE2C~1.EXE
CAAE2C~1.EXE
svchost.com
svchost.com
svchost.com
svchost.com
svchost.com
CAAE2C~1.EXE
svchost.com
CAAE2C~1.EXE
CAAE2C~1.EXE
svchost.com
svchost.com
svchost.com
CAAE2C~1.EXE
CAAE2C~1.EXE
CAAE2C~1.EXE
CAAE2C~1.EXE
CAAE2C~1.EXE
svchost.com
CAAE2C~1.EXE
CAAE2C~1.EXE
svchost.com
CAAE2C~1.EXE
CAAE2C~1.EXE
CAAE2C~1.EXE
svchost.com
CAAE2C~1.EXE
CAAE2C~1.EXE
CAAE2C~1.EXE
CAAE2C~1.EXE
CAAE2C~1.EXE
svchost.com
svchost.com
svchost.com
svchost.com
svchost.com
svchost.com
CAAE2C~1.EXE
svchost.com
CAAE2C~1.EXE
CAAE2C~1.EXE
svchost.com
CAAE2C~1.EXE
CAAE2C~1.EXE
CAAE2C~1.EXE
CAAE2C~1.EXE
CAAE2C~1.EXE
svchost.com
CAAE2C~1.EXE
svchost.com
CAAE2C~1.EXE
CAAE2C~1.EXE
svchost.com
svchost.com
CAAE2C~1.EXE
CAAE2C~1.EXE
CAAE2C~1.EXE
-
Modifies registry class 1 IoCs
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
Process: caae2c684550b70dca257d6b5d8bd8aa5adda314979655eb46f1b453b7b51585N.exe
-
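The exefile\shell\open\command change is the persistence and spreading mechanism in one: once the launcher sits in front of "%1", every .exe started through the shell goes through it. The check below is an added example for this page (not tria.ge code and not a tool from the Neshta family): it takes the command string exactly as it would be read from the registry, splits it the way Windows treats double-quoted arguments, and classifies it against the stock value "%1" %*. The third sample command line is constructed for illustration; the first is the value recorded in this report. It also emits the .reg text that restores the stock value, which is the form a responder would import with reg.exe or regedit.

```python
"""Classify an exefile\\shell\\open\\command value and produce the stock-value fix.

Added example for this report; pure string logic so it runs on any platform.
"""

EXEFILE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command"
STOCK_COMMAND = '"%1" %*'   # Windows default: run the target with its own arguments

# Constructed samples. "report" is the value recorded in this report;
# "launcher" is a made-up path used only to show a second hijack shape.
SAMPLES = {
    "report":   r'C:\Windows\svchost.com "%1" %*',
    "stock":    '"%1" %*',
    "launcher": r'"C:\Program Files\Launcher\run.exe" "%1" %*',
}


def split_command(cmd):
    """Split a shell command string: double quotes group a token, backslashes
    are literal (they are path separators here, not escape characters)."""
    tokens, cur, in_quotes = [], [], False
    for ch in cmd:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def classify_exefile_command(value):
    """('clean', None) for the stock value, ('hijacked', launcher_path) when a
    program has been inserted ahead of "%1", ('unknown', None) otherwise."""
    tokens = split_command(value.strip())
    if tokens == ["%1", "%*"]:
        return ("clean", None)
    if tokens and "%1" in tokens[1:]:
        return ("hijacked", tokens[0])
    return ("unknown", None)


def remediation_reg():
    """A .reg file body that restores the stock value (import before deleting
    the launcher, otherwise the shell can no longer start any .exe)."""
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        f"[{EXEFILE_KEY}]\r\n"
        '@="\\"%1\\" %*"\r\n'
    )


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:9s} -> {classify_exefile_command(value)}")
    print(remediation_reg())
```

Order matters during cleanup: restore the key first, then remove C:\Windows\svchost.com, because with the key still pointing at a deleted launcher the shell cannot start any .exe by association. Note also that this check only covers the HKLM exefile class; the HKCU\Software\Classes\exefile path takes precedence when present, so a live host should be checked in both hives.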
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target
Each edge is recorded four times in the report (one per WriteProcessMemory call); it is listed once per edge here.
PID 2764 wrote to memory of 2852  2764 caae2c684550b70dca257d6b5d8bd8aa5adda314979655eb46f1b453b7b51585N.exe  30  (4 calls)
PID 2852 wrote to memory of 2804  2852 caae2c684550b70dca257d6b5d8bd8aa5adda314979655eb46f1b453b7b51585N.exe  31  (4 calls)
PID 2804 wrote to memory of 1108  2804 svchost.com  32  (4 calls)
PID 1108 wrote to memory of 1224  1108 CAAE2C~1.EXE  33  (4 calls)
PID 1224 wrote to memory of 340  1224 svchost.com  34  (4 calls)
PID 340 wrote to memory of 2408  340 CAAE2C~1.EXE  35  (4 calls)
PID 2408 wrote to memory of 608  2408 svchost.com  122  (4 calls)
PID 608 wrote to memory of 1040  608 CAAE2C~1.EXE  37  (4 calls)
PID 1040 wrote to memory of 652  1040 svchost.com  74  (4 calls)
PID 652 wrote to memory of 2068  652 CAAE2C~1.EXE  39  (4 calls)
PID 2068 wrote to memory of 2704  2068 svchost.com  40  (4 calls)
PID 2704 wrote to memory of 1980  2704 CAAE2C~1.EXE  41  (4 calls)
PID 1980 wrote to memory of 1380  1980 svchost.com  131  (4 calls)
PID 1380 wrote to memory of 2880  1380 CAAE2C~1.EXE  124  (4 calls)
PID 2880 wrote to memory of 2228  2880 svchost.com  44  (4 calls)
PID 2228 wrote to memory of 2976  2228 CAAE2C~1.EXE  81  (4 calls)
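The WriteProcessMemory entries are the parent writing into the child it has just created, so they double as a parent/child record that is easier to rebuild by script than by reading the tree below. The script that follows is an added example for this page, not tria.ge code: its input is the sixteen distinct edges copied from the table above, embedded as a constructed string; the parser accepts the flattened one-line form of the table as well, since it only matches the "PID ... wrote to memory of ..." shape. It rebuilds the chain from the root PID and counts the hops where the dropped svchost.com launcher starts an .exe, which is the signature of the hijacked exefile association firing on every launch.

```python
"""Rebuild the process chain from a tria.ge WriteProcessMemory table.

Added example for this report; the edges are copied from the table above.
"""
import re

# Constructed input: the report's distinct edges, one per line.
WPM_ENTRIES = """
PID 2764 wrote to memory of 2852 2764 caae2c684550b70dca257d6b5d8bd8aa5adda314979655eb46f1b453b7b51585N.exe 30
PID 2852 wrote to memory of 2804 2852 caae2c684550b70dca257d6b5d8bd8aa5adda314979655eb46f1b453b7b51585N.exe 31
PID 2804 wrote to memory of 1108 2804 svchost.com 32
PID 1108 wrote to memory of 1224 1108 CAAE2C~1.EXE 33
PID 1224 wrote to memory of 340 1224 svchost.com 34
PID 340 wrote to memory of 2408 340 CAAE2C~1.EXE 35
PID 2408 wrote to memory of 608 2408 svchost.com 122
PID 608 wrote to memory of 1040 608 CAAE2C~1.EXE 37
PID 1040 wrote to memory of 652 1040 svchost.com 74
PID 652 wrote to memory of 2068 652 CAAE2C~1.EXE 39
PID 2068 wrote to memory of 2704 2068 svchost.com 40
PID 2704 wrote to memory of 1980 2704 CAAE2C~1.EXE 41
PID 1980 wrote to memory of 1380 1980 svchost.com 131
PID 1380 wrote to memory of 2880 1380 CAAE2C~1.EXE 124
PID 2880 wrote to memory of 2228 2880 svchost.com 44
PID 2228 wrote to memory of 2976 2228 CAAE2C~1.EXE 81
"""

# "PID <parent> wrote to memory of <child> <parent> <parent image> <target index>"
EDGE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def parse_edges(text):
    """[(parent_pid, child_pid, parent_image)] in first-seen order; the four
    repeats tria.ge prints per edge collapse to one."""
    seen = {}
    for m in EDGE_RE.finditer(text):
        seen.setdefault((int(m.group(1)), int(m.group(2))), m.group(3))
    return [(p, c, img) for (p, c), img in seen.items()]


def build_chain(edges, root_pid):
    """Follow parent->child edges from root_pid. Returns [(pid, image)]; a leaf
    that never wrote to another process has image None, since this table only
    names the writer."""
    children, image = {}, {}
    for p, c, img in edges:
        children.setdefault(p, []).append(c)
        image[p] = img
    chain, pid = [], root_pid
    while pid is not None:
        chain.append((pid, image.get(pid)))
        kids = children.get(pid, [])
        pid = kids[0] if kids else None   # the report shows a strictly linear chain
    return chain


def launcher_hops(chain, launcher="svchost.com"):
    """Count parent->child hops where the launcher starts an .exe: one per
    program started through the hijacked exefile association."""
    hops = 0
    for (_, parent), (_, child) in zip(chain, chain[1:]):
        if parent == launcher and (child or "").lower().endswith(".exe"):
            hops += 1
    return hops


if __name__ == "__main__":
    chain = build_chain(parse_edges(WPM_ENTRIES), root_pid=2764)
    for depth, (pid, img) in enumerate(chain):
        print(f"{'  ' * depth}{pid} {img or '(leaf; image not in this table)'}")
    print("launcher hops:", launcher_hops(chain))
```

The same parser run over a clean system's sandbox output yields zero launcher hops; any nonzero count on a host whose exefile association has been tampered with is worth an alert, independent of the family name.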
Processes
-
C:\Users\Admin\AppData\Local\Temp\caae2c684550b70dca257d6b5d8bd8aa5adda314979655eb46f1b453b7b51585N.exe"C:\Users\Admin\AppData\Local\Temp\caae2c684550b70dca257d6b5d8bd8aa5adda314979655eb46f1b453b7b51585N.exe"1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Users\Admin\AppData\Local\Temp\3582-490\caae2c684550b70dca257d6b5d8bd8aa5adda314979655eb46f1b453b7b51585N.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\caae2c684550b70dca257d6b5d8bd8aa5adda314979655eb46f1b453b7b51585N.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1108 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1224 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:340 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:608 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1040 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:652 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1380 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2976 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE18⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2588 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE20⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2204 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1956 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1476 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1944 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE24⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2016 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE26⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2288 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1488 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE28⤵
- Executes dropped EXE
PID:1112 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1128 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE30⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2344 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE32⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:916 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE34⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"35⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2616 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE36⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"37⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2924 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE38⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2628 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"39⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2440 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE40⤵
- Executes dropped EXE
PID:588 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"41⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2168 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE42⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"43⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2040 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1572 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"45⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:112 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:652 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"47⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2548 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE48⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"49⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2984 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE50⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"51⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1820 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1932 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"53⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2976 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE54⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"55⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1968 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE56⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"57⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2256 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE58⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"59⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1596 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE60⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"61⤵
- Executes dropped EXE
PID:1532 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE62⤵
- Executes dropped EXE
PID:376 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"63⤵
- Executes dropped EXE
PID:2348 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE64⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"65⤵
- Executes dropped EXE
PID:1564 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE66⤵
PID:2036 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"67⤵
- Drops file in Windows directory
PID:1504 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE68⤵
PID:892 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"69⤵
PID:872 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE70⤵
PID:1940 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"71⤵
PID:1496 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE72⤵
PID:2392 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"73⤵
PID:2092 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE74⤵
PID:1892 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"75⤵
- System Location Discovery: System Language Discovery
PID:1612 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE76⤵
PID:2552 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"77⤵
PID:2208 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE78⤵
PID:2712 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"79⤵
PID:2556 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE80⤵
PID:1544 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"81⤵
PID:1668 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE82⤵
PID:2724 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"83⤵
PID:2632 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE84⤵
PID:2720 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"85⤵
- System Location Discovery: System Language Discovery
PID:1988 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE86⤵
- Drops file in Windows directory
PID:2612 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"87⤵
PID:2640 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE88⤵
PID:536 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"89⤵
PID:596 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE90⤵
PID:896 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"91⤵
PID:1736 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE92⤵
- System Location Discovery: System Language Discovery
PID:2292 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"93⤵
PID:2652 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE94⤵
PID:608 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"95⤵
PID:2040 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE96⤵
PID:2880 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"97⤵
PID:2148 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE98⤵
PID:2952 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"99⤵
PID:1640 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE100⤵
PID:1884 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"101⤵
- System Location Discovery: System Language Discovery
PID:1584 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE102⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1524 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"103⤵
PID:1380 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE104⤵
PID:3028 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"105⤵
PID:2460 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE106⤵
PID:2224 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"107⤵
PID:1624 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE108⤵
PID:2268 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"109⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2796 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE110⤵
PID:1688 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"111⤵
PID:1956 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE112⤵
PID:1424 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"113⤵
PID:1444 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE114⤵
PID:1660 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"115⤵
PID:296 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE116⤵
- System Location Discovery: System Language Discovery
PID:1340 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"117⤵
PID:880 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE118⤵
PID:1564 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"119⤵
- Drops file in Windows directory
PID:1712 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE120⤵
PID:892 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE"121⤵
PID:876 -
C:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\CAAE2C~1.EXE122⤵
PID:1588