Analysis
max time kernel: 32s
max time network: 17s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
submitted: 07-12-2024 22:15
Behavioral task: behavioral1
Sample: a04e4f8ae82d3eb96f80609fbc8c39abb369662d55d9de1b0136ac84420b4478N.exe
Resource: win7-20240708-en
Behavioral task: behavioral2
Sample: a04e4f8ae82d3eb96f80609fbc8c39abb369662d55d9de1b0136ac84420b4478N.exe
Resource: win10v2004-20241007-en
General
Target: a04e4f8ae82d3eb96f80609fbc8c39abb369662d55d9de1b0136ac84420b4478N.exe
Size: 690KB
MD5: 3d872168b893d37c180a68acfabaad80
SHA1: 1fbb3603a183fe74f7be28e32a40b9a8e33a04bc
SHA256: a04e4f8ae82d3eb96f80609fbc8c39abb369662d55d9de1b0136ac84420b4478
SHA512: bd09b153f243edabbb67b0f83cc67b3d2f520d26abbf22dff45648d0459f940cecb3e466e7bb0b157d717bd9c305496bb4ddba823f7d468f4bbe14a8266a554b
SSDEEP: 6144:k9raNZphkNF94GbhkNF94GEelGtD0j4Agj1Rv18i8WTm2vrgyU9N9:nHphkL/bhkL/vGtD9jHvqqU
Malware Config
Signatures
Detect Neshta payload 64 IoCs
Neshta
Malware from the Neshta family injects its own code into other executable files in order to spread and cause damage.
Neshta family
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Modifies system executable filetype association 2 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
Process: a04e4f8ae82d3eb96f80609fbc8c39abb369662d55d9de1b0136ac84420b4478N.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 1 IoCs
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
Process: a04e4f8ae82d3eb96f80609fbc8c39abb369662d55d9de1b0136ac84420b4478N.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a04e4f8ae82d3eb96f80609fbc8c39abb369662d55d9de1b0136ac84420b4478N.exe"C:\Users\Admin\AppData\Local\Temp\a04e4f8ae82d3eb96f80609fbc8c39abb369662d55d9de1b0136ac84420b4478N.exe"1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Users\Admin\AppData\Local\Temp\3582-490\a04e4f8ae82d3eb96f80609fbc8c39abb369662d55d9de1b0136ac84420b4478N.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\a04e4f8ae82d3eb96f80609fbc8c39abb369662d55d9de1b0136ac84420b4478N.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE10⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2504 -
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE18⤵
- Executes dropped EXE
PID:1196 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3028 -
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE20⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2640 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1012 -
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE22⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:824 -
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE24⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1692 -
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE26⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1208 -
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE28⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1668 -
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2456 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1876 -
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE32⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2336 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"33⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2168 -
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE34⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"35⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1616 -
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE36⤵
- Executes dropped EXE
PID:328 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"37⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2708 -
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE38⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"39⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2808 -
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE40⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"41⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2672 -
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE42⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1564 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"43⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2028 -
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE44⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"45⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1352 -
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE46⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"47⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2952 -
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE48⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"49⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1984 -
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE50⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"51⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3012 -
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE52⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"53⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1508 -
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE54⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"55⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2004 -
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE56⤵
- Executes dropped EXE
PID:676 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"57⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3064 -
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE58⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"59⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1716 -
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE60⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:956 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"61⤵
- Executes dropped EXE
PID:600 -
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE62⤵
- Executes dropped EXE
PID:1456 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"63⤵
- Executes dropped EXE
PID:2260 -
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE64⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"65⤵
- Executes dropped EXE
PID:1824 -
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE66⤵
- System Location Discovery: System Language Discovery
PID:1680 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"67⤵
- Drops file in Windows directory
PID:2064 -
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE68⤵PID:1468
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"69⤵PID:2184
-
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE70⤵PID:1668
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"71⤵PID:1604
-
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE72⤵PID:1560
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"73⤵PID:2336
-
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE74⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2516 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"75⤵PID:1976
-
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE76⤵PID:2108
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"77⤵PID:2544
-
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE78⤵PID:2292
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"79⤵PID:2704
-
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE80⤵PID:2484
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"81⤵PID:2724
-
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE82⤵PID:2756
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"83⤵PID:2816
-
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE84⤵
- Drops file in Windows directory
PID:2652 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"85⤵PID:2808
-
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE86⤵PID:2720
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"87⤵
- System Location Discovery: System Language Discovery
PID:1564 -
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE88⤵PID:1940
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"89⤵
- System Location Discovery: System Language Discovery
PID:2828 -
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE90⤵PID:1968
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"91⤵PID:2988
-
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE92⤵PID:1188
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"93⤵PID:2688
-
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE94⤵
- System Location Discovery: System Language Discovery
PID:1928 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"95⤵PID:1540
-
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE96⤵
- Drops file in Windows directory
PID:3036 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"97⤵PID:3024
-
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE98⤵PID:2008
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"99⤵PID:1356
-
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE100⤵PID:1260
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"101⤵
- Drops file in Windows directory
PID:3004 -
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE102⤵PID:2696
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"103⤵PID:2540
-
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE104⤵
- System Location Discovery: System Language Discovery
PID:3064 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"105⤵PID:940
-
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE106⤵PID:1280
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"107⤵PID:2464
-
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE108⤵
- System Location Discovery: System Language Discovery
PID:600 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"109⤵
- System Location Discovery: System Language Discovery
PID:832 -
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE110⤵
- Drops file in Windows directory
PID:1684 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"111⤵PID:2056
-
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE112⤵PID:1680
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"113⤵PID:1140
-
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE114⤵
- Drops file in Windows directory
PID:1468 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"115⤵PID:2032
-
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE116⤵PID:2480
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"117⤵PID:1860
-
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE118⤵PID:1612
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"119⤵PID:1852
-
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE120⤵
- System Location Discovery: System Language Discovery
PID:2408 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"121⤵PID:264
-
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE122⤵PID:1616