Analysis
max time kernel: 41s
max time network: 93s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-12-2024 22:15
Behavioral task behavioral1
Sample: a04e4f8ae82d3eb96f80609fbc8c39abb369662d55d9de1b0136ac84420b4478N.exe
Resource: win7-20240708-en
Behavioral task behavioral2
Sample: a04e4f8ae82d3eb96f80609fbc8c39abb369662d55d9de1b0136ac84420b4478N.exe
Resource: win10v2004-20241007-en
General
Target: a04e4f8ae82d3eb96f80609fbc8c39abb369662d55d9de1b0136ac84420b4478N.exe
Size: 690KB
MD5: 3d872168b893d37c180a68acfabaad80
SHA1: 1fbb3603a183fe74f7be28e32a40b9a8e33a04bc
SHA256: a04e4f8ae82d3eb96f80609fbc8c39abb369662d55d9de1b0136ac84420b4478
SHA512: bd09b153f243edabbb67b0f83cc67b3d2f520d26abbf22dff45648d0459f940cecb3e466e7bb0b157d717bd9c305496bb4ddba823f7d468f4bbe14a8266a554b
SSDEEP: 6144:k9raNZphkNF94GbhkNF94GEelGtD0j4Agj1Rv18i8WTm2vrgyU9N9:nHphkL/bhkL/vGtD9jHvqqU
Malware Config
Signatures
All IoC resources listed below were recorded in behavioral2, the win10v2004-20241007-en run.
Detect Neshta payload (64 IoCs)
yara_rule family_neshta matched on the following resources. Every memory hit is the same 0x0000000000400000-0x000000000041B000 image region; the first number of a memory.dmp name is the PID, and each one corresponds to a svchost.com or A04E4F~1.EXE entry in the "Executes dropped EXE" list below.
behavioral2/files/0x000a000000023b9b-4.dat
behavioral2/files/0x000a000000023b9c-10.dat
behavioral2/memory/3192-16-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/4684-26-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/2944-28-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/2176-32-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/1460-40-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/464-44-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/2456-52-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/3400-62-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/4668-64-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/3516-68-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/5032-77-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/files/0x0007000000020297-82.dat
behavioral2/memory/1632-104-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/files/0x00010000000202ad-101.dat
behavioral2/files/0x00010000000202a8-107.dat
behavioral2/files/0x000100000002023e-100.dat
behavioral2/files/0x000400000002034e-99.dat
behavioral2/memory/2044-110-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/files/0x000600000002022b-97.dat
behavioral2/files/0x000400000002035c-78.dat
behavioral2/memory/1352-121-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/3500-122-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/4796-126-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/696-134-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/640-144-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/files/0x0002000000020326-149.dat
behavioral2/files/0x00010000000214ed-159.dat
behavioral2/files/0x00010000000214ec-161.dat
behavioral2/files/0x0001000000022f3f-165.dat
behavioral2/files/0x0001000000022f7e-172.dat
behavioral2/files/0x00010000000214eb-157.dat
behavioral2/files/0x0001000000016800-177.dat
behavioral2/files/0x0001000000016803-183.dat
behavioral2/files/0x00010000000167e7-189.dat
behavioral2/files/0x000100000001dbf2-193.dat
behavioral2/files/0x0001000000022e79-209.dat
behavioral2/files/0x0001000000016915-208.dat
behavioral2/files/0x000300000001e8ac-216.dat
behavioral2/files/0x000400000001e6de-221.dat
behavioral2/files/0x000b00000001ee19-227.dat
behavioral2/memory/3596-236-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/files/0x000200000002277a-235.dat
behavioral2/memory/1532-243-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/1160-247-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/368-254-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/4900-255-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/4264-257-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/5076-263-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/1688-270-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/112-271-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/2896-273-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/1272-279-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/3120-286-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/1280-287-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/2124-294-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/5040-295-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/4468-297-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/2696-303-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/2024-305-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/3616-311-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/4380-318-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/3080-319-0x0000000000400000-0x000000000041B000-memory.dmp
Neshta
Neshta is a file infector: it writes its own code into other Windows executables so that each infected program launches the virus, and spreads it further, before the original program code runs. In this run the infection is visible as "File opened for modification" events on installed EXEs under Program Files, in the dropped C:\Windows\svchost.com launcher, and in the exefile association hijack recorded below.
Neshta family
Checks computer location settings (2 TTPs, 64 IoCs)
Reads the country code configured for the user (Control Panel\International\Geo\Nation), a common geofencing check.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation
Process: A04E4F~1.EXE
All 64 entries are this same query by A04E4F~1.EXE.
Executes dropped EXE (64 IoCs)
pid Process
4164 a04e4f8ae82d3eb96f80609fbc8c39abb369662d55d9de1b0136ac84420b4478N.exe
3192 svchost.com
4684 A04E4F~1.EXE
2944 svchost.com
2176 A04E4F~1.EXE
1460 svchost.com
464 A04E4F~1.EXE
2456 svchost.com
3400 A04E4F~1.EXE
4668 svchost.com
3516 A04E4F~1.EXE
5032 svchost.com
1632 A04E4F~1.EXE
2044 svchost.com
1352 A04E4F~1.EXE
3500 svchost.com
4796 A04E4F~1.EXE
696 svchost.com
640 A04E4F~1.EXE
3596 svchost.com
1532 A04E4F~1.EXE
1160 svchost.com
368 A04E4F~1.EXE
4900 svchost.com
4264 A04E4F~1.EXE
5076 svchost.com
1688 A04E4F~1.EXE
112 svchost.com
2896 A04E4F~1.EXE
1272 svchost.com
3120 A04E4F~1.EXE
1280 svchost.com
2124 A04E4F~1.EXE
5040 svchost.com
4468 A04E4F~1.EXE
2696 svchost.com
2024 A04E4F~1.EXE
3616 svchost.com
4380 A04E4F~1.EXE
3080 svchost.com
224 A04E4F~1.EXE
2596 svchost.com
3724 A04E4F~1.EXE
932 svchost.com
2012 A04E4F~1.EXE
3720 svchost.com
4952 A04E4F~1.EXE
1372 svchost.com
2632 A04E4F~1.EXE
5084 svchost.com
5064 A04E4F~1.EXE
3600 svchost.com
1500 A04E4F~1.EXE
3656 svchost.com
3596 A04E4F~1.EXE
4812 svchost.com
552 A04E4F~1.EXE
2376 svchost.com
4784 A04E4F~1.EXE
1516 svchost.com
2096 A04E4F~1.EXE
1876 svchost.com
4324 A04E4F~1.EXE
112 svchost.com
After the original sample, the list strictly alternates svchost.com then A04E4F~1.EXE (32 launcher starts, 31 starts of the sample's 8.3-named copy), consistent with the exefile association below routing every start of the copy through the dropped C:\Windows\svchost.com first. PIDs 112 and 3596 each appear twice under different image names, so correlate these events by order and image name rather than by PID.
Modifies system executable filetype association (2 TTPs, 1 IoC)
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
Process: a04e4f8ae82d3eb96f80609fbc8c39abb369662d55d9de1b0136ac84420b4478N.exe
The stock value of this key is "%1" %*. Pointing it at C:\Windows\svchost.com makes every .exe opened through the shell run the dropped launcher first, with the real program passed as "%1"; programs started directly with CreateProcess bypass it. This single value is both the persistence mechanism and the reason the process list above alternates svchost.com and A04E4F~1.EXE.
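Added example (Python, not part of the sandbox report and not vendor tooling): a check that classifies an exefile\shell\open\command value and extracts whatever has been interposed in front of "%1". The escaped value is the one shown in the IoC above; the tokenizer, the function names, and the reg.exe remediation string are this example's own, and REPORTED_LAUNCHER is the path recorded in this run, not a general family signature.

```python
import re

# Value Windows ships for HKLM\SOFTWARE\Classes\exefile\shell\open\command:
# run the selected program itself and pass its arguments through.
DEFAULT_EXEFILE_COMMAND = '"%1" %*'

# Launcher path recorded in this sandbox run (from the IoC above).
REPORTED_LAUNCHER = r"C:\Windows\svchost.com"


def unescape_report_value(raw: str) -> str:
    """Undo the escaping the sandbox applies when printing a REG_SZ value
    (each backslash and double quote is prefixed with a backslash).
    Use only on the escaped report text; a value read from the live registry
    is already unescaped and must not be passed through this."""
    return re.sub(r"\\(.)", r"\1", raw)


def split_windows_command(command: str) -> list:
    """Tokenize a shell\\open\\command string: double quotes group a token,
    unquoted whitespace separates tokens. Enough for association commands;
    not a full CommandLineToArgvW."""
    tokens, current, in_quotes = [], [], False
    for ch in command:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens


def analyze_exefile_command(value: str) -> dict:
    """Classify an exefile\\shell\\open\\command value.

    hijacked       - True unless the value is the stock '"%1" %*'
    launcher       - program that now runs before the real target, or None
    matches_report - True when the launcher is the path from this report
    """
    tokens = split_windows_command(value)
    if tokens == split_windows_command(DEFAULT_EXEFILE_COMMAND):
        return {"hijacked": False, "launcher": None, "matches_report": False}
    # Anything in front of "%1" executes first and receives the real EXE
    # as an argument; that program is the interposed launcher.
    position = tokens.index("%1") if "%1" in tokens else len(tokens)
    launcher = tokens[0] if position > 0 else None
    return {
        "hijacked": True,
        "launcher": launcher,
        "matches_report": launcher is not None
        and launcher.lower() == REPORTED_LAUNCHER.lower(),
    }


def remediation_command() -> str:
    """reg.exe invocation that restores the stock association. Resetting the
    value alone does not disinfect: the dropped launcher and the infected
    EXEs are still on disk, so this is the last step, not the first."""
    return (r'reg add "HKLM\SOFTWARE\Classes\exefile\shell\open\command" '
            r'/ve /t REG_SZ /d "\"%1\" %*" /f')


if __name__ == "__main__":
    # Value exactly as this report prints it (escaped).
    raw = r'C:\\Windows\\svchost.com \"%1\" %*'
    result = analyze_exefile_command(unescape_report_value(raw))
    print(result)
    if result["hijacked"]:
        print(remediation_command())
```

Any non-default value here deserves a look, not just this launcher: the check reports the interposed program so the analyst can decide, rather than matching one path.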
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials. No IoC rows were recorded for this signature in this run.
Drops file in Program Files directory (64 IoCs)
All 64 events are "File opened for modification" by the original sample, a04e4f8ae82d3eb96f80609fbc8c39abb369662d55d9de1b0136ac84420b4478N.exe. The targets are installed executables (Edge, Acrobat Reader, Java, Firefox, Windows Media Player, Google Update, VC redistributable and Click-to-Run installers) written in place: this is the infection step. Paths are shown as 8.3 short names; resolve them on the host with dir /x. Several paths occur more than once (e.g. jaureg.exe, FULLTR~1.EXE, GOOGLE~3.EXE); these are separate events.
C:\PROGRA~2\INTERN~1\ieinstal.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE
C:\PROGRA~2\WINDOW~4\setup_wm.exe
C:\PROGRA~2\WINDOW~4\wmlaunch.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE
C:\PROGRA~2\WI8A19~1\ImagingDevices.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
C:\PROGRA~2\WINDOW~2\wab.exe
C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe
C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE
C:\PROGRA~2\INTERN~1\ielowutil.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE
C:\PROGRA~2\WINDOW~4\wmpconfig.exe
C:\PROGRA~2\WINDOW~4\wmpshare.exe
C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe
C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE
C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe
C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
C:\PROGRA~2\INTERN~1\ExtExport.exe
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE
C:\PROGRA~2\Google\Update\DISABL~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE
C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE
C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE
C:\PROGRA~2\WINDOW~4\wmpconfig.exe
C:\PROGRA~2\INTERN~1\ieinstal.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
Drops file in Windows directory (64 IoCs)
Only two paths are touched, by both the launcher and the re-launched sample copy. Counts of "File opened for modification" events:
C:\Windows\svchost.com by svchost.com: 21
C:\Windows\svchost.com by A04E4F~1.EXE: 11
C:\Windows\directx.sys by A04E4F~1.EXE: 17
C:\Windows\directx.sys by svchost.com: 15
(21 + 11 + 17 + 15 = 64)
C:\Windows\svchost.com is the launcher that the exefile association change points at; C:\Windows\directx.sys is the second dropped file. Despite its extension, nothing in this run shows directx.sys being loaded as a driver: it is written by the user-mode processes above. Both paths, together with the association value, are the host-level indicators to sweep for.
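Added example (Python, not the sandbox's own code) that turns the flattened "Executes dropped EXE" and "Drops file in Windows directory" text of this report into records and checks the two things the report makes visible: that every A04E4F~1.EXE start is immediately preceded by a svchost.com start, and that PIDs are reused within the run. EXEC_TEXT and DROP_TEXT are constructed excerpts of the rows above with entries omitted; the regular expressions and function names are this example's own.

```python
import re
from collections import Counter

# Constructed excerpt, in report order, of the "Executes dropped EXE"
# pid/Process list (entries between the ones shown are omitted; the two
# pid-3596 entries are kept on purpose).
EXEC_TEXT = (
    "4164 a04e4f8ae82d3eb96f80609fbc8c39abb369662d55d9de1b0136ac84420b4478N.exe "
    "3192 svchost.com 4684 A04E4F~1.EXE 2944 svchost.com 2176 A04E4F~1.EXE "
    "1460 svchost.com 464 A04E4F~1.EXE 3596 svchost.com 1532 A04E4F~1.EXE "
    "3656 svchost.com 3596 A04E4F~1.EXE 4812 svchost.com"
)

# Constructed excerpt of the "Drops file in Windows directory" rows.
DROP_TEXT = (
    "File opened for modification C:\\Windows\\svchost.com svchost.com "
    "File opened for modification C:\\Windows\\directx.sys A04E4F~1.EXE "
    "File opened for modification C:\\Windows\\svchost.com svchost.com "
    "File opened for modification C:\\Windows\\directx.sys svchost.com "
    "File opened for modification C:\\Windows\\svchost.com A04E4F~1.EXE "
    "File opened for modification C:\\Windows\\directx.sys A04E4F~1.EXE"
)

SAMPLE = "a04e4f8ae82d3eb96f80609fbc8c39abb369662d55d9de1b0136ac84420b4478N.exe"
LAUNCHER = "svchost.com"        # the dropped C:\Windows\svchost.com
INFECTED_COPY = "A04E4F~1.EXE"  # 8.3 name of the sample, re-launched through it

PID_PROC = re.compile(r"(\d+)\s+(\S+)")
DROP_ROW = re.compile(r"File opened for modification\s+(\S+)\s+(\S+)")


def parse_exec_rows(text):
    """(pid, image name) pairs in the order the sandbox recorded them."""
    return [(int(pid), name) for pid, name in PID_PROC.findall(text)]


def parse_drop_rows(text):
    """(path, process) pairs from the flattened file-drop list."""
    return DROP_ROW.findall(text)


def launch_chain_violations(rows):
    """With the exefile association pointing at svchost.com, each start of
    the copy should appear as svchost.com immediately followed by the copy.
    Return the INFECTED_COPY entries that break that pattern; an empty list
    means the hijack fired on every launch in the excerpt."""
    violations = []
    for i, (pid, name) in enumerate(rows):
        if name == INFECTED_COPY and (i == 0 or rows[i - 1][1] != LAUNCHER):
            violations.append((pid, name))
    return violations


def reused_pids(rows):
    """PIDs seen under more than one image name. Windows recycles PIDs fast
    in a run like this, so correlate by order and image name, not by PID."""
    names_by_pid = {}
    for pid, name in rows:
        names_by_pid.setdefault(pid, set()).add(name)
    return {pid for pid, names in names_by_pid.items() if len(names) > 1}


def drop_summary(rows):
    """Counter of (path, process): shows that both the launcher and the
    re-launched copy keep rewriting the same two files."""
    return Counter(rows)


if __name__ == "__main__":
    execs = parse_exec_rows(EXEC_TEXT)
    print("launch-chain violations:", launch_chain_violations(execs))
    print("reused pids:", sorted(reused_pids(execs)))
    for (path, proc), n in sorted(drop_summary(parse_drop_rows(DROP_TEXT)).items()):
        print(f"{n:3d}  {proc:14s} {path}")
```

The same two parsers work on the full lists above once pasted in; the violation check is the quick way to confirm, from the execution order alone, that the association hijack rather than some other mechanism is what re-launches the copy.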
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process  (64 entries, grouped by process)
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  A04E4F~1.EXE  (36 entries)
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.com  (27 entries)
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  a04e4f8ae82d3eb96f80609fbc8c39abb369662d55d9de1b0136ac84420b4478N.exe  (1 entry)
-
Modifies registry class 64 IoCs
description  ioc  Process
Key created  \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings  A04E4F~1.EXE  (all 64 entries are identical)
-
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target  (each spawn is recorded three times; counts given per row)
PID 3944 wrote to memory of 4164  3944  a04e4f8ae82d3eb96f80609fbc8c39abb369662d55d9de1b0136ac84420b4478N.exe  83  (x3)
PID 4164 wrote to memory of 3192  4164  a04e4f8ae82d3eb96f80609fbc8c39abb369662d55d9de1b0136ac84420b4478N.exe  84  (x3)
PID 3192 wrote to memory of 4684  3192  svchost.com  85  (x3)
PID 4684 wrote to memory of 2944  4684  A04E4F~1.EXE  86  (x3)
PID 2944 wrote to memory of 2176  2944  svchost.com  87  (x3)
PID 2176 wrote to memory of 1460  2176  A04E4F~1.EXE  88  (x3)
PID 1460 wrote to memory of 464  1460  svchost.com  89  (x3)
PID 464 wrote to memory of 2456  464  A04E4F~1.EXE  90  (x3)
PID 2456 wrote to memory of 3400  2456  svchost.com  91  (x3)
PID 3400 wrote to memory of 4668  3400  A04E4F~1.EXE  92  (x3)
PID 4668 wrote to memory of 3516  4668  svchost.com  93  (x3)
PID 3516 wrote to memory of 5032  3516  A04E4F~1.EXE  94  (x3)
PID 5032 wrote to memory of 1632  5032  svchost.com  95  (x3)
PID 1632 wrote to memory of 2044  1632  A04E4F~1.EXE  96  (x3)
PID 2044 wrote to memory of 1352  2044  svchost.com  97  (x3)
PID 1352 wrote to memory of 3500  1352  A04E4F~1.EXE  98  (x3)
PID 3500 wrote to memory of 4796  3500  svchost.com  99  (x3)
PID 4796 wrote to memory of 696  4796  A04E4F~1.EXE  100  (x3)
PID 696 wrote to memory of 640  696  svchost.com  101  (x3)
PID 640 wrote to memory of 3596  640  A04E4F~1.EXE  137  (x3)
PID 3596 wrote to memory of 1532  3596  svchost.com  103  (x3)
PID 1532 wrote to memory of 1160  1532  A04E4F~1.EXE  225  (x1; the list stops at the 64th entry)
Every row's source is the previous row's target, so the table is a strict relay rather than a fan-out. procid_target is the sandbox's own process index; it runs 83 to 103 in step with depth except for the 640 -> 3596 edge (137) and the 1532 -> 1160 edge (225). PID 3596 is one of several PIDs that occur twice in the process tree, so match edges on the index or on depth, not on PID alone.
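The flattened rows above are easy to mis-read by eye, and the same relay shape (host EXE, then svchost.com, then the re-dropped host, repeating) is what an analyst wants to confirm programmatically from any sandbox export. The following Python is an added example, not part of this report or of the sandbox's tooling: it parses rows in the report's flattened format back into edges, collapses the three-fold repetition, walks the relay, flags svchost.com (the genuine service host is svchost.exe under System32; svchost.com is not a Windows binary), and lists PIDs that the process tree reuses. ROWS_BLOB is constructed here from the table's first five edges; TREE_PIDS is the PID column of the report's process tree, depths 1 to 111; the function names are this example's own.

```python
"""Rebuild the process relay from flattened 'wrote to memory' rows and
check it for the svchost.com relay pattern seen in this report.

Added example for this report; not sandbox output or Triage code.
ROWS_BLOB is constructed from the first five edges of the report's
WriteProcessMemory table, flattened the way the report prints them
(every spawn three times). TREE_PIDS is the PID column of the report's
process tree, depth 1 first.
"""
import re

SAMPLE = "a04e4f8ae82d3eb96f80609fbc8c39abb369662d55d9de1b0136ac84420b4478N.exe"

# (source PID, target PID, source image, sandbox procid_target), from the report.
_EDGES = [
    (3944, 4164, SAMPLE, 83),
    (4164, 3192, SAMPLE, 84),
    (3192, 4684, "svchost.com", 85),
    (4684, 2944, "A04E4F~1.EXE", 86),
    (2944, 2176, "svchost.com", 87),
]

# Constructed excerpt of the flattened table text, one row per spawn, three times.
ROWS_BLOB = " ".join(
    f"PID {s} wrote to memory of {d} {s} {img} {idx}"
    for s, d, img, idx in _EDGES
    for _ in range(3)
)

# PID column of the report's process tree, depths 1..111 (copied, not invented).
TREE_PIDS = [
    3944, 4164, 3192, 4684, 2944, 2176, 1460, 464, 2456, 3400, 4668, 3516,
    5032, 1632, 2044, 1352, 3500, 4796, 696, 640, 3596, 1532, 1160, 368,
    4900, 4264, 5076, 1688, 112, 2896, 1272, 3120, 1280, 2124, 5040, 4468,
    2696, 2024, 3616, 4380, 3080, 224, 2596, 3724, 932, 2012, 3720, 4952,
    1372, 2632, 5084, 5064, 3600, 1500, 3656, 3596, 4812, 552, 2376, 4784,
    1516, 2096, 1876, 4324, 112, 1644, 1272, 4140, 1280, 3636, 4960, 3888,
    1316, 4428, 1216, 2412, 1492, 5088, 4516, 3848, 624, 3012, 748, 2092,
    2012, 3564, 2184, 1372, 2632, 4940, 4472, 3492, 3916, 1896, 3508, 4124,
    2236, 1948, 3920, 5112, 2860, 3360, 872, 2316, 2896, 1820, 2060, 1096,
    936, 4608, 5040,
]

# The source PID is printed twice per row; the backreference enforces that.
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def parse_rows(blob):
    """Split the flattened text back into (src, dst, src_image, procid_target)."""
    return [(int(s), int(d), img, int(idx)) for s, d, img, idx in ROW_RE.findall(blob)]


def unique_edges(rows):
    """Collapse repeated rows into an ordered {(src, dst, image): occurrences} dict."""
    counts = {}
    for src, dst, img, _ in rows:
        counts[(src, dst, img)] = counts.get((src, dst, img), 0) + 1
    return counts


def relay_chain(edges):
    """Walk the edges in report order; each target must be the next source.
    Returns [(pid, image), ...] for every source, or raises if the relay breaks."""
    chain, expected = [], None
    for src, dst, img in edges:
        if expected is not None and src != expected:
            raise ValueError(f"relay breaks at {expected} -> {src}")
        chain.append((src, img))
        expected = dst
    return chain


def suspicious_images(chain):
    """Image names that impersonate the service host: svchost.com is never legitimate."""
    return sorted({img for _, img in chain if img.lower() == "svchost.com"})


def alternates_from_depth3(chain):
    """True if, from the third node on, svchost.com and the host EXE strictly alternate."""
    flags = [img.lower() == "svchost.com" for _, img in chain[2:]]
    return len(flags) >= 2 and all(a != b for a, b in zip(flags, flags[1:]))


def reuse_depths(pids):
    """Map each PID that occurs more than once to the 1-based depths it occupies."""
    seen = {}
    for depth, pid in enumerate(pids, 1):
        seen.setdefault(pid, []).append(depth)
    return {pid: depths for pid, depths in seen.items() if len(depths) > 1}


if __name__ == "__main__":
    chain = relay_chain(list(unique_edges(parse_rows(ROWS_BLOB))))
    print("relay:", " -> ".join(f"{pid}:{img}" for pid, img in chain))
    print("impersonating images:", suspicious_images(chain))
    print("alternating from depth 3:", alternates_from_depth3(chain))
    print("reused PIDs:", reuse_depths(TREE_PIDS))
```

relay_chain deliberately refuses a broken relay instead of skipping to the next matching PID: in a tree where PIDs are recycled (reuse_depths finds nine of them in this report), silently re-keying on PID would splice two unrelated processes together.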
Processes
-
The tree is one chain, 112 levels deep, each process spawning exactly one child. One row per level: depth, PID, image, signatures. The images and command lines are:
- depth 1: C:\Users\Admin\AppData\Local\Temp\a04e4f8ae82d3eb96f80609fbc8c39abb369662d55d9de1b0136ac84420b4478N.exe, launched as "C:\Users\Admin\AppData\Local\Temp\a04e4f8ae82d3eb96f80609fbc8c39abb369662d55d9de1b0136ac84420b4478N.exe" (shown below as "sample")
- depth 2: C:\Users\Admin\AppData\Local\Temp\3582-490\a04e4f8ae82d3eb96f80609fbc8c39abb369662d55d9de1b0136ac84420b4478N.exe, launched as "C:\Users\Admin\AppData\Local\Temp\3582-490\a04e4f8ae82d3eb96f80609fbc8c39abb369662d55d9de1b0136ac84420b4478N.exe" (shown below as "sample (3582-490 copy)")
- odd depths from 3 on: C:\Windows\svchost.com, launched as "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"
- even depths from 4 on: C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE, launched as C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE
depth  PID  image  signatures
1  3944  sample  Modifies system executable filetype association; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
2  4164  sample (3582-490 copy)  Executes dropped EXE; Drops file in Program Files directory; Suspicious use of WriteProcessMemory
3  3192  svchost.com  Executes dropped EXE; Suspicious use of WriteProcessMemory
4  4684  A04E4F~1.EXE  Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
5  2944  svchost.com  Executes dropped EXE; Suspicious use of WriteProcessMemory
6  2176  A04E4F~1.EXE  Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
7  1460  svchost.com  Executes dropped EXE; Suspicious use of WriteProcessMemory
8  464  A04E4F~1.EXE  Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
9  2456  svchost.com  Executes dropped EXE; Suspicious use of WriteProcessMemory
10  3400  A04E4F~1.EXE  Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
11  4668  svchost.com  Executes dropped EXE; Drops file in Windows directory; Suspicious use of WriteProcessMemory
12  3516  A04E4F~1.EXE  Checks computer location settings; Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
13  5032  svchost.com  Executes dropped EXE; Suspicious use of WriteProcessMemory
14  1632  A04E4F~1.EXE  Executes dropped EXE; Suspicious use of WriteProcessMemory
15  2044  svchost.com  Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
16  1352  A04E4F~1.EXE  Executes dropped EXE; Drops file in Windows directory; Suspicious use of WriteProcessMemory
17  3500  svchost.com  Executes dropped EXE; Suspicious use of WriteProcessMemory
18  4796  A04E4F~1.EXE  Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
19  696  svchost.com  Executes dropped EXE; Suspicious use of WriteProcessMemory
20  640  A04E4F~1.EXE  Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
21  3596  svchost.com  Executes dropped EXE; Drops file in Windows directory; Suspicious use of WriteProcessMemory
22  1532  A04E4F~1.EXE  Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
23  1160  svchost.com  Executes dropped EXE; Drops file in Windows directory
24  368  A04E4F~1.EXE  Checks computer location settings; Executes dropped EXE
25  4900  svchost.com  Executes dropped EXE
26  4264  A04E4F~1.EXE  Executes dropped EXE; System Location Discovery: System Language Discovery
27  5076  svchost.com  Executes dropped EXE; Drops file in Windows directory
28  1688  A04E4F~1.EXE  Checks computer location settings; Executes dropped EXE
29  112  svchost.com  Executes dropped EXE
30  2896  A04E4F~1.EXE  Checks computer location settings; Executes dropped EXE; Modifies registry class
31  1272  svchost.com  Executes dropped EXE
32  3120  A04E4F~1.EXE  Checks computer location settings; Executes dropped EXE
33  1280  svchost.com  Executes dropped EXE; Drops file in Windows directory
34  2124  A04E4F~1.EXE  Executes dropped EXE
35  5040  svchost.com  Executes dropped EXE
36  4468  A04E4F~1.EXE  Checks computer location settings; Executes dropped EXE
37  2696  svchost.com  Executes dropped EXE; System Location Discovery: System Language Discovery
38  2024  A04E4F~1.EXE  Checks computer location settings; Executes dropped EXE; Drops file in Windows directory; Modifies registry class
39  3616  svchost.com  Executes dropped EXE; Drops file in Windows directory
40  4380  A04E4F~1.EXE  Executes dropped EXE; Modifies registry class
41  3080  svchost.com  Executes dropped EXE
42  224  A04E4F~1.EXE  Executes dropped EXE; System Location Discovery: System Language Discovery
43  2596  svchost.com  Executes dropped EXE
44  3724  A04E4F~1.EXE  Executes dropped EXE; Modifies registry class
45  932  svchost.com  Executes dropped EXE
46  2012  A04E4F~1.EXE  Executes dropped EXE
47  3720  svchost.com  Executes dropped EXE; Drops file in Windows directory
48  4952  A04E4F~1.EXE  Checks computer location settings; Executes dropped EXE; Modifies registry class
49  1372  svchost.com  Executes dropped EXE
50  2632  A04E4F~1.EXE  Checks computer location settings; Executes dropped EXE
51  5084  svchost.com  Executes dropped EXE
52  5064  A04E4F~1.EXE  Executes dropped EXE
53  3600  svchost.com  Executes dropped EXE
54  1500  A04E4F~1.EXE  Checks computer location settings; Executes dropped EXE
55  3656  svchost.com  Executes dropped EXE; Drops file in Windows directory
56  3596  A04E4F~1.EXE  Executes dropped EXE; Modifies registry class
57  4812  svchost.com  Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
58  552  A04E4F~1.EXE  Checks computer location settings; Executes dropped EXE; Modifies registry class
59  2376  svchost.com  Executes dropped EXE
60  4784  A04E4F~1.EXE  Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class
61  1516  svchost.com  Executes dropped EXE
62  2096  A04E4F~1.EXE  Executes dropped EXE; Drops file in Windows directory; Modifies registry class
63  1876  svchost.com  Executes dropped EXE
64  4324  A04E4F~1.EXE  Executes dropped EXE; Modifies registry class
65  112  svchost.com  Executes dropped EXE
66  1644  A04E4F~1.EXE  Modifies registry class
67  1272  svchost.com  (none)
68  4140  A04E4F~1.EXE  (none)
69  1280  svchost.com  (none)
70  3636  A04E4F~1.EXE  Drops file in Windows directory
71  4960  svchost.com  (none)
72  3888  A04E4F~1.EXE  (none)
73  1316  svchost.com  (none)
74  4428  A04E4F~1.EXE  System Location Discovery: System Language Discovery; Modifies registry class
75  1216  svchost.com  System Location Discovery: System Language Discovery
76  2412  A04E4F~1.EXE  Checks computer location settings; Drops file in Windows directory
77  1492  svchost.com  (none)
78  5088  A04E4F~1.EXE  Checks computer location settings
79  4516  svchost.com  Drops file in Windows directory
80  3848  A04E4F~1.EXE  Modifies registry class
81  624  svchost.com  (none)
82  3012  A04E4F~1.EXE  Drops file in Windows directory; Modifies registry class
83  748  svchost.com  (none)
84  2092  A04E4F~1.EXE  (none)
85  2012  svchost.com  (none)
86  3564  A04E4F~1.EXE  Modifies registry class
87  2184  svchost.com  Drops file in Windows directory
88  1372  A04E4F~1.EXE  Modifies registry class
89  2632  svchost.com  (none)
90  4940  A04E4F~1.EXE  System Location Discovery: System Language Discovery
91  4472  svchost.com  System Location Discovery: System Language Discovery
92  3492  A04E4F~1.EXE  Checks computer location settings
93  3916  svchost.com  (none)
94  1896  A04E4F~1.EXE  Checks computer location settings; Drops file in Windows directory; System Location Discovery: System Language Discovery; Modifies registry class
95  3508  svchost.com  System Location Discovery: System Language Discovery
96  4124  A04E4F~1.EXE  Modifies registry class
97  2236  svchost.com  (none)
98  1948  A04E4F~1.EXE  System Location Discovery: System Language Discovery
99  3920  svchost.com  (none)
100  5112  A04E4F~1.EXE  Checks computer location settings; System Location Discovery: System Language Discovery
101  2860  svchost.com  System Location Discovery: System Language Discovery
102  3360  A04E4F~1.EXE  Checks computer location settings; Drops file in Windows directory; System Location Discovery: System Language Discovery
103  872  svchost.com  (none)
104  2316  A04E4F~1.EXE  (none)
105  2896  svchost.com  System Location Discovery: System Language Discovery
106  1820  A04E4F~1.EXE  Checks computer location settings
107  2060  svchost.com  (none)
108  1096  A04E4F~1.EXE  Checks computer location settings; Drops file in Windows directory
109  936  svchost.com  Drops file in Windows directory; System Location Discovery: System Language Discovery
110  4608  A04E4F~1.EXE  Modifies registry class
111  5040  svchost.com  System Location Discovery: System Language Discovery
112  (not in the report)  A04E4F~1.EXE  (the report is cut off at this entry; PID and signatures are not present)
Three points for reading the rows. First, the relay is the runtime effect of the depth-1 signature Modifies system executable filetype association: once svchost.com is installed as the handler for .exe files, every launch of the infected host goes through C:\Windows\svchost.com with the host path as argument, svchost.com starts the copy from 3582-490, and that copy launches the host again; the process tree is a Neshta infector re-invoking itself, not 112 distinct payloads. Second, signature tags are capped at 64 IoCs per signature: Suspicious use of WriteProcessMemory is last tagged at depth 22 and Executes dropped EXE at depth 65, which is exactly where each signature's 64-entry list runs out, not where the behaviour stops. Third, PIDs are recycled within the chain (3596 at depths 21 and 56, 112 at 29 and 65, 2896 at 30 and 105, 1272 at 31 and 67, 1280 at 33 and 69, 5040 at 35 and 111, 2012 at 46 and 85, 1372 at 49 and 88, 2632 at 50 and 89), so correlate on depth or on the sandbox's process index rather than on PID alone.
- Checks computer location settings
PID:4820 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"113⤵PID:4260
-
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE114⤵
- Modifies registry class
PID:532 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"115⤵PID:1992
-
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE116⤵
- Modifies registry class
PID:1324 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"117⤵PID:1912
-
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE118⤵PID:5100
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"119⤵PID:4304
-
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE120⤵PID:3928
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"121⤵PID:3616
-
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE122⤵
- Checks computer location settings
PID:4644
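The tree above is a single alternating chain: C:\Windows\svchost.com (a .com file dropped by the infector, not the legitimate svchost.exe) starts the displaced original binary from %TEMP%\3582-490\, that binary starts svchost.com again, and so on down to nesting level 122. Flagging that loop mechanically is a small parsing job. The script below is an added example, not part of the sandbox report or of any vendor tooling: it parses records in the flattened form in which this export is rendered (image path, command line and "<level>⤵" marker run together on one line, signatures and PID on the lines after), then reports each svchost.com launch that names the stash directory and each relaunch of the stashed binary one level below it. The two indicators it keys on, the svchost.com path and the 3582-490 directory (a name that recurs across Neshta infections), are taken from the tree itself; the constructed sample is four consecutive records copied from it, and the level numbers are read as nesting depth because each record in the export is the child of the one before it.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: four consecutive records copied from the flattened tree
# on this page. The export runs image path, command line and "<level>⤵"
# together on one line; "- <signature>" and "PID:<n>" follow, "-" separates.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE88⤵
- Modifies registry class
PID:1372 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"89⤵PID:2632
-
C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE90⤵
- System Location Discovery: System Language Discovery
PID:4940 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A04E4F~1.EXE"91⤵
- System Location Discovery: System Language Discovery
PID:4472 -
"""

# Image path ends at the first .exe/.com; the command line is fused to it;
# then the nesting level, the ⤵ glyph and an optional inline PID.
PROC_RE = re.compile(
    r'^(?P<image>[A-Za-z]:\\[^"]*?\.(?:exe|com))(?P<cmdline>.*?)'
    r'(?P<level>\d+)⤵(?:PID:(?P<pid>\d+))?\s*$', re.IGNORECASE)
PID_RE = re.compile(r'^PID:(?P<pid>\d+)')

# Neshta indicators visible in this report: the dropped C:\Windows\svchost.com
# (a .com, not the legitimate svchost.exe) and the %TEMP%\3582-490\ stash
# directory holding the displaced original binary.
NESHTA_HOST = r'c:\windows\svchost.com'
STASH_DIR = '\\3582-490\\'


@dataclass
class Proc:
    image: str
    cmdline: str
    level: int
    pid: Optional[int] = None
    signatures: List[str] = field(default_factory=list)


def parse_tree(text: str) -> List[Proc]:
    """Turn the flattened export into Proc records, in tree order."""
    procs: List[Proc] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == '-':
            continue
        m = PROC_RE.match(line)
        if m:
            procs.append(Proc(m['image'], m['cmdline'].strip(), int(m['level']),
                              int(m['pid']) if m['pid'] else None))
        elif procs and (m := PID_RE.match(line)):
            procs[-1].pid = int(m['pid'])
        elif procs and line.startswith('- '):
            procs[-1].signatures.append(line[2:].strip())
    return procs


def neshta_findings(procs: List[Proc]) -> List[Tuple[str, int, Optional[int]]]:
    """Flag both halves of the Neshta relaunch loop, with level and PID:
    'host_launch'        svchost.com started with the stashed original as argument
    'relaunch_from_host' the stashed original started one level below svchost.com"""
    findings = []
    prev: Optional[Proc] = None
    for cur in procs:
        img = cur.image.lower()
        if img == NESHTA_HOST and STASH_DIR in cur.cmdline.lower():
            findings.append(('host_launch', cur.level, cur.pid))
        if (prev is not None and STASH_DIR in img
                and prev.image.lower() == NESHTA_HOST and cur.level == prev.level + 1):
            findings.append(('relaunch_from_host', cur.level, cur.pid))
        prev = cur
    return findings


def signature_tally(procs: List[Proc]) -> Counter:
    """How often each sandbox signature fired across the records."""
    return Counter(s for p in procs for s in p.signatures)


if __name__ == '__main__':
    tree = parse_tree(SAMPLE)
    for kind, level, pid in neshta_findings(tree):
        print(f'{kind:20} level={level} pid={pid}')
    print(dict(signature_tally(tree)))
```

The relaunch check deliberately requires the stashed binary to sit exactly one level below a svchost.com record; a gap in the levels (a record the export dropped, or a child of some other process) is not reported as part of the loop. Matching on the full path C:\Windows\svchost.com rather than on the file name alone keeps the legitimate svchost.exe out of the result.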