Analysis

max time kernel: 36s
max time network: 100s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-12-2024 19:29

Behavioral task: behavioral1
Sample: 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
Resource: win10v2004-20241007-en

General

Target: 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
Size: 3.7MB
MD5: e7743360d7504c003717a724c7078da0
SHA1: 50ddbc01198721da12d3f6940a422c2b6752d29a
SHA256: 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503
SHA512: b6a83d6db2f18ba56f48e4abbf5f4e24e73d91a01a29d385947cbe72c02a44de891ed8fe37efaa23a08505b4c38a8edc6896126a748bea646e8ece5b245d5968
SSDEEP: 24576:ruWNAd6RMEAiQRDz7kxPYTVLM46SgezoLZqtVJW8PNwdnk9zUQABRVBJZOWHjD3e:r06XAB4x8LM46A8Np8PaNlRVBJZo
Malware Config
Signatures
Detect Neshta payload (64 IoCs)

resource | yara_rule
behavioral2/files/0x0007000000023c97-4.dat | family_neshta
behavioral2/files/0x0007000000023c98-10.dat | family_neshta
behavioral2/memory/2852-16-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/4504-27-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/2556-28-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/4084-35-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/1368-40-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/964-44-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/504-52-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/1516-63-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/4204-64-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/2396-74-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/3528-76-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/2000-87-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/1052-88-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/2976-92-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/files/0x000600000002022f-103.dat | family_neshta
behavioral2/files/0x000600000002022b-106.dat | family_neshta
behavioral2/files/0x000400000002034f-112.dat | family_neshta
behavioral2/files/0x00010000000202c0-114.dat | family_neshta
behavioral2/files/0x00010000000202a8-119.dat | family_neshta
behavioral2/files/0x0004000000020322-120.dat | family_neshta
behavioral2/memory/3852-121-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/2212-133-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/216-134-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/1520-145-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/4840-146-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/2364-156-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/2164-158-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/740-168-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/2616-170-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/4392-174-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/3744-182-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/3652-186-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/files/0x0008000000020250-196.dat | family_neshta
behavioral2/memory/5012-209-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/3364-224-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/3460-246-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/976-256-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/1796-270-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/3628-272-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/3580-278-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/1516-287-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/1476-292-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/1592-298-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/2412-309-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/1264-318-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/4736-321-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/2336-323-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/3708-332-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/2624-333-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/2404-335-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/4576-341-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/948-343-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/1672-349-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/1076-351-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/2488-357-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/1972-359-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/2164-365-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/4836-366-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/940-373-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/2796-374-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/4468-376-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/3960-382-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
Neshta

Malware from the Neshta family is a file infector: it injects a copy of itself into other executables to spread and cause damage.

Neshta family
Checks computer location settings (2 TTPs, 64 IoCs)

Looks up the country code configured in the registry, likely for geofencing.

description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 2EB93C~1.EXE
Executes dropped EXE (64 IoCs)

pid | Process
4836 | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
2852 | svchost.com
4504 | 2EB93C~1.EXE
2556 | svchost.com
4084 | 2EB93C~1.EXE
1368 | svchost.com
964 | 2EB93C~1.EXE
504 | svchost.com
1516 | 2EB93C~1.EXE
4204 | svchost.com
2396 | 2EB93C~1.EXE
3528 | svchost.com
2000 | 2EB93C~1.EXE
1052 | svchost.com
2976 | 2EB93C~1.EXE
3852 | svchost.com
2212 | 2EB93C~1.EXE
216 | svchost.com
1520 | 2EB93C~1.EXE
4840 | svchost.com
2364 | 2EB93C~1.EXE
2164 | svchost.com
740 | 2EB93C~1.EXE
2616 | svchost.com
4392 | 2EB93C~1.EXE
3744 | svchost.com
3652 | 2EB93C~1.EXE
5012 | svchost.com
3364 | 2EB93C~1.EXE
3460 | svchost.com
976 | 2EB93C~1.EXE
1796 | svchost.com
3628 | 2EB93C~1.EXE
3580 | svchost.com
1516 | 2EB93C~1.EXE
1476 | svchost.com
1592 | 2EB93C~1.EXE
2412 | svchost.com
1264 | 2EB93C~1.EXE
4736 | svchost.com
2336 | 2EB93C~1.EXE
3708 | svchost.com
2404 | 2EB93C~1.EXE
4576 | svchost.com
948 | 2EB93C~1.EXE
1672 | svchost.com
1076 | 2EB93C~1.EXE
2488 | svchost.com
1972 | 2EB93C~1.EXE
2164 | svchost.com
940 | 2EB93C~1.EXE
2796 | svchost.com
4468 | 2EB93C~1.EXE
3960 | svchost.com
2996 | 2EB93C~1.EXE
2532 | svchost.com
4760 | 2EB93C~1.EXE
4312 | svchost.com
1392 | 2EB93C~1.EXE
2276 | svchost.com
4808 | 2EB93C~1.EXE
1968 | svchost.com
3096 | 2EB93C~1.EXE
428 | svchost.com
Modifies system executable filetype association (2 TTPs, 1 IoC)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
Reads user/profile data of web browsers (3 TTPs)

Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
Drops file in Program Files directory (64 IoCs)

description | ioc | Process
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\wmpshare.exe | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\WINDOW~2\wabmig.exe | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\INTERN~1\ExtExport.exe | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\wmprph.exe | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\MOZILL~1\UNINST~1.EXE | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\Google\Update\DISABL~1.EXE | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\INTERN~1\ExtExport.exe | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\INTERN~1\ieinstal.exe | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\wmlaunch.exe | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\wmplayer.exe | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\setup_wm.exe | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\wmpconfig.exe | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
Drops file in Windows directory (64 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\svchost.com | 2EB93C~1.EXE
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\directx.sys | 2EB93C~1.EXE
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | 2EB93C~1.EXE
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | 2EB93C~1.EXE
File opened for modification | C:\Windows\directx.sys | 2EB93C~1.EXE
File opened for modification | C:\Windows\svchost.com | 2EB93C~1.EXE
File opened for modification | C:\Windows\svchost.com | 2EB93C~1.EXE
File opened for modification | C:\Windows\svchost.com | 2EB93C~1.EXE
File opened for modification | C:\Windows\svchost.com | 2EB93C~1.EXE
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\directx.sys | 2EB93C~1.EXE
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | 2EB93C~1.EXE
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | 2EB93C~1.EXE
File opened for modification | C:\Windows\directx.sys | 2EB93C~1.EXE
File opened for modification | C:\Windows\svchost.com | 2EB93C~1.EXE
File opened for modification | C:\Windows\svchost.com | 2EB93C~1.EXE
File opened for modification | C:\Windows\svchost.com | 2EB93C~1.EXE
File opened for modification | C:\Windows\svchost.com | 2EB93C~1.EXE
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\directx.sys | 2EB93C~1.EXE
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | 2EB93C~1.EXE
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | 2EB93C~1.EXE
File opened for modification | C:\Windows\svchost.com | 2EB93C~1.EXE
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\directx.sys | 2EB93C~1.EXE
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | 2EB93C~1.EXE
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | 2EB93C~1.EXE
File opened for modification | C:\Windows\directx.sys | 2EB93C~1.EXE
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | 2EB93C~1.EXE
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | 2EB93C~1.EXE
File opened for modification | C:\Windows\svchost.com | 2EB93C~1.EXE
Enumerates physical storage devices (1 TTP)

Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2EB93C~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2EB93C~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2EB93C~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2EB93C~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2EB93C~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2EB93C~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2EB93C~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2EB93C~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2EB93C~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2EB93C~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2EB93C~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2EB93C~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2EB93C~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2EB93C~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2EB93C~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2EB93C~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2EB93C~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2EB93C~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2EB93C~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2EB93C~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2EB93C~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2EB93C~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2EB93C~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2EB93C~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2EB93C~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2EB93C~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2EB93C~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2EB93C~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2EB93C~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2EB93C~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2EB93C~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2EB93C~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2EB93C~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2EB93C~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2EB93C~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2EB93C~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2EB93C~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2EB93C~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
-
Modifies registry class 64 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2EB93C~1.EXE
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2624 wrote to memory of 4836 | 2624 | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe | 83
PID 2624 wrote to memory of 4836 | 2624 | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe | 83
PID 2624 wrote to memory of 4836 | 2624 | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe | 83
PID 4836 wrote to memory of 2852 | 4836 | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe | 84
PID 4836 wrote to memory of 2852 | 4836 | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe | 84
PID 4836 wrote to memory of 2852 | 4836 | 2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe | 84
PID 2852 wrote to memory of 4504 | 2852 | svchost.com | 85
PID 2852 wrote to memory of 4504 | 2852 | svchost.com | 85
PID 2852 wrote to memory of 4504 | 2852 | svchost.com | 85
PID 4504 wrote to memory of 2556 | 4504 | 2EB93C~1.EXE | 86
PID 4504 wrote to memory of 2556 | 4504 | 2EB93C~1.EXE | 86
PID 4504 wrote to memory of 2556 | 4504 | 2EB93C~1.EXE | 86
PID 2556 wrote to memory of 4084 | 2556 | svchost.com | 87
PID 2556 wrote to memory of 4084 | 2556 | svchost.com | 87
PID 2556 wrote to memory of 4084 | 2556 | svchost.com | 87
PID 4084 wrote to memory of 1368 | 4084 | 2EB93C~1.EXE | 88
PID 4084 wrote to memory of 1368 | 4084 | 2EB93C~1.EXE | 88
PID 4084 wrote to memory of 1368 | 4084 | 2EB93C~1.EXE | 88
PID 1368 wrote to memory of 964 | 1368 | svchost.com | 89
PID 1368 wrote to memory of 964 | 1368 | svchost.com | 89
PID 1368 wrote to memory of 964 | 1368 | svchost.com | 89
PID 964 wrote to memory of 504 | 964 | 2EB93C~1.EXE | 194
PID 964 wrote to memory of 504 | 964 | 2EB93C~1.EXE | 194
PID 964 wrote to memory of 504 | 964 | 2EB93C~1.EXE | 194
PID 504 wrote to memory of 1516 | 504 | svchost.com | 154
PID 504 wrote to memory of 1516 | 504 | svchost.com | 154
PID 504 wrote to memory of 1516 | 504 | svchost.com | 154
PID 1516 wrote to memory of 4204 | 1516 | 2EB93C~1.EXE | 92
PID 1516 wrote to memory of 4204 | 1516 | 2EB93C~1.EXE | 92
PID 1516 wrote to memory of 4204 | 1516 | 2EB93C~1.EXE | 92
PID 4204 wrote to memory of 2396 | 4204 | svchost.com | 93
PID 4204 wrote to memory of 2396 | 4204 | svchost.com | 93
PID 4204 wrote to memory of 2396 | 4204 | svchost.com | 93
PID 2396 wrote to memory of 3528 | 2396 | 2EB93C~1.EXE | 155
PID 2396 wrote to memory of 3528 | 2396 | 2EB93C~1.EXE | 155
PID 2396 wrote to memory of 3528 | 2396 | 2EB93C~1.EXE | 155
PID 3528 wrote to memory of 2000 | 3528 | svchost.com | 95
PID 3528 wrote to memory of 2000 | 3528 | svchost.com | 95
PID 3528 wrote to memory of 2000 | 3528 | svchost.com | 95
PID 2000 wrote to memory of 1052 | 2000 | 2EB93C~1.EXE | 224
PID 2000 wrote to memory of 1052 | 2000 | 2EB93C~1.EXE | 224
PID 2000 wrote to memory of 1052 | 2000 | 2EB93C~1.EXE | 224
PID 1052 wrote to memory of 2976 | 1052 | svchost.com | 223
PID 1052 wrote to memory of 2976 | 1052 | svchost.com | 223
PID 1052 wrote to memory of 2976 | 1052 | svchost.com | 223
PID 2976 wrote to memory of 3852 | 2976 | 2EB93C~1.EXE | 197
PID 2976 wrote to memory of 3852 | 2976 | 2EB93C~1.EXE | 197
PID 2976 wrote to memory of 3852 | 2976 | 2EB93C~1.EXE | 197
PID 3852 wrote to memory of 2212 | 3852 | svchost.com | 99
PID 3852 wrote to memory of 2212 | 3852 | svchost.com | 99
PID 3852 wrote to memory of 2212 | 3852 | svchost.com | 99
PID 2212 wrote to memory of 216 | 2212 | 2EB93C~1.EXE | 100
PID 2212 wrote to memory of 216 | 2212 | 2EB93C~1.EXE | 100
PID 2212 wrote to memory of 216 | 2212 | 2EB93C~1.EXE | 100
PID 216 wrote to memory of 1520 | 216 | svchost.com | 101
PID 216 wrote to memory of 1520 | 216 | svchost.com | 101
PID 216 wrote to memory of 1520 | 216 | svchost.com | 101
PID 1520 wrote to memory of 4840 | 1520 | 2EB93C~1.EXE | 102
PID 1520 wrote to memory of 4840 | 1520 | 2EB93C~1.EXE | 102
PID 1520 wrote to memory of 4840 | 1520 | 2EB93C~1.EXE | 102
PID 4840 wrote to memory of 2364 | 4840 | svchost.com | 103
PID 4840 wrote to memory of 2364 | 4840 | svchost.com | 103
PID 4840 wrote to memory of 2364 | 4840 | svchost.com | 103
PID 2364 wrote to memory of 2164 | 2364 | 2EB93C~1.EXE | 257
Processes
-
C:\Users\Admin\AppData\Local\Temp\2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe "C:\Users\Admin\AppData\Local\Temp\2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe" (depth 1)
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe "C:\Users\Admin\AppData\Local\Temp\3582-490\2eb93c4fc2bcf8ed9de92ddae4a565853d61c7d08c206d9e8a3551768a1f4503N.exe" (depth 2)
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4836 -
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE" (depth 3)
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE (depth 4)
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4504 -
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE" (depth 5)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE (depth 6)
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4084 -
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE" (depth 7)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE (depth 8)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:964 -
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE" (depth 9)
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:504 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE (depth 10)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE" (depth 11)
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4204 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE (depth 12)
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE" (depth 13)
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3528 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE (depth 14)
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE" (depth 15)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE (depth 16)
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE" (depth 17)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3852 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE (depth 18)
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE" (depth 19)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE (depth 20)
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1520 -
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE" (depth 21)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4840 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE (depth 22)
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE" (depth 23)
- Executes dropped EXE
- Drops file in Windows directory
PID:2164 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE (depth 24)
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:740 -
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE" (depth 25)
- Executes dropped EXE
- Drops file in Windows directory
PID:2616 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE (depth 26)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4392 -
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE" (depth 27)
- Executes dropped EXE
PID:3744 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE (depth 28)
- Executes dropped EXE
PID:3652 -
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE" (depth 29)
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5012 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE (depth 30)
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:3364 -
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE" (depth 31)
- Executes dropped EXE
- Drops file in Windows directory
PID:3460 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE (depth 32)
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:976 -
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE" (depth 33)
- Executes dropped EXE
PID:1796 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE (depth 34)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3628 -
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE" (depth 35)
- Executes dropped EXE
- Drops file in Windows directory
PID:3580 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE (depth 36)
- Checks computer location settings
- Executes dropped EXE
PID:1516 -
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE" (depth 37)
- Executes dropped EXE
PID:1476 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE (depth 38)
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:1592 -
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE" (depth 39)
- Executes dropped EXE
PID:2412 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE (depth 40)
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
PID:1264 -
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE" (depth 41)
- Executes dropped EXE
- Drops file in Windows directory
PID:4736 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE (depth 42)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2336 -
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE" (depth 43)
- Executes dropped EXE
PID:3708 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE (depth 44)
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2404 -
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE" (depth 45)
- Executes dropped EXE
PID:4576 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE (depth 46)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:948 -
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE" (depth 47)
- Executes dropped EXE
- Drops file in Windows directory
PID:1672 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE (depth 48)
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1076 -
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE" (depth 49)
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2488 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE (depth 50)
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:1972 -
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE" (depth 51)
- Executes dropped EXE
- Drops file in Windows directory
PID:2164 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE (depth 52)
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:940 -
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE" (depth 53)
- Executes dropped EXE
PID:2796 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE (depth 54)
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4468 -
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE" (depth 55)
- Executes dropped EXE
PID:3960 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE (depth 56)
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:2996 -
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE" (depth 57)
- Executes dropped EXE
- Drops file in Windows directory
PID:2532 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE (depth 58)
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
PID:4760 -
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE" (depth 59)
- Executes dropped EXE
PID:4312 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE (depth 60)
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1392 -
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE" (depth 61)
- Executes dropped EXE
PID:2276 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE (depth 62)
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4808 -
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE" (depth 63)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1968 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE (depth 64)
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3096 -
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE" (depth 65)
- Executes dropped EXE
PID:428 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE (depth 66)
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4484 -
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE" (depth 67)
- System Location Discovery: System Language Discovery
PID:3200 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE (depth 68)
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
PID:2864 -
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE" (depth 69)
PID:2936 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE (depth 70)
- Checks computer location settings
- Modifies registry class
PID:3196 -
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE" (depth 71)
- System Location Discovery: System Language Discovery
PID:1624 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE (depth 72)
- Checks computer location settings
- Modifies registry class
PID:1516 -
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE" (depth 73)
PID:2248 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE (depth 74)
- Checks computer location settings
- Modifies registry class
PID:3308 -
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE" (depth 75)
- Drops file in Windows directory
PID:3660 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE (depth 76)
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1736 -
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE" (depth 77)
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4360 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE (depth 78)
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2576 -
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE" (depth 79)
- Drops file in Windows directory
PID:2628 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE (depth 80)
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3928 -
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE" (depth 81)
- Drops file in Windows directory
PID:2184 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE (depth 82)
- Checks computer location settings
- Modifies registry class
PID:2968 -
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE" (depth 83)
PID:1972 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE (depth 84)
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1180 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE"85⤵
- System Location Discovery: System Language Discovery
PID:2680 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE86⤵
- Checks computer location settings
- Drops file in Windows directory
PID:3192 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE"87⤵PID:4052
-
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE88⤵
- Checks computer location settings
- Modifies registry class
PID:5072 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE"89⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4984 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE90⤵
- Checks computer location settings
- Modifies registry class
PID:2532 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE"91⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1044 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE92⤵
- Drops file in Windows directory
- Modifies registry class
PID:4180 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE"93⤵PID:4968
-
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE94⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3996 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE"95⤵PID:1528
-
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE96⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3460 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE"97⤵
- System Location Discovery: System Language Discovery
PID:428 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE98⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2100 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE"99⤵
- Drops file in Windows directory
PID:1628 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE100⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2868 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE"101⤵PID:3196
-
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE102⤵
- Checks computer location settings
PID:1560 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE"103⤵
- Drops file in Windows directory
PID:3588 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE104⤵
- Checks computer location settings
- Modifies registry class
PID:1052 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE"105⤵PID:504
-
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE106⤵
- Checks computer location settings
- Modifies registry class
PID:3044 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE"107⤵PID:3916
-
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE108⤵
- Checks computer location settings
- Drops file in Windows directory
PID:3852 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE"109⤵PID:344
-
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE110⤵
- Drops file in Windows directory
- Modifies registry class
PID:2592 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE"111⤵
- System Location Discovery: System Language Discovery
PID:1680 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE112⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3840 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE"113⤵PID:3016
-
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE114⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4732 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE"115⤵
- Drops file in Windows directory
PID:2896 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE116⤵
- Checks computer location settings
PID:2904 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE"117⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1284 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE118⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
PID:2984 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE"119⤵
- System Location Discovery: System Language Discovery
PID:1664 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE120⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4180 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE"121⤵
- Drops file in Windows directory
PID:1440 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE122⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3420
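Added example, not part of this sandbox report: a small Python parser for the flattened process-tree entries above, followed by the two predicates a practitioner would actually alert on in them, namely C:\Windows\svchost.com relaunching a file staged under %TEMP%\3582-490 and a process whose image lives in that staging directory, paired up by tree depth to recover the launcher-to-original hops. The two report entries inside the sample text are copied from this page; the notepad.exe entry is a constructed benign control, and the assumed layout of an entry line (image path, command line and tree depth run together, with the PID sometimes fused onto the same line) reflects how this page was extracted, not how the sandbox stores its data.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample input. The svchost.com and 2EB93C~1.EXE entries are
# copied from this report's process tree in the flattened form it appears
# in; the notepad.exe entry is a made-up benign control.
SAMPLE_ENTRIES = r"""
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE"75⤵
- Drops file in Windows directory
PID:3660 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2EB93C~1.EXE76⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1736 -
C:\Windows\System32\notepad.exeC:\Windows\System32\notepad.exe77⤵PID:4000
-
"""

# Assumed entry layout: <image path><command line><tree depth>. The image
# path is the shortest prefix ending in .exe/.com, the command line then
# starts with a quote or a drive letter, and the depth is the trailing digits.
ENTRY_RE = re.compile(
    r'^(?P<image>[A-Za-z]:\\[^"]*?\.(?:exe|com))'
    r'(?P<cmdline>(?:"|[A-Za-z]:\\).*?)'
    r'(?P<depth>\d+)$',
    re.IGNORECASE,
)

# Staging directory for the cleaned-up original executable, as seen in
# every second entry of this report's tree.
NESHTA_STAGE_DIR = '\\temp\\3582-490\\'


@dataclass
class ProcEntry:
    image: str
    cmdline: str
    depth: int
    pid: int = 0
    tags: List[str] = field(default_factory=list)


def parse_tree(text: str) -> List[ProcEntry]:
    """Parse the flattened process-tree text into ProcEntry records."""
    entries: List[ProcEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        pid = None
        if 'PID:' in line:                      # PID may sit on its own line or be fused
            line, pid_text = line.split('PID:', 1)
            pid = int(pid_text.strip(' -'))
        line = line.replace('⤵', '').strip()    # expand-arrow glyph after the depth
        m = ENTRY_RE.match(line)
        if m:
            entries.append(ProcEntry(m['image'], m['cmdline'], int(m['depth'])))
        elif line.startswith('- ') and entries:  # behaviour tag for the current entry
            entries[-1].tags.append(line[2:].strip())
        if pid is not None and entries:
            entries[-1].pid = pid
    return entries


def is_neshta_launcher(e: ProcEntry) -> bool:
    """svchost.com in the Windows directory relaunching a file staged under 3582-490."""
    return (e.image.lower().endswith('\\windows\\svchost.com')
            and NESHTA_STAGE_DIR in e.cmdline.lower())


def is_neshta_staged_original(e: ProcEntry) -> bool:
    """A process whose image lives in the Neshta staging directory."""
    return NESHTA_STAGE_DIR in e.image.lower()


def neshta_pairs(entries: List[ProcEntry]) -> List[Tuple[int, int]]:
    """(launcher PID, child PID) for each svchost.com -> staged-original hop."""
    pairs = []
    for parent, child in zip(entries, entries[1:]):
        if (is_neshta_launcher(parent) and is_neshta_staged_original(child)
                and child.depth == parent.depth + 1):
            pairs.append((parent.pid, child.pid))
    return pairs


if __name__ == '__main__':
    tree = parse_tree(SAMPLE_ENTRIES)
    for e in tree:
        hit = is_neshta_launcher(e) or is_neshta_staged_original(e)
        print(f"depth {e.depth:3d}  pid {e.pid:5d}  {'NESHTA' if hit else 'ok':6s}  {e.image}")
    print('launcher -> original hops:', neshta_pairs(tree))
```

On a live host the same two predicates apply unchanged to the Image, ParentImage and CommandLine fields of a Sysmon process-creation event (Event ID 1); the depth check used here is only a stand-in for the parent/child PID relationship that the sandbox tree flattens away.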