Analysis
max time kernel: 48s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 07-12-2024 18:41
Behavioral task behavioral1
Sample: 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe
Resource: win7-20240903-en
Behavioral task behavioral2
Sample: 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe
Resource: win10v2004-20241007-en
General
Target: 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe
Size: 620KB
MD5: 133d351d37afbfb27c39b6f87d734550
SHA1: a0b907130e2758e1c15a504f19782e34a8867a69
SHA256: 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0f
SHA512: cbd1db3954c3e8266264313c7698b53f01b4f2850814d1c5a7807962e4671ca732c1b920103bc50bf3097dbde868311d14b55093f6ee8a6d575d976b0f87694d
SSDEEP: 12288:3QveDfL7VwmhkKTU2N/cvC888888888888W88888888888FzX:3QmDffVwmhcIcG
Malware Config
Signatures
Detect Neshta payload 64 IoCs
resource yara_rule
behavioral2/files/0x000d000000023a68-4.dat family_neshta
behavioral2/files/0x000d000000023a73-10.dat family_neshta
behavioral2/memory/456-16-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral2/memory/3416-26-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral2/memory/808-28-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral2/memory/316-32-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral2/memory/624-40-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral2/memory/4988-44-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral2/memory/4232-52-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral2/memory/2288-56-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral2/memory/2200-64-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral2/memory/2968-75-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral2/memory/3472-76-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral2/memory/1728-87-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral2/files/0x000400000002035c-88.dat family_neshta
behavioral2/files/0x0006000000020237-96.dat family_neshta
behavioral2/memory/2836-97-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral2/files/0x000600000002022f-95.dat family_neshta
behavioral2/files/0x0004000000020322-125.dat family_neshta
behavioral2/memory/4048-140-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral2/memory/3016-129-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral2/files/0x00010000000202a8-124.dat family_neshta
behavioral2/files/0x0004000000020361-123.dat family_neshta
behavioral2/memory/2576-121-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral2/files/0x00010000000202c0-111.dat family_neshta
behavioral2/files/0x000400000002034f-109.dat family_neshta
behavioral2/files/0x00010000000202ad-108.dat family_neshta
behavioral2/files/0x000100000002023e-107.dat family_neshta
behavioral2/memory/3832-141-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral2/memory/5020-152-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral2/files/0x00010000000214eb-164.dat family_neshta
behavioral2/files/0x00010000000214ec-165.dat family_neshta
behavioral2/files/0x00010000000214ed-163.dat family_neshta
behavioral2/files/0x0001000000022f3f-169.dat family_neshta
behavioral2/files/0x0001000000022f3b-170.dat family_neshta
behavioral2/files/0x0001000000022f40-175.dat family_neshta
behavioral2/files/0x0001000000022f7e-181.dat family_neshta
behavioral2/files/0x0001000000022f3d-180.dat family_neshta
behavioral2/files/0x00010000000167c7-193.dat family_neshta
behavioral2/files/0x00010000000167c9-192.dat family_neshta
behavioral2/files/0x00010000000167ae-191.dat family_neshta
behavioral2/files/0x0001000000016800-190.dat family_neshta
behavioral2/memory/2984-184-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral2/memory/1316-222-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral2/memory/4108-224-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral2/memory/2800-234-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral2/memory/3888-243-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral2/memory/3632-247-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral2/memory/1680-256-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral2/memory/3484-263-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral2/memory/3252-267-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral2/memory/1668-274-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral2/memory/620-275-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral2/memory/4420-277-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral2/memory/4020-283-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral2/memory/4808-290-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral2/memory/2056-291-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral2/memory/4932-298-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral2/memory/4184-299-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral2/memory/2956-301-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral2/memory/4668-307-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral2/memory/652-309-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral2/memory/3472-315-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral2/memory/2580-322-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
Neshta
Malware from the Neshta family infects other files with copies of itself in order to spread and cause damage.
Neshta family
Checks computer location settings 2 TTPs 64 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value 
queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried 
\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried 
\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried 
\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2BE3D8~1.EXE
Executes dropped EXE 64 IoCs
pid Process
5056 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe
456 svchost.com
3416 2BE3D8~1.EXE
808 svchost.com
316 2BE3D8~1.EXE
624 svchost.com
4988 2BE3D8~1.EXE
4232 svchost.com
2288 2BE3D8~1.EXE
2200 svchost.com
2968 2BE3D8~1.EXE
3472 svchost.com
1728 2BE3D8~1.EXE
2836 svchost.com
2576 2BE3D8~1.EXE
3016 svchost.com
4048 2BE3D8~1.EXE
3832 svchost.com
5020 2BE3D8~1.EXE
2984 svchost.com
1316 2BE3D8~1.EXE
4108 svchost.com
2800 2BE3D8~1.EXE
3888 svchost.com
3632 2BE3D8~1.EXE
1680 svchost.com
3484 2BE3D8~1.EXE
3252 svchost.com
1668 2BE3D8~1.EXE
620 svchost.com
4420 2BE3D8~1.EXE
4020 svchost.com
4808 2BE3D8~1.EXE
2056 svchost.com
4932 2BE3D8~1.EXE
4184 svchost.com
2956 2BE3D8~1.EXE
4668 svchost.com
652 2BE3D8~1.EXE
3472 svchost.com
2580 2BE3D8~1.EXE
536 svchost.com
776 2BE3D8~1.EXE
2380 svchost.com
1132 2BE3D8~1.EXE
5008 svchost.com
3732 2BE3D8~1.EXE
3636 svchost.com
4616 2BE3D8~1.EXE
1584 svchost.com
1012 2BE3D8~1.EXE
1544 svchost.com
1804 2BE3D8~1.EXE
2104 svchost.com
2860 2BE3D8~1.EXE
5036 svchost.com
2560 2BE3D8~1.EXE
1316 svchost.com
4852 2BE3D8~1.EXE
4180 svchost.com
1920 2BE3D8~1.EXE
1492 svchost.com
1480 2BE3D8~1.EXE
3364 svchost.com
Modifies system executable filetype association 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive data.
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification 
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification 
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE 
2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE 
2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\directx.sys 2BE3D8~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys 2BE3D8~1.EXE File opened for modification C:\Windows\directx.sys 2BE3D8~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys 2BE3D8~1.EXE File opened for modification C:\Windows\directx.sys 2BE3D8~1.EXE File opened for modification C:\Windows\svchost.com 2BE3D8~1.EXE File opened for modification C:\Windows\svchost.com 2BE3D8~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys 2BE3D8~1.EXE File opened for modification C:\Windows\svchost.com 2BE3D8~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com 2BE3D8~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com 2BE3D8~1.EXE File opened for modification C:\Windows\directx.sys 2BE3D8~1.EXE File opened for modification C:\Windows\svchost.com 2BE3D8~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys 2BE3D8~1.EXE File opened for modification C:\Windows\directx.sys 2BE3D8~1.EXE File opened for modification C:\Windows\svchost.com 2BE3D8~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification 
C:\Windows\directx.sys 2BE3D8~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com 2BE3D8~1.EXE File opened for modification C:\Windows\directx.sys 2BE3D8~1.EXE File opened for modification C:\Windows\directx.sys 2BE3D8~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys 2BE3D8~1.EXE File opened for modification C:\Windows\svchost.com 2BE3D8~1.EXE File opened for modification C:\Windows\directx.sys 2BE3D8~1.EXE File opened for modification C:\Windows\directx.sys 2BE3D8~1.EXE File opened for modification C:\Windows\directx.sys 2BE3D8~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com 2BE3D8~1.EXE File opened for modification C:\Windows\svchost.com 2BE3D8~1.EXE File opened for modification C:\Windows\svchost.com 2BE3D8~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys 2BE3D8~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys 2BE3D8~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys 2BE3D8~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com 2BE3D8~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification 
C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com svchost.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2BE3D8~1.EXE |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2BE3D8~1.EXE |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2BE3D8~1.EXE |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2BE3D8~1.EXE |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2BE3D8~1.EXE |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2BE3D8~1.EXE |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2BE3D8~1.EXE |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2BE3D8~1.EXE |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2BE3D8~1.EXE |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2BE3D8~1.EXE |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2BE3D8~1.EXE |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2BE3D8~1.EXE |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2BE3D8~1.EXE |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2BE3D8~1.EXE |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2BE3D8~1.EXE |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2BE3D8~1.EXE |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2BE3D8~1.EXE |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2BE3D8~1.EXE |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2BE3D8~1.EXE |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2BE3D8~1.EXE |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2BE3D8~1.EXE |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2BE3D8~1.EXE |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2BE3D8~1.EXE |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2BE3D8~1.EXE |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2BE3D8~1.EXE |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2BE3D8~1.EXE |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2BE3D8~1.EXE |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2BE3D8~1.EXE |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com |
Modifies registry class 64 IoCs
| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 2BE3D8~1.EXE |
Suspicious use of WriteProcessMemory 64 IoCs
| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 4556 wrote to memory of 5056 | 4556 | 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe | 84 |
| PID 4556 wrote to memory of 5056 | 4556 | 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe | 84 |
| PID 4556 wrote to memory of 5056 | 4556 | 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe | 84 |
| PID 5056 wrote to memory of 456 | 5056 | 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe | 85 |
| PID 5056 wrote to memory of 456 | 5056 | 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe | 85 |
| PID 5056 wrote to memory of 456 | 5056 | 2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe | 85 |
| PID 456 wrote to memory of 3416 | 456 | svchost.com | 86 |
| PID 456 wrote to memory of 3416 | 456 | svchost.com | 86 |
| PID 456 wrote to memory of 3416 | 456 | svchost.com | 86 |
| PID 3416 wrote to memory of 808 | 3416 | 2BE3D8~1.EXE | 87 |
| PID 3416 wrote to memory of 808 | 3416 | 2BE3D8~1.EXE | 87 |
| PID 3416 wrote to memory of 808 | 3416 | 2BE3D8~1.EXE | 87 |
| PID 808 wrote to memory of 316 | 808 | svchost.com | 88 |
| PID 808 wrote to memory of 316 | 808 | svchost.com | 88 |
| PID 808 wrote to memory of 316 | 808 | svchost.com | 88 |
| PID 316 wrote to memory of 624 | 316 | 2BE3D8~1.EXE | 89 |
| PID 316 wrote to memory of 624 | 316 | 2BE3D8~1.EXE | 89 |
| PID 316 wrote to memory of 624 | 316 | 2BE3D8~1.EXE | 89 |
| PID 624 wrote to memory of 4988 | 624 | svchost.com | 90 |
| PID 624 wrote to memory of 4988 | 624 | svchost.com | 90 |
| PID 624 wrote to memory of 4988 | 624 | svchost.com | 90 |
| PID 4988 wrote to memory of 4232 | 4988 | 2BE3D8~1.EXE | 91 |
| PID 4988 wrote to memory of 4232 | 4988 | 2BE3D8~1.EXE | 91 |
| PID 4988 wrote to memory of 4232 | 4988 | 2BE3D8~1.EXE | 91 |
| PID 4232 wrote to memory of 2288 | 4232 | svchost.com | 92 |
| PID 4232 wrote to memory of 2288 | 4232 | svchost.com | 92 |
| PID 4232 wrote to memory of 2288 | 4232 | svchost.com | 92 |
| PID 2288 wrote to memory of 2200 | 2288 | 2BE3D8~1.EXE | 93 |
| PID 2288 wrote to memory of 2200 | 2288 | 2BE3D8~1.EXE | 93 |
| PID 2288 wrote to memory of 2200 | 2288 | 2BE3D8~1.EXE | 93 |
| PID 2200 wrote to memory of 2968 | 2200 | svchost.com | 94 |
| PID 2200 wrote to memory of 2968 | 2200 | svchost.com | 94 |
| PID 2200 wrote to memory of 2968 | 2200 | svchost.com | 94 |
| PID 2968 wrote to memory of 3472 | 2968 | 2BE3D8~1.EXE | 123 |
| PID 2968 wrote to memory of 3472 | 2968 | 2BE3D8~1.EXE | 123 |
| PID 2968 wrote to memory of 3472 | 2968 | 2BE3D8~1.EXE | 123 |
| PID 3472 wrote to memory of 1728 | 3472 | svchost.com | 96 |
| PID 3472 wrote to memory of 1728 | 3472 | svchost.com | 96 |
| PID 3472 wrote to memory of 1728 | 3472 | svchost.com | 96 |
| PID 1728 wrote to memory of 2836 | 1728 | 2BE3D8~1.EXE | 97 |
| PID 1728 wrote to memory of 2836 | 1728 | 2BE3D8~1.EXE | 97 |
| PID 1728 wrote to memory of 2836 | 1728 | 2BE3D8~1.EXE | 97 |
| PID 2836 wrote to memory of 2576 | 2836 | svchost.com | 98 |
| PID 2836 wrote to memory of 2576 | 2836 | svchost.com | 98 |
| PID 2836 wrote to memory of 2576 | 2836 | svchost.com | 98 |
| PID 2576 wrote to memory of 3016 | 2576 | 2BE3D8~1.EXE | 99 |
| PID 2576 wrote to memory of 3016 | 2576 | 2BE3D8~1.EXE | 99 |
| PID 2576 wrote to memory of 3016 | 2576 | 2BE3D8~1.EXE | 99 |
| PID 3016 wrote to memory of 4048 | 3016 | svchost.com | 100 |
| PID 3016 wrote to memory of 4048 | 3016 | svchost.com | 100 |
| PID 3016 wrote to memory of 4048 | 3016 | svchost.com | 100 |
| PID 4048 wrote to memory of 3832 | 4048 | 2BE3D8~1.EXE | 101 |
| PID 4048 wrote to memory of 3832 | 4048 | 2BE3D8~1.EXE | 101 |
| PID 4048 wrote to memory of 3832 | 4048 | 2BE3D8~1.EXE | 101 |
| PID 3832 wrote to memory of 5020 | 3832 | svchost.com | 172 |
| PID 3832 wrote to memory of 5020 | 3832 | svchost.com | 172 |
| PID 3832 wrote to memory of 5020 | 3832 | svchost.com | 172 |
| PID 5020 wrote to memory of 2984 | 5020 | 2BE3D8~1.EXE | 103 |
| PID 5020 wrote to memory of 2984 | 5020 | 2BE3D8~1.EXE | 103 |
| PID 5020 wrote to memory of 2984 | 5020 | 2BE3D8~1.EXE | 103 |
| PID 2984 wrote to memory of 1316 | 2984 | svchost.com | 142 |
| PID 2984 wrote to memory of 1316 | 2984 | svchost.com | 142 |
| PID 2984 wrote to memory of 1316 | 2984 | svchost.com | 142 |
| PID 1316 wrote to memory of 4108 | 1316 | 2BE3D8~1.EXE | 105 |
Processes

C:\Users\Admin\AppData\Local\Temp\2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe (depth 1, PID 4556)
Command line: "C:\Users\Admin\AppData\Local\Temp\2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe"
- Modifies system executable filetype association
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory

C:\Users\Admin\AppData\Local\Temp\3582-490\2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe (depth 2, PID 5056)
Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\2be3d8b5f50f6107766c6c94253bb6cdc0acfb20b0068afdc07cd51bd06abf0fN.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory

C:\Windows\svchost.com (depth 3, PID 456)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 4, PID 3416)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory

C:\Windows\svchost.com (depth 5, PID 808)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 6, PID 316)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory

C:\Windows\svchost.com (depth 7, PID 624)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 8, PID 4988)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory

C:\Windows\svchost.com (depth 9, PID 4232)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 10, PID 2288)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory

C:\Windows\svchost.com (depth 11, PID 2200)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory

C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 12, PID 2968)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory

C:\Windows\svchost.com (depth 13, PID 3472)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 14, PID 1728)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Windows\svchost.com (depth 15, PID 2836)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 16, PID 2576)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory

C:\Windows\svchost.com (depth 17, PID 3016)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 18, PID 4048)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory

C:\Windows\svchost.com (depth 19, PID 3832)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 20, PID 5020)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory

C:\Windows\svchost.com (depth 21, PID 2984)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 22, PID 1316)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

C:\Windows\svchost.com (depth 23, PID 4108)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"
- Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 24, PID 2800)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE
- Executes dropped EXE
- Modifies registry class

C:\Windows\svchost.com (depth 25, PID 3888)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"
- Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 26, PID 3632)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE
- Executes dropped EXE

C:\Windows\svchost.com (depth 27, PID 1680)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"
- Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 28, PID 3484)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE
- Executes dropped EXE
- Drops file in Windows directory

C:\Windows\svchost.com (depth 29, PID 3252)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"
- Executes dropped EXE
- Drops file in Windows directory

C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 30, PID 1668)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE
- Executes dropped EXE

C:\Windows\svchost.com (depth 31, PID 620)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"
- Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 32, PID 4420)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE
- Executes dropped EXE

C:\Windows\svchost.com (depth 33, PID 4020)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"
- Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 34, PID 4808)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE
- Executes dropped EXE

C:\Windows\svchost.com (depth 35, PID 2056)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"
- Executes dropped EXE
- System Location Discovery: System Language Discovery

C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 36, PID 4932)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE
- Executes dropped EXE
- Modifies registry class

C:\Windows\svchost.com (depth 37, PID 4184)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"
- Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 38, PID 2956)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE
- Checks computer location settings
- Executes dropped EXE

C:\Windows\svchost.com (depth 39, PID 4668)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"
- Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 40, PID 652)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class

C:\Windows\svchost.com (depth 41, PID 3472)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"
- Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 42, PID 2580)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class

C:\Windows\svchost.com (depth 43, PID 536)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"
- Executes dropped EXE
- Drops file in Windows directory

C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 44, PID 776)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class

C:\Windows\svchost.com (depth 45, PID 2380)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 46, PID 1132)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE
- Executes dropped EXE
- Modifies registry class

C:\Windows\svchost.com (depth 47, PID 5008)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"
- Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 48, PID 3732)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE
- Executes dropped EXE
- System Location Discovery: System Language Discovery

C:\Windows\svchost.com (depth 49, PID 3636)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"
- Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 50, PID 4616)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class

C:\Windows\svchost.com (depth 51, PID 1584)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"
- Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 52, PID 1012)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE
- Checks computer location settings
- Executes dropped EXE

C:\Windows\svchost.com (depth 53, PID 1544)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"
- Executes dropped EXE
- System Location Discovery: System Language Discovery

C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 54, PID 1804)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE
- Executes dropped EXE
- Modifies registry class

C:\Windows\svchost.com (depth 55, PID 2104)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"
- Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 56, PID 2860)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class

C:\Windows\svchost.com (depth 57, PID 5036)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"
- Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 58, PID 2560)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE
- Executes dropped EXE
- System Location Discovery: System Language Discovery

C:\Windows\svchost.com (depth 59, PID 1316)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"
- Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 60, PID 4852)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE
- Executes dropped EXE
- Drops file in Windows directory

C:\Windows\svchost.com (depth 61, PID 4180)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"
- Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 62, PID 1920)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE
- Executes dropped EXE

C:\Windows\svchost.com (depth 63, PID 1492)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"
- Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 64, PID 1480)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE
- Executes dropped EXE
- System Location Discovery: System Language Discovery

C:\Windows\svchost.com (depth 65, PID 3364)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"
- Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 66, PID 4788)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE
- Checks computer location settings

C:\Windows\svchost.com (depth 67, PID 2084)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"
- Drops file in Windows directory

C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 68, PID 5088)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE

C:\Windows\svchost.com (depth 69, PID 316)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 70, PID 1224)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE

C:\Windows\svchost.com (depth 71, PID 5004)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 72, PID 2720)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE

C:\Windows\svchost.com (depth 73, PID 4832)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"
- Drops file in Windows directory

C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 74, PID 4072)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE

C:\Windows\svchost.com (depth 75, PID 1796)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"
- Drops file in Windows directory

C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 76, PID 3884)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE
- Checks computer location settings
- Modifies registry class
C:\Windows\svchost.com (depth 77, PID 2464)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 78, PID 4128)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE
- Drops file in Windows directory

C:\Windows\svchost.com (depth 79, PID 2240)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 80, PID 2348)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE
- Modifies registry class

C:\Windows\svchost.com (depth 81, PID 3420)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 82, PID 4336)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE
- Checks computer location settings

C:\Windows\svchost.com (depth 83, PID 3224)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"
- System Location Discovery: System Language Discovery

C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 84, PID 408)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE
- Modifies registry class

C:\Windows\svchost.com (depth 85, PID 3648)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"
- Drops file in Windows directory

C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 86, PID 3336)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class

C:\Windows\svchost.com (depth 87, PID 3592)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"
- Drops file in Windows directory

C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 88, PID 3108)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE
- System Location Discovery: System Language Discovery

C:\Windows\svchost.com (depth 89, PID 5020)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 90, PID 4448)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE
- Checks computer location settings

C:\Windows\svchost.com (depth 91, PID 1848)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 92, PID 3488)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE
- Modifies registry class

C:\Windows\svchost.com (depth 93, PID 4528)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"
- System Location Discovery: System Language Discovery

C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 94, PID 4568)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE

C:\Windows\svchost.com (depth 95, PID 3620)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 96, PID 5036)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class

C:\Windows\svchost.com (depth 97, PID 4356)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 98, PID 1644)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class

C:\Windows\svchost.com (depth 99, PID 4852)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"
- System Location Discovery: System Language Discovery

C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 100, PID 3632)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE

C:\Windows\svchost.com (depth 101, PID 2292)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"
- Drops file in Windows directory

C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 102, PID 5112)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class

C:\Windows\svchost.com (depth 103, PID 3484)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 104, PID 3692)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE
- Drops file in Windows directory

C:\Windows\svchost.com (depth 105, PID 2772)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 106, PID 1648)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE
- Checks computer location settings
- Modifies registry class

C:\Windows\svchost.com (depth 107, PID 64)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"
- Drops file in Windows directory
- System Location Discovery: System Language Discovery

C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 108, PID 1224)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE
- Checks computer location settings
- Drops file in Windows directory

C:\Windows\svchost.com (depth 109, PID 3440)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 110, PID 4368)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE
- System Location Discovery: System Language Discovery
- Modifies registry class

C:\Windows\svchost.com (depth 111, PID 4560)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE (depth 112)
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE
- Modifies registry class
PID:4992 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"113⤵PID:3900
-
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE114⤵
- Checks computer location settings
- Modifies registry class
PID:4652 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"115⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1260 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE116⤵
- Checks computer location settings
PID:3668 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"117⤵PID:2972
-
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE118⤵
- Checks computer location settings
- Drops file in Windows directory
PID:3832 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"119⤵
- System Location Discovery: System Language Discovery
PID:3592 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE120⤵PID:1756
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE"121⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5020 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\2BE3D8~1.EXE122⤵PID:872