Analysis
max time kernel: 93s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-12-2024 02:54
Behavioral task: behavioral1
Sample: 84841afcdc653d754748cf3f200ad7007d7d9adb01f123924172c407b333f1bbN.exe
Resource: win7-20240729-en
Behavioral task: behavioral2
Sample: 84841afcdc653d754748cf3f200ad7007d7d9adb01f123924172c407b333f1bbN.exe
Resource: win10v2004-20241007-en
General
Target: 84841afcdc653d754748cf3f200ad7007d7d9adb01f123924172c407b333f1bbN.exe
Size: 393KB
MD5: a58fca2c4d0e6453e0d9e1bfb61ab130
SHA1: ec12b0634e736388ff42feede7806d8d5b5defc0
SHA256: 84841afcdc653d754748cf3f200ad7007d7d9adb01f123924172c407b333f1bb
SHA512: 481bb904cf09f6ac2020ea8e9cfc550173032ea87ff715e9b5a31371c225ce6a34c38cc985a3d4810863ff7240a5caf0ea4e16f8931e64c52c7fd3ae7ff36a7b
SSDEEP: 3072:sr85CFCkxa43VhkK7fi8XKNy6ZWsIn0Bqem7J6R2xQkSrQr85Cxr85C:k93hVhdfi8RnZRem7wRmSrQ9N9
Malware Config
Signatures
Detect Neshta payload 64 IoCs
Neshta
Malware from the Neshta family infects other executable files in order to spread and cause damage.
Neshta family
Checks computer location settings 2 TTPs 64 IoCs
Looks up the country code configured in the registry (Control Panel\International\Geo\Nation under the user hive), likely as a geofence check.
Executes dropped EXE 64 IoCs
pid Process 404 84841afcdc653d754748cf3f200ad7007d7d9adb01f123924172c407b333f1bbN.exe 4952 svchost.com 3384 84841A~1.EXE 3100 svchost.com 4244 84841A~1.EXE 2212 svchost.com 1924 84841A~1.EXE 2688 svchost.com 3616 84841A~1.EXE 2876 svchost.com 3448 84841A~1.EXE 412 svchost.com 1808 84841A~1.EXE 2248 svchost.com 4140 84841A~1.EXE 3896 svchost.com 3320 84841A~1.EXE 2500 svchost.com 1548 84841A~1.EXE 4592 svchost.com 4032 84841A~1.EXE 5004 svchost.com 4772 84841A~1.EXE 5096 svchost.com 4816 84841A~1.EXE 2052 svchost.com 1280 84841A~1.EXE 2300 svchost.com 2216 84841A~1.EXE 2932 svchost.com 3592 84841A~1.EXE 2160 svchost.com 692 84841A~1.EXE 264 svchost.com 4244 84841A~1.EXE 4148 svchost.com 1600 84841A~1.EXE 4640 svchost.com 960 84841A~1.EXE 4280 svchost.com 948 84841A~1.EXE 3676 svchost.com 1220 84841A~1.EXE 1636 svchost.com 1424 84841A~1.EXE 4764 svchost.com 1492 84841A~1.EXE 3920 svchost.com 1504 84841A~1.EXE 396 svchost.com 964 84841A~1.EXE 3360 svchost.com 2372 84841A~1.EXE 4796 svchost.com 744 84841A~1.EXE 2640 svchost.com 1680 84841A~1.EXE 1604 svchost.com 1548 84841A~1.EXE 4632 svchost.com 1968 84841A~1.EXE 4328 svchost.com 3820 84841A~1.EXE 3600 svchost.com -
Modifies system executable filetype association 2 TTPs 1 IoCs
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" (process: 84841afcdc653d754748cf3f200ad7007d7d9adb01f123924172c407b333f1bbN.exe)
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar sensitive items.
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host (registry key \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language) in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 84841A~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 84841A~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 84841A~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 84841A~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 84841A~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 84841A~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 84841A~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 84841A~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 84841A~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 84841A~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 84841A~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 84841A~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 84841A~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 84841A~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 84841A~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 84841A~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 84841A~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 84841A~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 84841A~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 84841A~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 84841A~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 84841A~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 84841A~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 84841A~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 84841A~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 84841A~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 84841A~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 84841afcdc653d754748cf3f200ad7007d7d9adb01f123924172c407b333f1bbN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 84841A~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 84841A~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 84841A~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 84841A~1.EXE
Modifies registry class 64 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841afcdc653d754748cf3f200ad7007d7d9adb01f123924172c407b333f1bbN.exe
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 84841A~1.EXE
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 4020 wrote to memory of 404 | 4020 | 84841afcdc653d754748cf3f200ad7007d7d9adb01f123924172c407b333f1bbN.exe | 81
PID 4020 wrote to memory of 404 | 4020 | 84841afcdc653d754748cf3f200ad7007d7d9adb01f123924172c407b333f1bbN.exe | 81
PID 4020 wrote to memory of 404 | 4020 | 84841afcdc653d754748cf3f200ad7007d7d9adb01f123924172c407b333f1bbN.exe | 81
PID 404 wrote to memory of 4952 | 404 | 84841afcdc653d754748cf3f200ad7007d7d9adb01f123924172c407b333f1bbN.exe | 82
PID 404 wrote to memory of 4952 | 404 | 84841afcdc653d754748cf3f200ad7007d7d9adb01f123924172c407b333f1bbN.exe | 82
PID 404 wrote to memory of 4952 | 404 | 84841afcdc653d754748cf3f200ad7007d7d9adb01f123924172c407b333f1bbN.exe | 82
PID 4952 wrote to memory of 3384 | 4952 | svchost.com | 83
PID 4952 wrote to memory of 3384 | 4952 | svchost.com | 83
PID 4952 wrote to memory of 3384 | 4952 | svchost.com | 83
PID 3384 wrote to memory of 3100 | 3384 | 84841A~1.EXE | 84
PID 3384 wrote to memory of 3100 | 3384 | 84841A~1.EXE | 84
PID 3384 wrote to memory of 3100 | 3384 | 84841A~1.EXE | 84
PID 3100 wrote to memory of 4244 | 3100 | svchost.com | 116
PID 3100 wrote to memory of 4244 | 3100 | svchost.com | 116
PID 3100 wrote to memory of 4244 | 3100 | svchost.com | 116
PID 4244 wrote to memory of 2212 | 4244 | 84841A~1.EXE | 86
PID 4244 wrote to memory of 2212 | 4244 | 84841A~1.EXE | 86
PID 4244 wrote to memory of 2212 | 4244 | 84841A~1.EXE | 86
PID 2212 wrote to memory of 1924 | 2212 | svchost.com | 87
PID 2212 wrote to memory of 1924 | 2212 | svchost.com | 87
PID 2212 wrote to memory of 1924 | 2212 | svchost.com | 87
PID 1924 wrote to memory of 2688 | 1924 | 84841A~1.EXE | 88
PID 1924 wrote to memory of 2688 | 1924 | 84841A~1.EXE | 88
PID 1924 wrote to memory of 2688 | 1924 | 84841A~1.EXE | 88
PID 2688 wrote to memory of 3616 | 2688 | svchost.com | 89
PID 2688 wrote to memory of 3616 | 2688 | svchost.com | 89
PID 2688 wrote to memory of 3616 | 2688 | svchost.com | 89
PID 3616 wrote to memory of 2876 | 3616 | 84841A~1.EXE | 90
PID 3616 wrote to memory of 2876 | 3616 | 84841A~1.EXE | 90
PID 3616 wrote to memory of 2876 | 3616 | 84841A~1.EXE | 90
PID 2876 wrote to memory of 3448 | 2876 | svchost.com | 91
PID 2876 wrote to memory of 3448 | 2876 | svchost.com | 91
PID 2876 wrote to memory of 3448 | 2876 | svchost.com | 91
PID 3448 wrote to memory of 412 | 3448 | 84841A~1.EXE | 92
PID 3448 wrote to memory of 412 | 3448 | 84841A~1.EXE | 92
PID 3448 wrote to memory of 412 | 3448 | 84841A~1.EXE | 92
PID 412 wrote to memory of 1808 | 412 | svchost.com | 93
PID 412 wrote to memory of 1808 | 412 | svchost.com | 93
PID 412 wrote to memory of 1808 | 412 | svchost.com | 93
PID 1808 wrote to memory of 2248 | 1808 | 84841A~1.EXE | 94
PID 1808 wrote to memory of 2248 | 1808 | 84841A~1.EXE | 94
PID 1808 wrote to memory of 2248 | 1808 | 84841A~1.EXE | 94
PID 2248 wrote to memory of 4140 | 2248 | svchost.com | 95
PID 2248 wrote to memory of 4140 | 2248 | svchost.com | 95
PID 2248 wrote to memory of 4140 | 2248 | svchost.com | 95
PID 4140 wrote to memory of 3896 | 4140 | 84841A~1.EXE | 96
PID 4140 wrote to memory of 3896 | 4140 | 84841A~1.EXE | 96
PID 4140 wrote to memory of 3896 | 4140 | 84841A~1.EXE | 96
PID 3896 wrote to memory of 3320 | 3896 | svchost.com | 97
PID 3896 wrote to memory of 3320 | 3896 | svchost.com | 97
PID 3896 wrote to memory of 3320 | 3896 | svchost.com | 97
PID 3320 wrote to memory of 2500 | 3320 | 84841A~1.EXE | 98
PID 3320 wrote to memory of 2500 | 3320 | 84841A~1.EXE | 98
PID 3320 wrote to memory of 2500 | 3320 | 84841A~1.EXE | 98
PID 2500 wrote to memory of 1548 | 2500 | svchost.com | 140
PID 2500 wrote to memory of 1548 | 2500 | svchost.com | 140
PID 2500 wrote to memory of 1548 | 2500 | svchost.com | 140
PID 1548 wrote to memory of 4592 | 1548 | 84841A~1.EXE | 100
PID 1548 wrote to memory of 4592 | 1548 | 84841A~1.EXE | 100
PID 1548 wrote to memory of 4592 | 1548 | 84841A~1.EXE | 100
PID 4592 wrote to memory of 4032 | 4592 | svchost.com | 184
PID 4592 wrote to memory of 4032 | 4592 | svchost.com | 184
PID 4592 wrote to memory of 4032 | 4592 | svchost.com | 184
PID 4032 wrote to memory of 5004 | 4032 | 84841A~1.EXE | 102
Processes

Each entry below is one node of the process tree; the leading number is its depth (each process is a child of the one listed before it).

1. C:\Users\Admin\AppData\Local\Temp\84841afcdc653d754748cf3f200ad7007d7d9adb01f123924172c407b333f1bbN.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\84841afcdc653d754748cf3f200ad7007d7d9adb01f123924172c407b333f1bbN.exe"
   - Modifies system executable filetype association
   - Drops file in Program Files directory
   - Suspicious use of WriteProcessMemory
   PID: 4020

2. C:\Users\Admin\AppData\Local\Temp\3582-490\84841afcdc653d754748cf3f200ad7007d7d9adb01f123924172c407b333f1bbN.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\84841afcdc653d754748cf3f200ad7007d7d9adb01f123924172c407b333f1bbN.exe"
   - Executes dropped EXE
   - Drops file in Program Files directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 404

3. C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 4952

4. C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 3384

5. C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 3100

6. C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
   - Checks computer location settings
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 4244

7. C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 2212

8. C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 1924

9. C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 2688

10. C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 3616

11. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2876

12. C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3448

13. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 412

14. C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 1808

15. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2248

16. C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 4140

17. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 3896

18. C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    - Executes dropped EXE
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 3320

19. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2500

20. C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 1548

21. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 4592

22. C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 4032

23. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
    - Executes dropped EXE
    PID: 5004

24. C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    - Checks computer location settings
    - Executes dropped EXE
    PID: 4772

25. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
    - Executes dropped EXE
    PID: 5096

26. C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    - Executes dropped EXE
    PID: 4816

27. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 2052

28. C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    - Executes dropped EXE
    - Modifies registry class
    PID: 1280

29. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
    - Executes dropped EXE
    PID: 2300

30. C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID: 2216

31. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
    - Executes dropped EXE
    PID: 2932

32. C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    - Executes dropped EXE
    - Drops file in Windows directory
    - Modifies registry class
    PID: 3592

33. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
    - Executes dropped EXE
    - Drops file in Windows directory
    PID: 2160

34. C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    - Checks computer location settings
    - Executes dropped EXE
    PID: 692

35. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
    - Executes dropped EXE
    PID: 264

36. C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    - Executes dropped EXE
    PID: 4244

37. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
    - Executes dropped EXE
    - Drops file in Windows directory
    PID: 4148

38. C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    - Checks computer location settings
    - Executes dropped EXE
    PID: 1600

39. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
    - Executes dropped EXE
    PID: 4640

40. C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    - Executes dropped EXE
    - Modifies registry class
    PID: 960

41. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
    - Executes dropped EXE
    PID: 4280

42. C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    - Executes dropped EXE
    - Drops file in Windows directory
    - Modifies registry class
    PID: 948

43. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
    - Executes dropped EXE
    PID: 3676

44. C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID: 1220

45. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
    - Executes dropped EXE
    PID: 1636

46. C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    PID: 1424

47. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
    - Executes dropped EXE
    - Drops file in Windows directory
    PID: 4764

48. C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 1492

49. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 3920

50. C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    PID: 1504

51. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
    - Executes dropped EXE
    PID: 396

52. C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 964

53. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
    - Executes dropped EXE
    PID: 3360

54. C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID: 2372

55. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
    - Executes dropped EXE
    - Drops file in Windows directory
    PID: 4796

56. C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    PID: 744

57. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
    - Executes dropped EXE
    - Drops file in Windows directory
    PID: 2640

58. C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    - Executes dropped EXE
    - Modifies registry class
    PID: 1680

59. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
    - Executes dropped EXE
    PID: 1604

60. C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    - Executes dropped EXE
    PID: 1548

61. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 4632

62. C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    - Checks computer location settings
    - Executes dropped EXE
    PID: 1968

63. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID: 4328

64. C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 3820

65. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 3600

66. C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    - Drops file in Windows directory
    - Modifies registry class
    PID: 2368

67. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
    PID: 3112

68. C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    - Checks computer location settings
    - Modifies registry class
    PID: 644

69. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
    PID: 3796

70. C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    - Checks computer location settings
    PID: 4352

71. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
    - Drops file in Windows directory
    PID: 2976

72. C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    - Checks computer location settings
    - Drops file in Windows directory
    PID: 5032

73. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
    PID: 3096

74. C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    - Checks computer location settings
    PID: 5044

75. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
    PID: 2160

76. C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    - Checks computer location settings
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID: 3516

77. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
    PID: 1292

78. C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    PID: 2612

79. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
    - Drops file in Windows directory
    PID: 2412

80. C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    - Modifies registry class
    PID: 1600

81. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
    - System Location Discovery: System Language Discovery
    PID: 4640

82. C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    PID: 960

83. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID: 1592

84. C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    - Drops file in Windows directory
    - Modifies registry class
    PID: 4044

85. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
    PID: 2812

86. C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    PID: 3912

87. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
    PID: 1496

88. C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    PID: 1424

89. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
    PID: 4140

90. C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    - Drops file in Windows directory
    PID: 1492

91. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
    - System Location Discovery: System Language Discovery
    PID: 860

92. C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    - Modifies registry class
    PID: 4420

93. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
    PID: 2348

94. C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID: 4412

95. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
    PID: 2820

96. C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    - Drops file in Windows directory
    - Modifies registry class
    PID: 3500

97. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
    PID: 2756

98. C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID: 2800

99. C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
    PID: 4036

100. C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
     Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
     - Checks computer location settings
     PID: 1020

101. C:\Windows\svchost.com
     Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
     - Drops file in Windows directory
     - System Location Discovery: System Language Discovery
     PID: 4336

102. C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
     Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
     - Checks computer location settings
     PID: 5016

103. C:\Windows\svchost.com
     Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
     PID: 1596

104. C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
     Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
     - Checks computer location settings
     - System Location Discovery: System Language Discovery
     - Modifies registry class
     PID: 4032

105. C:\Windows\svchost.com
     Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
     PID: 4948

106. C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
     Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
     - Checks computer location settings
     PID: 4792

107. C:\Windows\svchost.com
     Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
     PID: 4488

108. C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
     Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
     - Checks computer location settings
     - Modifies registry class
     PID: 1216

109. C:\Windows\svchost.com
     Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
     - Drops file in Windows directory
     - System Location Discovery: System Language Discovery
     PID: 4192

110. C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
     Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE
     - Checks computer location settings
     PID: 4356

111. C:\Windows\svchost.com
     Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"
     PID: 2900
-
C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE112⤵
- Checks computer location settings
- Drops file in Windows directory
PID:4216 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"113⤵PID:3380
-
C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE114⤵PID:4728
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"115⤵PID:836
-
C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE116⤵
- Checks computer location settings
- Modifies registry class
PID:5036 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"117⤵PID:4848
-
C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE118⤵
- Checks computer location settings
PID:1924 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"119⤵PID:2688
-
C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE120⤵
- Checks computer location settings
- Modifies registry class
PID:2280 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE"121⤵PID:4648
-
C:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\84841A~1.EXE122⤵
- Drops file in Windows directory
- Modifies registry class
PID:3616