Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 11-12-2024 08:49
Behavioral task: behavioral1
Sample: 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
Resource: win10v2004-20241007-en
General
Target: 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
Size: 645KB
MD5: a4b959543b0e803e5b7b244d8f8dad90
SHA1: 3c6660ac90c2ba8b17f4dc44c60d0a2d5f1a6ea1
SHA256: 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53
SHA512: aad9dc90a6e4a3b37a6e70225d854493a5fbeef37a78e08622cc0aaa079a89d4be6266e749aefc28ffc7d617d5c5e4d96aed0e4fb9d7e48f61da026a4d977162
SSDEEP: 12288:BPNyDPCwn3/oSwpjnVWqqPIBONhxsUbPqYy2wa:LTwgSww/xsUbPO2B
Malware Config
Signatures
Detect Neshta payload 64 IoCs
Neshta
Malware from the Neshta family infects other executable files with copies of itself in order to spread and cause damage.
Neshta family
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Modifies system executable filetype association 2 TTPs 1 IoCs
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" (process: 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe)
With this value set, every .exe launched through the shell is handed to C:\Windows\svchost.com first, which is why the process tree below alternates between svchost.com and 7B64D1~1.EXE.
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 1 IoCs
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" (process: 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe)
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe"C:\Users\Admin\AppData\Local\Temp\7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe"1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1252 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE10⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE12⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1400 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE14⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:780 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE18⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1288 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE20⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3024 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:660 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE22⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:840 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE24⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1344 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE26⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2912 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2344 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2200 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE30⤵
- Executes dropped EXE
PID:788 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:288 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE32⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2316 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE34⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"35⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2788 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE36⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"37⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2600 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE38⤵
- Executes dropped EXE
PID:1048 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"39⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2068 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE40⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"41⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:3016 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE42⤵
- Executes dropped EXE
PID:884 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"43⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2880 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE44⤵
- Executes dropped EXE
PID:856 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"45⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2676 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE46⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"47⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1664 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE48⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"49⤵
- Executes dropped EXE
- Loads dropped DLL
PID:308 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE50⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2008 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"51⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1624 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE52⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"53⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1672 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE54⤵
- Executes dropped EXE
PID:1352 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"55⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1984 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE56⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2016 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"57⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2992 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE58⤵
- Executes dropped EXE
PID:340 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"59⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1280 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE60⤵
- Executes dropped EXE
PID:660 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"61⤵
- Executes dropped EXE
PID:1812 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE62⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"63⤵
- Executes dropped EXE
PID:840 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE64⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1676 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"65⤵
- Executes dropped EXE
PID:1700 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE66⤵
PID:2460 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"67⤵
- Drops file in Windows directory
PID:2328 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE68⤵
PID:880 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"69⤵
PID:2076 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE70⤵
- System Location Discovery: System Language Discovery
PID:3028 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"71⤵
PID:1440 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE72⤵
PID:2032 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"73⤵
PID:2756 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE74⤵
PID:2304 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"75⤵
PID:1316 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE76⤵
PID:2840 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"77⤵
PID:2796 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE78⤵
PID:2788 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"79⤵
PID:2596 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE80⤵
PID:2620 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"81⤵
- System Location Discovery: System Language Discovery
PID:2584 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE82⤵
- Drops file in Windows directory
PID:2616 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"83⤵
PID:2172 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE84⤵
PID:2576 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"85⤵
PID:3048 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE86⤵
- Drops file in Windows directory
PID:768 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"87⤵
- System Location Discovery: System Language Discovery
PID:2832 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE88⤵
PID:2644 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"89⤵
PID:2872 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE90⤵
PID:2000 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"91⤵
- System Location Discovery: System Language Discovery
PID:856 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE92⤵
PID:1380 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"93⤵
PID:1480 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE94⤵
PID:1716 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"95⤵
- Drops file in Windows directory
PID:1056 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE96⤵
- Drops file in Windows directory
PID:308 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"97⤵
PID:800 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE98⤵
- System Location Discovery: System Language Discovery
PID:2156 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"99⤵
PID:1952 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE100⤵
PID:1240 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"101⤵
- System Location Discovery: System Language Discovery
PID:2556 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE102⤵
PID:1984 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"103⤵
PID:2016 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE104⤵
PID:1588 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"105⤵
PID:1032 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE106⤵
PID:904 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"107⤵
PID:1648 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE108⤵
- Drops file in Windows directory
PID:1864 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"109⤵
- System Location Discovery: System Language Discovery
PID:2672 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE110⤵
PID:700 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"111⤵
PID:1644 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE112⤵
PID:1248 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"113⤵
- System Location Discovery: System Language Discovery
PID:2980 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE114⤵
PID:1788 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"115⤵
PID:2344 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE116⤵
PID:3068 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"117⤵
PID:1784 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE118⤵
PID:1196 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"119⤵
PID:2036 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE120⤵
PID:2316 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"121⤵
- System Location Discovery: System Language Discovery
PID:1580 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE122⤵
PID:2840
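Added example, not part of this sandbox report and not code from the sample: a Python triage script that turns the "wrote to memory of" table above into a launch chain, de-duplicates the repeated records, and flags the pattern the process tree shows, in which one image (here C:\Windows\svchost.com) is launched before every re-execution of the short-name copy under 3582-490. It also includes a check for the "Modifies system executable filetype association" signature: given the value of HKCR\exefile\shell\open\command, it returns whatever program is run ahead of "%1". Assumptions: the constructed excerpt abbreviates the sample's hash name to SAMPLE.exe; the stock Windows 7 value of that registry command is `"%1" %*`; the hijacked value in the usage block is constructed and not read from this report.

```python
"""Reconstruct the launch chain from a sandbox "wrote to memory of" table and
flag an executable that has interposed itself into every process launch."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in the report's flattened record format. The sample's
# long hash name is shortened to SAMPLE.exe here; records repeat, as in the
# report, and the parser de-duplicates them.
SAMPLE_EVENTS = (
    "PID 2668 wrote to memory of 2704 2668 SAMPLE.exe 30 "
    "PID 2668 wrote to memory of 2704 2668 SAMPLE.exe 30 "
    "PID 2704 wrote to memory of 2580 2704 SAMPLE.exe 31 "
    "PID 2580 wrote to memory of 2608 2580 svchost.com 32 "
    "PID 2608 wrote to memory of 3044 2608 7B64D1~1.EXE 33 "
    "PID 3044 wrote to memory of 2576 3044 svchost.com 34 "
    "PID 2576 wrote to memory of 2648 2576 7B64D1~1.EXE 35 "
    "PID 2648 wrote to memory of 3016 2648 svchost.com 69 "
)

# Fields: parent PID, child PID, parent PID again, parent image, procid_target.
RECORD = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")

# Assumed stock value of HKCR\exefile\shell\open\command on a clean Windows 7:
# the requested file is run directly, with its arguments.
STOCK_EXEFILE_OPEN = '"%1" %*'


def parse_events(text: str) -> List[Tuple[int, int, str]]:
    """Return unique (parent_pid, child_pid, parent_image) edges in report order."""
    edges: List[Tuple[int, int, str]] = []
    seen = set()
    for m in RECORD.finditer(text):
        parent, child, image = int(m.group(1)), int(m.group(2)), m.group(3)
        if (parent, child) not in seen:
            seen.add((parent, child))
            edges.append((parent, child, image))
    return edges


def launch_chain(edges) -> List[Tuple[int, Optional[str]]]:
    """Walk from the root (a writer that is never a target), following the first
    child of each process. The last leaf never wrote anywhere, so its image is
    unknown from this table alone (None)."""
    image: Dict[int, str] = {p: img for p, _, img in edges}
    children: Dict[int, List[int]] = {}
    for p, c, _ in edges:
        children.setdefault(p, []).append(c)
    targets = {c for _, c, _ in edges}
    roots = [p for p in children if p not in targets]
    chain: List[Tuple[int, Optional[str]]] = []
    pid: Optional[int] = roots[0] if roots else None
    while pid is not None:
        chain.append((pid, image.get(pid)))
        nxt = children.get(pid, [])
        pid = nxt[0] if nxt else None
    return chain


def interposer(chain, min_cycles: int = 2) -> Optional[Tuple[str, str]]:
    """Heuristic: find the earliest point from which exactly two images
    alternate to the end of the chain for at least min_cycles rounds.
    Returns (interposing_image, relaunched_image) or None."""
    images = [img for _, img in chain if img]
    for i in range(len(images)):
        tail = images[i:]
        if len(tail) < 2 * min_cycles or tail[1] == tail[0]:
            continue
        a, b = tail[0], tail[1]
        if all(tail[k] == (a if k % 2 == 0 else b) for k in range(len(tail))):
            return a, b
    return None


def association_interposer(command: str) -> Optional[str]:
    """Return the program an exefile open command runs before "%1", or None
    when the association is the stock one (first token is "%1" itself)."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
    if not m:
        return None
    first = m.group(1) or m.group(2)
    return None if first == "%1" else first


if __name__ == "__main__":
    chain = launch_chain(parse_events(SAMPLE_EVENTS))
    for pid, img in chain:
        print(f"{pid:>5}  {img or '?'}")
    print("interposer:", interposer(chain))
    # Constructed registry value of the kind the "Modifies system executable
    # filetype association" signature fires on; assumed, not taken from the report.
    print("hijacked:", association_interposer(r'"C:\Windows\svchost.com" "%1" %*'))
    print("stock:", association_interposer(STOCK_EXEFILE_OPEN))
```

The alternation check is deliberately image-based rather than PID-based: as the table shows, PIDs are recycled during a long run (3016 and 1624 both appear twice in the tree, which is why their procid_target values jump to 69 and 79), so a detector keyed on PIDs alone would mis-link parents and children.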