Analysis
max time kernel: 94s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-12-2024 08:49
Behavioral task: behavioral1
Sample: 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
Resource: win10v2004-20241007-en
General
Target: 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
Size: 645KB
MD5: a4b959543b0e803e5b7b244d8f8dad90
SHA1: 3c6660ac90c2ba8b17f4dc44c60d0a2d5f1a6ea1
SHA256: 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53
SHA512: aad9dc90a6e4a3b37a6e70225d854493a5fbeef37a78e08622cc0aaa079a89d4be6266e749aefc28ffc7d617d5c5e4d96aed0e4fb9d7e48f61da026a4d977162
SSDEEP: 12288:BPNyDPCwn3/oSwpjnVWqqPIBONhxsUbPqYy2wa:LTwgSww/xsUbPO2B
Malware Config
Signatures
Detect Neshta payload (64 IoCs)
resource | yara_rule
behavioral2/files/0x000a000000023b68-4.dat | family_neshta
behavioral2/files/0x000a000000023b69-11.dat | family_neshta
behavioral2/memory/2348-16-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/3708-20-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/5000-28-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/2436-32-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/3720-40-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/1536-44-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/3132-52-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/2116-62-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/3732-64-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/1668-68-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/1632-76-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/1480-80-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/files/0x0004000000020371-89.dat | family_neshta
behavioral2/files/0x00070000000202ac-93.dat | family_neshta
behavioral2/files/0x000600000002024c-96.dat | family_neshta
behavioral2/files/0x0006000000020244-95.dat | family_neshta
behavioral2/files/0x0004000000020364-103.dat | family_neshta
behavioral2/memory/3696-110-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/3744-120-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/1716-122-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/1760-133-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/files/0x000200000002033b-136.dat | family_neshta
behavioral2/files/0x0001000000021507-145.dat | family_neshta
behavioral2/files/0x0001000000021506-144.dat | family_neshta
behavioral2/memory/4364-146-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/files/0x0001000000022f4a-161.dat | family_neshta
behavioral2/files/0x0001000000022f4e-160.dat | family_neshta
behavioral2/files/0x00010000000167d4-178.dat | family_neshta
behavioral2/files/0x00010000000167b9-177.dat | family_neshta
behavioral2/memory/5048-181-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/files/0x000100000001680b-176.dat | family_neshta
behavioral2/files/0x00010000000167ce-187.dat | family_neshta
behavioral2/files/0x000100000001dc20-197.dat | family_neshta
behavioral2/files/0x0001000000016922-205.dat | family_neshta
behavioral2/files/0x000100000001691c-204.dat | family_neshta
behavioral2/files/0x0001000000016920-203.dat | family_neshta
behavioral2/memory/1352-218-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/4636-198-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/4552-221-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/files/0x000100000001dc14-194.dat | family_neshta
behavioral2/files/0x000100000001680e-186.dat | family_neshta
behavioral2/files/0x0001000000022f8d-172.dat | family_neshta
behavioral2/memory/1496-230-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/1228-241-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/1628-251-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/2176-257-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/816-259-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/1428-265-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/3720-272-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/4460-273-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/436-280-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/4940-281-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/624-283-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/4556-289-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/3916-296-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/4380-297-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/4944-299-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/3220-305-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/2996-307-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/3696-313-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/4996-315-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/1296-321-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
Neshta
Malware from the Neshta family inserts copies of itself into other files in order to spread and cause damage.
Neshta family
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | 7B64D1~1.EXE
(all 64 entries in this table are identical to the row above: the same value was queried 64 times by 7B64D1~1.EXE)
Executes dropped EXE (64 IoCs)
pid | Process
4816 | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
2348 | svchost.com
3708 | 7B64D1~1.EXE
5000 | svchost.com
2436 | 7B64D1~1.EXE
3720 | svchost.com
1536 | 7B64D1~1.EXE
3132 | svchost.com
2116 | 7B64D1~1.EXE
3732 | svchost.com
1668 | 7B64D1~1.EXE
1632 | svchost.com
1480 | 7B64D1~1.EXE
3696 | svchost.com
3744 | 7B64D1~1.EXE
1716 | svchost.com
1760 | 7B64D1~1.EXE
4364 | svchost.com
5048 | 7B64D1~1.EXE
4636 | svchost.com
1352 | 7B64D1~1.EXE
4552 | svchost.com
1496 | 7B64D1~1.EXE
1228 | svchost.com
1628 | 7B64D1~1.EXE
2176 | svchost.com
816 | 7B64D1~1.EXE
1428 | svchost.com
3720 | 7B64D1~1.EXE
4460 | svchost.com
436 | 7B64D1~1.EXE
4940 | svchost.com
624 | 7B64D1~1.EXE
4556 | svchost.com
3916 | 7B64D1~1.EXE
4380 | svchost.com
4944 | 7B64D1~1.EXE
3220 | svchost.com
2996 | 7B64D1~1.EXE
3696 | svchost.com
4996 | 7B64D1~1.EXE
1296 | svchost.com
3548 | 7B64D1~1.EXE
2460 | svchost.com
1476 | 7B64D1~1.EXE
3556 | svchost.com
4144 | 7B64D1~1.EXE
2856 | svchost.com
1732 | 7B64D1~1.EXE
5028 | svchost.com
2628 | 7B64D1~1.EXE
5064 | svchost.com
4476 | 7B64D1~1.EXE
2100 | svchost.com
2732 | 7B64D1~1.EXE
4512 | svchost.com
2144 | 7B64D1~1.EXE
3368 | svchost.com
64 | 7B64D1~1.EXE
5032 | svchost.com
2436 | 7B64D1~1.EXE
2620 | svchost.com
1312 | 7B64D1~1.EXE
2312 | svchost.com
Modifies system executable filetype association (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 7B64D1~1.EXE
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\wmplayer.exe | 7B64D1~1.EXE
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~2\MOZILL~1\UNINST~1.EXE | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\wmpconfig.exe | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~2\Google\Update\DISABL~1.EXE | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~2\WINDOW~2\wabmig.exe | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\wmplayer.exe | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~2\INTERN~1\ExtExport.exe | 7B64D1~1.EXE
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\wmprph.exe | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~2\WINDOW~2\wabmig.exe | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~2\WINDOW~2\wab.exe | 7B64D1~1.EXE
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\setup_wm.exe | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | 7B64D1~1.EXE
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~2\WINDOW~2\wab.exe | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | 7B64D1~1.EXE
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\wmpshare.exe | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~2\WINDOW~2\wab.exe | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\setup_wm.exe | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\wmprph.exe | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~2\WI8A19~1\ImagingDevices.exe | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE | 7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe
Drops file in Windows directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\directx.sys | 7B64D1~1.EXE
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\directx.sys | 7B64D1~1.EXE
File opened for modification | C:\Windows\directx.sys | 7B64D1~1.EXE
File opened for modification | C:\Windows\directx.sys | 7B64D1~1.EXE
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\directx.sys | 7B64D1~1.EXE
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\directx.sys | 7B64D1~1.EXE
File opened for modification | C:\Windows\directx.sys | 7B64D1~1.EXE
File opened for modification | C:\Windows\svchost.com | 7B64D1~1.EXE
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | 7B64D1~1.EXE
File opened for modification | C:\Windows\directx.sys | 7B64D1~1.EXE
File opened for modification | C:\Windows\svchost.com | 7B64D1~1.EXE
File opened for modification | C:\Windows\svchost.com | 7B64D1~1.EXE
File opened for modification | C:\Windows\directx.sys | 7B64D1~1.EXE
File opened for modification | C:\Windows\directx.sys | 7B64D1~1.EXE
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | 7B64D1~1.EXE
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\directx.sys | 7B64D1~1.EXE
File opened for modification | C:\Windows\svchost.com | 7B64D1~1.EXE
File opened for modification | C:\Windows\svchost.com | 7B64D1~1.EXE
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\directx.sys | 7B64D1~1.EXE
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | 7B64D1~1.EXE
File opened for modification | C:\Windows\directx.sys | 7B64D1~1.EXE
File opened for modification | C:\Windows\directx.sys | 7B64D1~1.EXE
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\directx.sys | 7B64D1~1.EXE
File opened for modification | C:\Windows\svchost.com | 7B64D1~1.EXE
File opened for modification | C:\Windows\svchost.com | 7B64D1~1.EXE
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\directx.sys | 7B64D1~1.EXE
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | 7B64D1~1.EXE
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\directx.sys | 7B64D1~1.EXE
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\directx.sys | 7B64D1~1.EXE
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | 7B64D1~1.EXE
File opened for modification | C:\Windows\directx.sys | 7B64D1~1.EXE
File opened for modification | C:\Windows\directx.sys | 7B64D1~1.EXE
File opened for modification | C:\Windows\svchost.com | 7B64D1~1.EXE
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | 7B64D1~1.EXE
File opened for modification | C:\Windows\svchost.com | 7B64D1~1.EXE
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes

Process tree (each entry is numbered by its depth in the chain; the command line is followed by the signatures triggered by that process):

1. PID 3028: "C:\Users\Admin\AppData\Local\Temp\7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe"
   - Modifies system executable filetype association
   - Drops file in Program Files directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
2. PID 4816: "C:\Users\Admin\AppData\Local\Temp\3582-490\7b64d1b54835c47b246669104c75ff2031f28047e196fd31bf9609ae4cd78c53N.exe"
   - Executes dropped EXE
   - Drops file in Program Files directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
3. PID 2348: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
4. PID 3708: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
5. PID 5000: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
   - Executes dropped EXE
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
6. PID 2436: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
   - Executes dropped EXE
   - Drops file in Windows directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
7. PID 3720: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
8. PID 1536: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
   - Checks computer location settings
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
9. PID 3132: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
10. PID 2116: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
11. PID 3732: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
12. PID 1668: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
13. PID 1632: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
14. PID 1480: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
15. PID 3696: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
16. PID 3744: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
17. PID 1716: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
18. PID 1760: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
19. PID 4364: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
20. PID 5048: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
21. PID 4636: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
22. PID 1352: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
23. PID 4552: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
24. PID 1496: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
   - Checks computer location settings
   - Executes dropped EXE
25. PID 1228: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
   - Executes dropped EXE
26. PID 1628: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
   - Checks computer location settings
   - Executes dropped EXE
27. PID 2176: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
   - Executes dropped EXE
28. PID 816: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Modifies registry class
29. PID 1428: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
   - Executes dropped EXE
30. PID 3720: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
   - Executes dropped EXE
31. PID 4460: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
   - Executes dropped EXE
32. PID 436: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
   - Checks computer location settings
   - Executes dropped EXE
   - Drops file in Windows directory
33. PID 4940: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
   - Executes dropped EXE
34. PID 624: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
   - Executes dropped EXE
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
35. PID 4556: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
   - Executes dropped EXE
   - Drops file in Windows directory
36. PID 3916: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
   - Executes dropped EXE
   - Modifies registry class
37. PID 4380: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
   - Executes dropped EXE
38. PID 4944: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
   - Checks computer location settings
   - Executes dropped EXE
39. PID 3220: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
   - Executes dropped EXE
   - Drops file in Windows directory
40. PID 2996: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
   - Checks computer location settings
   - Executes dropped EXE
   - Modifies registry class
41. PID 3696: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
42. PID 4996: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
   - Executes dropped EXE
   - Modifies registry class
43. PID 1296: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
   - Executes dropped EXE
44. PID 3548: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Modifies registry class
45. PID 2460: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
   - Executes dropped EXE
46. PID 1476: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
   - Executes dropped EXE
47. PID 3556: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
   - Executes dropped EXE
48. PID 4144: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
   - Checks computer location settings
   - Executes dropped EXE
49. PID 2856: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
50. PID 1732: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
   - Executes dropped EXE
51. PID 5028: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
   - Executes dropped EXE
52. PID 2628: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
   - Executes dropped EXE
   - Modifies registry class
53. PID 5064: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
   - Executes dropped EXE
54. PID 4476: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
   - Executes dropped EXE
   - Modifies registry class
55. PID 2100: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
   - Executes dropped EXE
56. PID 2732: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
   - Checks computer location settings
   - Executes dropped EXE
57. PID 4512: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
   - Executes dropped EXE
58. PID 2144: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
   - Executes dropped EXE
59. PID 3368: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
   - Executes dropped EXE
60. PID 64: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
   - Executes dropped EXE
   - Drops file in Windows directory
61. PID 5032: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
   - Executes dropped EXE
62. PID 2436: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
   - Executes dropped EXE
63. PID 2620: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
64. PID 1312: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
   - Executes dropped EXE
   - Modifies registry class
65. PID 2312: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
   - Executes dropped EXE
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
66. PID 1120: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
67. PID 4400: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
68. PID 3444: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
69. PID 212: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
   - System Location Discovery: System Language Discovery
70. PID 3856: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
71. PID 4780: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
72. PID 1660: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
73. PID 5020: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
74. PID 3692: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
75. PID 4616: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
   - System Location Discovery: System Language Discovery
76. PID 2880: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
77. PID 1888: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
78. PID 4908: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
79. PID 1808: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
   - System Location Discovery: System Language Discovery
80. PID 4028: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
   - Modifies registry class
81. PID 840: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
82. PID 3204: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
   - System Location Discovery: System Language Discovery
83. PID 5048: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
84. PID 4636: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
85. PID 2696: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
86. PID 4800: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
   - Checks computer location settings
87. PID 4520: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
88. PID 2264: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
   - Drops file in Windows directory
   - Modifies registry class
89. PID 4552: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
   - Drops file in Windows directory
90. PID 4472: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
   - Drops file in Windows directory
   - Modifies registry class
91. PID 1496: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
   - System Location Discovery: System Language Discovery
92. PID 3192: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
93. PID 556: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
   - Drops file in Windows directory
94. PID 2148: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
95. PID 3700: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
96. PID 1168: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
   - Checks computer location settings
   - Drops file in Windows directory
97. PID 3412: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
   - System Location Discovery: System Language Discovery
98. PID 1932: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
   - Checks computer location settings
   - Modifies registry class
99. PID 3908: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
100. PID 2200: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
   - Checks computer location settings
101. PID 2312: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
   - Drops file in Windows directory
102. PID 1900: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
   - Modifies system executable filetype association
   - Drops file in Program Files directory
   - Modifies registry class
103. PID 2404: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
   - System Location Discovery: System Language Discovery
104. PID 4556: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
105. PID 720: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
106. PID 4372: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
   - Checks computer location settings
107. PID 3064: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
   - Drops file in Windows directory
108. PID 8: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
   - Checks computer location settings
109. PID 4780: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
110. PID 1992: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
   - Checks computer location settings
111. PID 3584: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
   - Drops file in Windows directory
112. PID 2980: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
113. PID 3728: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
114. PID 3744: C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE
   - Checks computer location settings
115. PID 2120: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"
-
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE116⤵
- Modifies registry class
PID:372 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"117⤵PID:2880
-
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE118⤵PID:2752
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"119⤵PID:2024
-
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE120⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
PID:3548 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE"121⤵PID:2192
-
C:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\7B64D1~1.EXE122⤵
- Checks computer location settings
- Drops file in Windows directory
PID:3912