Analysis
max time kernel: 140s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 12-12-2024 17:03

Static task: static1

Behavioral task: behavioral1
Sample: e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
Resource: win10v2004-20241007-en

General
Target: e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
Size: 358KB
MD5: e764564f35f8233b9a264792674887d2
SHA1: 33d8520e18644a762f0529c6e00365677d0067d5
SHA256: e9acddb4747d00754ab52d6590305ab5c3ba9ba6e849a7415e292a77479afa02
SHA512: 59c09d88e4cd369472862023a17ca81d7f2f3671dc4a49ba4605346da32b0faf5761290b2cea1f30090a5130c8bf0293d87710375920e067540894e20f5fa435
SSDEEP: 6144:jyH7xOc6H5c6HcT66vlmrpdF48rAkGR1ObhB7BL6SoOQ48AtBloP+aP1OeUeRUqO:jaw88ckW1a7BLZ8h+0EeLadeW
Malware Config

Signatures

Detect Neshta payload (64 IoCs)
resource | yara_rule
behavioral1/files/0x0007000000016d6d-8.dat | family_neshta
behavioral1/files/0x00080000000171a8-46.dat | family_neshta
behavioral1/files/0x00080000000173a9-49.dat | family_neshta
behavioral1/files/0x0001000000010738-55.dat | family_neshta
behavioral1/files/0x0001000000010312-56.dat | family_neshta
behavioral1/files/0x0001000000010314-57.dat | family_neshta
behavioral1/memory/2808-67-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/1448-66-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2628-81-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2164-80-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2516-96-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/3028-95-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2972-108-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2840-109-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/3008-122-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/3012-123-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/1824-137-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/1408-136-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/796-151-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2080-150-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/1480-159-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/3064-158-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/1516-167-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2176-166-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/1752-183-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/1492-182-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/1184-196-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2200-195-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2336-213-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2456-211-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/1972-225-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/1628-224-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/1740-235-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2856-236-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/3024-252-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/1292-253-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2372-262-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/1272-263-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2884-276-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2540-277-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2916-292-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/1276-291-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2836-307-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/1448-306-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2676-327-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2228-326-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2680-337-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/1808-338-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2812-346-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2972-345-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/1736-353-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/1652-354-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2700-367-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/1148-366-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/1756-380-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/1824-379-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/1772-388-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2304-387-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/796-396-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/440-395-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/960-404-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/3056-403-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/1360-411-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/612-412-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
Neshta
Malware from the Neshta family is a file infector: it inserts itself into other executable files to spread and cause damage.

Neshta family
Executes dropped EXE (64 IoCs)
pid | Process
2572 | svchost.exe
2428 | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
2180 | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
2872 | svchost.exe
3048 | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
2896 | svchost.exe
1448 | svchost.com
2808 | E76456~1.EXE
2628 | svchost.com
2164 | E76456~1.EXE
2516 | svchost.com
3028 | E76456~1.EXE
2840 | svchost.com
2972 | E76456~1.EXE
3008 | svchost.com
3012 | E76456~1.EXE
1824 | svchost.com
1408 | E76456~1.EXE
2080 | svchost.com
796 | E76456~1.EXE
1480 | svchost.com
3064 | E76456~1.EXE
2176 | svchost.com
1516 | E76456~1.EXE
1492 | svchost.com
1752 | E76456~1.EXE
2200 | svchost.com
1184 | E76456~1.EXE
2336 | svchost.com
2456 | E76456~1.EXE
1972 | svchost.com
1628 | E76456~1.EXE
2856 | svchost.com
1740 | E76456~1.EXE
3024 | svchost.com
1292 | E76456~1.EXE
1272 | svchost.com
2372 | E76456~1.EXE
2540 | svchost.com
2884 | E76456~1.EXE
2916 | svchost.com
1276 | E76456~1.EXE
2836 | svchost.com
1448 | E76456~1.EXE
2676 | svchost.com
2228 | E76456~1.EXE
1808 | svchost.com
2680 | E76456~1.EXE
2812 | svchost.com
2972 | E76456~1.EXE
1652 | svchost.com
1736 | E76456~1.EXE
2700 | svchost.com
1148 | E76456~1.EXE
1824 | svchost.com
1756 | E76456~1.EXE
1772 | svchost.com
2304 | E76456~1.EXE
796 | svchost.com
440 | E76456~1.EXE
3056 | svchost.com
960 | E76456~1.EXE
1360 | svchost.com
612 | E76456~1.EXE
Loads dropped DLL (64 IoCs)
pid | Process
2572 | svchost.exe
2572 | svchost.exe
2428 | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
2428 | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
2872 | svchost.exe
2872 | svchost.exe
3048 | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
1448 | svchost.com
1448 | svchost.com
2628 | svchost.com
2628 | svchost.com
2516 | svchost.com
2516 | svchost.com
2840 | svchost.com
2840 | svchost.com
3008 | svchost.com
3008 | svchost.com
1824 | svchost.com
1824 | svchost.com
2080 | svchost.com
2080 | svchost.com
1480 | svchost.com
1480 | svchost.com
2176 | svchost.com
2176 | svchost.com
1492 | svchost.com
1492 | svchost.com
2428 | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
2200 | svchost.com
2200 | svchost.com
2336 | svchost.com
2336 | svchost.com
1972 | svchost.com
1972 | svchost.com
2856 | svchost.com
2856 | svchost.com
3024 | svchost.com
3024 | svchost.com
1272 | svchost.com
1272 | svchost.com
2540 | svchost.com
2540 | svchost.com
2916 | svchost.com
2916 | svchost.com
2836 | svchost.com
2836 | svchost.com
2676 | svchost.com
2676 | svchost.com
1808 | svchost.com
1808 | svchost.com
2812 | svchost.com
2812 | svchost.com
1652 | svchost.com
1652 | svchost.com
2700 | svchost.com
2700 | svchost.com
1824 | svchost.com
1824 | svchost.com
1772 | svchost.com
1772 | svchost.com
796 | svchost.com
796 | svchost.com
3056 | svchost.com
3056 | svchost.com
Modifies system executable filetype association (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\setup_wm.exe | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmpshare.exe | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\WINDOW~1\wab.exe | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\WINDOW~1\wabmig.exe | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\Google\Update\DISABL~1.EXE | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmplayer.exe | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | svchost.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\INTERN~1\ieinstal.exe | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE | svchost.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmplayer.exe | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmpshare.exe | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmprph.exe | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\ImagingDevices.exe | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\OIS.EXE | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\WINDOW~1\wabmig.exe | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmpconfig.exe | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\INTERN~1\ieinstal.exe | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
Drops file in Windows directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\directx.sys | E76456~1.EXE
File opened for modification | C:\Windows\directx.sys | E76456~1.EXE
File opened for modification | C:\Windows\svchost.com | E76456~1.EXE
File opened for modification | C:\Windows\directx.sys | E76456~1.EXE
File opened for modification | C:\Windows\directx.sys | E76456~1.EXE
File opened for modification | C:\Windows\svchost.com | E76456~1.EXE
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\directx.sys | E76456~1.EXE
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\directx.sys | E76456~1.EXE
File opened for modification | C:\Windows\svchost.com | E76456~1.EXE
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | E76456~1.EXE
File opened for modification | C:\Windows\directx.sys | E76456~1.EXE
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\directx.sys | E76456~1.EXE
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\directx.sys | E76456~1.EXE
File opened for modification | C:\Windows\directx.sys | E76456~1.EXE
File opened for modification | C:\Windows\directx.sys | E76456~1.EXE
File opened for modification | C:\Windows\svchost.com | E76456~1.EXE
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | E76456~1.EXE
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\directx.sys | E76456~1.EXE
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\directx.sys | E76456~1.EXE
File opened for modification | C:\Windows\directx.sys | E76456~1.EXE
File opened for modification | C:\Windows\directx.sys | E76456~1.EXE
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\directx.sys | E76456~1.EXE
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | E76456~1.EXE
File opened for modification | C:\Windows\svchost.com | E76456~1.EXE
File opened for modification | C:\Windows\directx.sys | E76456~1.EXE
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | E76456~1.EXE
File opened for modification | C:\Windows\directx.sys | E76456~1.EXE
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | E76456~1.EXE
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | E76456~1.EXE
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | E76456~1.EXE
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | E76456~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | E76456~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | E76456~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | E76456~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | E76456~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | E76456~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | E76456~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | E76456~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | E76456~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | E76456~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | E76456~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | E76456~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | E76456~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | E76456~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | E76456~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | E76456~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | E76456~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | E76456~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | E76456~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | E76456~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | E76456~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | E76456~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | E76456~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | E76456~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | E76456~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | E76456~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | E76456~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | E76456~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | E76456~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | E76456~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | E76456~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | E76456~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | E76456~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | E76456~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | E76456~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | E76456~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | E76456~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | E76456~1.EXE
Modifies registry class (1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 860 wrote to memory of 2572 | 860 | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe | 30
PID 860 wrote to memory of 2572 | 860 | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe | 30
PID 860 wrote to memory of 2572 | 860 | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe | 30
PID 860 wrote to memory of 2572 | 860 | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe | 30
PID 2572 wrote to memory of 2428 | 2572 | svchost.exe | 31
PID 2572 wrote to memory of 2428 | 2572 | svchost.exe | 31
PID 2572 wrote to memory of 2428 | 2572 | svchost.exe | 31
PID 2572 wrote to memory of 2428 | 2572 | svchost.exe | 31
PID 2428 wrote to memory of 2180 | 2428 | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe | 32
PID 2428 wrote to memory of 2180 | 2428 | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe | 32
PID 2428 wrote to memory of 2180 | 2428 | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe | 32
PID 2428 wrote to memory of 2180 | 2428 | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe | 32
PID 2180 wrote to memory of 2872 | 2180 | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe | 33
PID 2180 wrote to memory of 2872 | 2180 | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe | 33
PID 2180 wrote to memory of 2872 | 2180 | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe | 33
PID 2180 wrote to memory of 2872 | 2180 | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe | 33
PID 2872 wrote to memory of 3048 | 2872 | svchost.exe | 34
PID 2872 wrote to memory of 3048 | 2872 | svchost.exe | 34
PID 2872 wrote to memory of 3048 | 2872 | svchost.exe | 34
PID 2872 wrote to memory of 3048 | 2872 | svchost.exe | 34
PID 3048 wrote to memory of 1448 | 3048 | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe | 36
PID 3048 wrote to memory of 1448 | 3048 | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe | 36
PID 3048 wrote to memory of 1448 | 3048 | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe | 36
PID 3048 wrote to memory of 1448 | 3048 | e764564f35f8233b9a264792674887d2_JaffaCakes118.exe | 36
PID 1448 wrote to memory of 2808 | 1448 | svchost.com | 37
PID 1448 wrote to memory of 2808 | 1448 | svchost.com | 37
PID 1448 wrote to memory of 2808 | 1448 | svchost.com | 37
PID 1448 wrote to memory of 2808 | 1448 | svchost.com | 37
PID 2808 wrote to memory of 2628 | 2808 | E76456~1.EXE | 38
PID 2808 wrote to memory of 2628 | 2808 | E76456~1.EXE | 38
PID 2808 wrote to memory of 2628 | 2808 | E76456~1.EXE | 38
PID 2808 wrote to memory of 2628 | 2808 | E76456~1.EXE | 38
PID 2628 wrote to memory of 2164 | 2628 | svchost.com | 39
PID 2628 wrote to memory of 2164 | 2628 | svchost.com | 39
PID 2628 wrote to memory of 2164 | 2628 | svchost.com | 39
PID 2628 wrote to memory of 2164 | 2628 | svchost.com | 39
PID 2164 wrote to memory of 2516 | 2164 | E76456~1.EXE | 40
PID 2164 wrote to memory of 2516 | 2164 | E76456~1.EXE | 40
PID 2164 wrote to memory of 2516 | 2164 | E76456~1.EXE | 40
PID 2164 wrote to memory of 2516 | 2164 | E76456~1.EXE | 40
PID 2516 wrote to memory of 3028 | 2516 | svchost.com | 41
PID 2516 wrote to memory of 3028 | 2516 | svchost.com | 41
PID 2516 wrote to memory of 3028 | 2516 | svchost.com | 41
PID 2516 wrote to memory of 3028 | 2516 | svchost.com | 41
PID 3028 wrote to memory of 2840 | 3028 | E76456~1.EXE | 42
PID 3028 wrote to memory of 2840 | 3028 | E76456~1.EXE | 42
PID 3028 wrote to memory of 2840 | 3028 | E76456~1.EXE | 42
PID 3028 wrote to memory of 2840 | 3028 | E76456~1.EXE | 42
PID 2840 wrote to memory of 2972 | 2840 | svchost.com | 79
PID 2840 wrote to memory of 2972 | 2840 | svchost.com | 79
PID 2840 wrote to memory of 2972 | 2840 | svchost.com | 79
PID 2840 wrote to memory of 2972 | 2840 | svchost.com | 79
PID 2972 wrote to memory of 3008 | 2972 | E76456~1.EXE | 44
PID 2972 wrote to memory of 3008 | 2972 | E76456~1.EXE | 44
PID 2972 wrote to memory of 3008 | 2972 | E76456~1.EXE | 44
PID 2972 wrote to memory of 3008 | 2972 | E76456~1.EXE | 44
PID 3008 wrote to memory of 3012 | 3008 | svchost.com | 45
PID 3008 wrote to memory of 3012 | 3008 | svchost.com | 45
PID 3008 wrote to memory of 3012 | 3008 | svchost.com | 45
PID 3008 wrote to memory of 3012 | 3008 | svchost.com | 45
PID 3012 wrote to memory of 1824 | 3012 | E76456~1.EXE | 84
PID 3012 wrote to memory of 1824 | 3012 | E76456~1.EXE | 84
PID 3012 wrote to memory of 1824 | 3012 | E76456~1.EXE | 84
PID 3012 wrote to memory of 1824 | 3012 | E76456~1.EXE | 84
Processes
-
Nesting depth in brackets, then command line, PID, and the signatures matched by that process.
[1] "C:\Users\Admin\AppData\Local\Temp\e764564f35f8233b9a264792674887d2_JaffaCakes118.exe" (PID 860)
- Suspicious use of WriteProcessMemory
[2] "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\e764564f35f8233b9a264792674887d2_JaffaCakes118.exe" (PID 2572)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
[3] "C:\Users\Admin\AppData\Local\Temp\e764564f35f8233b9a264792674887d2_JaffaCakes118.exe" (PID 2428)
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
[4] "C:\Users\Admin\AppData\Local\Temp\3582-490\e764564f35f8233b9a264792674887d2_JaffaCakes118.exe" (PID 2180)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[5] "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\3582-490\e764564f35f8233b9a264792674887d2_JaffaCakes118.exe" (PID 2872)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
[6] "C:\Users\Admin\AppData\Local\Temp\3582-490\e764564f35f8233b9a264792674887d2_JaffaCakes118.exe" (PID 3048)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
[7] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 1448)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
[8] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 2808)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[9] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 2628)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
[10] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 2164)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[11] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 2516)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
[12] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 3028)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[13] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 2840)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
[14] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 2972)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[15] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 3008)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
[16] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 3012)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[17] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 1824)
- Executes dropped EXE
- Loads dropped DLL
[18] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 1408)
- Executes dropped EXE
[19] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 2080)
- Executes dropped EXE
- Loads dropped DLL
[20] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 796)
- Executes dropped EXE
[21] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 1480)
- Executes dropped EXE
- Loads dropped DLL
[22] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 3064)
- Executes dropped EXE
[23] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 2176)
- Executes dropped EXE
- Loads dropped DLL
[24] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 1516)
- Executes dropped EXE
[25] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 1492)
- Executes dropped EXE
- Loads dropped DLL
[26] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 1752)
- Executes dropped EXE
[27] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 2200)
- Executes dropped EXE
- Loads dropped DLL
[28] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 1184)
- Executes dropped EXE
[29] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 2336)
- Executes dropped EXE
- Loads dropped DLL
[30] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 2456)
- Executes dropped EXE
- Drops file in Windows directory
[31] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 1972)
- Executes dropped EXE
- Loads dropped DLL
[32] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 1628)
- Executes dropped EXE
[33] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 2856)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
[34] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 1740)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
[35] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 3024)
- Executes dropped EXE
- Loads dropped DLL
[36] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 1292)
- Executes dropped EXE
[37] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 1272)
- Executes dropped EXE
- Loads dropped DLL
[38] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 2372)
- Executes dropped EXE
[39] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 2540)
- Executes dropped EXE
- Loads dropped DLL
[40] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 2884)
- Executes dropped EXE
[41] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 2916)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
[42] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 1276)
- Executes dropped EXE
[43] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 2836)
- Executes dropped EXE
- Loads dropped DLL
[44] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 1448)
- Executes dropped EXE
[45] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 2676)
- Executes dropped EXE
- Loads dropped DLL
[46] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 2228)
- Executes dropped EXE
[47] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 1808)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
[48] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 2680)
- Executes dropped EXE
- Drops file in Windows directory
[49] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 2812)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
[50] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 2972)
- Executes dropped EXE
- Drops file in Windows directory
[51] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 1652)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
[52] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 1736)
- Executes dropped EXE
- Drops file in Windows directory
[53] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 2700)
- Executes dropped EXE
- Loads dropped DLL
[54] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 1148)
- Executes dropped EXE
[55] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 1824)
- Executes dropped EXE
- Loads dropped DLL
[56] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 1756)
- Executes dropped EXE
[57] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 1772)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
[58] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 2304)
- Executes dropped EXE
[59] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 796)
- Executes dropped EXE
- Loads dropped DLL
[60] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 440)
- Executes dropped EXE
- Drops file in Windows directory
[61] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 3056)
- Executes dropped EXE
- Loads dropped DLL
[62] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 960)
- Executes dropped EXE
[63] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 1360)
- Executes dropped EXE
[64] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 612)
- Executes dropped EXE
[65] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 576)
[66] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 1852)
[67] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 1812)
[68] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 880)
[69] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 772)
[70] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 1716)
- System Location Discovery: System Language Discovery
[71] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 1520)
[72] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 2356)
[73] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 328)
[74] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 1984)
[75] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 1936)
[76] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 1052)
[77] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 2536)
[78] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 1776)
[79] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 3024)
[80] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 2396)
[81] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 2420)
[82] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 2104)
[83] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 2868)
[84] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 2768)
[85] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 2720)
[86] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 2876)
[87] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 2884)
- Drops file in Windows directory
[88] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 2608)
[89] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 2660)
[90] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 2808)
- System Location Discovery: System Language Discovery
[91] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 2732)
[92] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 2164)
[93] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 988)
[94] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 1916)
[95] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 2960)
[96] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 2832)
[97] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 1808)
- System Location Discovery: System Language Discovery
[98] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 2964)
[99] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 1864)
[100] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 3008)
[101] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 3020)
[102] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 1640)
- System Location Discovery: System Language Discovery
[103] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 464)
[104] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 1372)
- Drops file in Windows directory
[105] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 2088)
[106] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 1824)
[107] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 1856)
[108] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 1484)
- System Location Discovery: System Language Discovery
[109] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 1920)
[110] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 2580)
[111] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 2176)
[112] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 1956)
[113] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 2584)
[114] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 1752)
[115] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 1768)
[116] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 2064)
- System Location Discovery: System Language Discovery
[117] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 1780)
[118] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 1696)
[119] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 2448)
[120] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 772)
[121] "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE" (PID 2352)
[122] C:\Users\Admin\AppData\Local\Temp\3582-490\E76456~1.EXE (PID 1944)
- System Location Discovery: System Language Discovery