Analysis
max time kernel: 94s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-12-2024 04:50
Behavioral task: behavioral1
Sample: d6a71bae2967f1b58b1a552d0905d05e7ce84e3c189cf10911107ad573d70f2bN.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: d6a71bae2967f1b58b1a552d0905d05e7ce84e3c189cf10911107ad573d70f2bN.exe
Resource: win10v2004-20241007-en
General
Target: d6a71bae2967f1b58b1a552d0905d05e7ce84e3c189cf10911107ad573d70f2bN.exe
Size: 2.8MB
MD5: b7e569219db434b23bb91d26d8789880
SHA1: 3e46f441aa57de2707e1fb0befbef374f3a2f4f7
SHA256: d6a71bae2967f1b58b1a552d0905d05e7ce84e3c189cf10911107ad573d70f2b
SHA512: 953e37f82e6125f8fca2e134996d8cfcd3d3b2ddff2cb9549782fbba863ac7800b509cc27e5c21480c99db985db2946df9130315b2eceb7734e2c6d7e184dc04
SSDEEP: 49152:tu/L1BdnH/DzQhVavU6MAkztpCv/qiFJ8gTDkv3uQ1ip1SZGwTPRBh5GTfLde8+w:+1xzM13yAB8LktOTfJsv6tWKFdu9C
Malware Config
Signatures
Detect Neshta payload 64 IoCs
resource  yara_rule
yara_rule: family_neshta (all 64 listed rows); the resource column follows.
behavioral2/files/0x000b000000023b64-4.dat
behavioral2/files/0x000a000000023b69-10.dat
behavioral2/memory/1088-16-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/3188-26-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/2148-28-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/1100-38-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/3252-40-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/1336-44-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/4884-52-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/5104-56-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/3436-64-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/4556-68-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/4380-76-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/files/0x0004000000020371-81.dat
behavioral2/memory/720-83-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/files/0x0006000000020240-97.dat
behavioral2/files/0x000600000002024c-96.dat
behavioral2/files/0x0006000000020244-95.dat
behavioral2/files/0x00010000000202bd-106.dat
behavioral2/files/0x0004000000020376-105.dat
behavioral2/files/0x00070000000202ac-94.dat
behavioral2/files/0x0001000000021506-123.dat
behavioral2/files/0x0001000000022602-122.dat
behavioral2/files/0x0001000000021507-126.dat
behavioral2/files/0x000100000002155e-119.dat
behavioral2/files/0x0001000000022f4a-131.dat
behavioral2/files/0x0001000000022f4f-136.dat
behavioral2/files/0x00010000000167d2-148.dat
behavioral2/files/0x000100000001dc14-162.dat
behavioral2/files/0x00010000000167cc-160.dat
behavioral2/files/0x0001000000022e8f-176.dat
behavioral2/files/0x0001000000016920-174.dat
behavioral2/files/0x00010000000167f3-157.dat
behavioral2/files/0x00010000000167ce-156.dat
behavioral2/files/0x000100000001680e-155.dat
behavioral2/files/0x00010000000167d4-147.dat
behavioral2/files/0x00010000000167b9-146.dat
behavioral2/files/0x000100000001680b-145.dat
behavioral2/memory/3808-140-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/files/0x000200000002033b-118.dat
behavioral2/files/0x0008000000020265-117.dat
behavioral2/files/0x0006000000020263-116.dat
behavioral2/files/0x000a00000001e7fa-208.dat
behavioral2/files/0x000500000001e0bf-214.dat
behavioral2/files/0x000b00000001edfc-207.dat
behavioral2/files/0x000500000001e8b9-206.dat
behavioral2/files/0x00020000000215f6-199.dat
behavioral2/files/0x000200000000072d-198.dat
behavioral2/memory/4616-218-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/1548-219-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/4216-221-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/4476-227-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/688-233-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/4516-234-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/4284-236-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/3708-242-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/1948-249-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/2176-250-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/2144-252-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/1536-258-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/4316-260-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/3960-266-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/1336-268-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral2/memory/2528-274-0x0000000000400000-0x000000000041B000-memory.dmp
Neshta
Neshta is a file-infecting virus: it writes its own body into other executables so that running any of them spreads the infection, and the programs it infects can be damaged in the process. In this run the infector copy is C:\Windows\svchost.com, paired with C:\Windows\directx.sys, and it is hooked into the .exe file association so that it runs before every program the user launches.
Neshta family
Checks computer location settings 2 TTPs 64 IoCs
Looks up the country code configured in the registry (Control Panel\International\Geo\Nation), likely for geofencing.
description  ioc  Process  (count of listed rows)
Key value queried  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation  D6A71B~1.EXE  (the remaining 63 rows)
Key value queried  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation  d6a71bae2967f1b58b1a552d0905d05e7ce84e3c189cf10911107ad573d70f2bN.exe  (1 row)
Executes dropped EXE 64 IoCs
pid  Process
4472  d6a71bae2967f1b58b1a552d0905d05e7ce84e3c189cf10911107ad573d70f2bN.exe
1088  svchost.com
3188  D6A71B~1.EXE
2148  svchost.com
1100  D6A71B~1.EXE
3252  svchost.com
1336  D6A71B~1.EXE
4884  svchost.com
5104  D6A71B~1.EXE
3436  svchost.com
4556  D6A71B~1.EXE
4380  svchost.com
720  D6A71B~1.EXE
3808  svchost.com
4616  D6A71B~1.EXE
1548  svchost.com
4216  D6A71B~1.EXE
4476  svchost.com
688  D6A71B~1.EXE
4516  svchost.com
4284  D6A71B~1.EXE
3708  svchost.com
1948  D6A71B~1.EXE
2176  svchost.com
2144  D6A71B~1.EXE
1536  svchost.com
4316  D6A71B~1.EXE
3960  svchost.com
1336  D6A71B~1.EXE
2528  svchost.com
3480  D6A71B~1.EXE
2400  svchost.com
3184  D6A71B~1.EXE
4820  svchost.com
3812  D6A71B~1.EXE
3064  svchost.com
2860  D6A71B~1.EXE
2488  svchost.com
4464  D6A71B~1.EXE
4544  svchost.com
3808  D6A71B~1.EXE
2460  svchost.com
2256  D6A71B~1.EXE
4176  svchost.com
3156  D6A71B~1.EXE
3656  svchost.com
3680  D6A71B~1.EXE
2888  svchost.com
632  D6A71B~1.EXE
1548  svchost.com
3312  D6A71B~1.EXE
3492  svchost.com
3260  D6A71B~1.EXE
4516  svchost.com
1728  D6A71B~1.EXE
2424  svchost.com
2140  D6A71B~1.EXE
516  svchost.com
1452  D6A71B~1.EXE
4788  svchost.com
2560  D6A71B~1.EXE
4400  svchost.com
4036  D6A71B~1.EXE
232  svchost.com
Modifies system executable filetype association 2 TTPs 1 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"  d6a71bae2967f1b58b1a552d0905d05e7ce84e3c189cf10911107ad573d70f2bN.exe
With this value in place, every .exe started through the shell runs C:\Windows\svchost.com first, with the intended program passed as "%1", so the infector regains control on each program launch. Deleting svchost.com without restoring the stock value ("%1" %*) leaves the host unable to start .exe files.
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials. No IoC rows are listed for this signature in this run.
Drops file in Program Files directory 64 IoCs
description  ioc  Process
description: File opened for modification (all 64 listed rows)
Process: d6a71bae2967f1b58b1a552d0905d05e7ce84e3c189cf10911107ad573d70f2bN.exe (all 64 listed rows)
ioc:
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE
C:\PROGRA~2\WINDOW~4\wmpconfig.exe
C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE
C:\PROGRA~2\WINDOW~4\wmpshare.exe
C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE
C:\PROGRA~2\WINDOW~2\wab.exe
C:\PROGRA~2\WINDOW~4\wmlaunch.exe
C:\PROGRA~2\WINDOW~4\wmplayer.exe
C:\PROGRA~2\WINDOW~4\wmprph.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE
C:\PROGRA~2\Google\Update\DISABL~1.EXE
C:\PROGRA~2\INTERN~1\ielowutil.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE
C:\PROGRA~2\WINDOW~4\wmlaunch.exe
C:\PROGRA~2\WINDOW~4\wmplayer.exe
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE
C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe
C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaws.exe
C:\PROGRA~2\INTERN~1\ielowutil.exe
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE
C:\PROGRA~2\WINDOW~4\setup_wm.exe
C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe
C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE
C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
C:\PROGRA~2\WINDOW~4\setup_wm.exe
Drops file in Windows directory 64 IoCs
description  ioc  Process  (count of listed rows)
File opened for modification  C:\Windows\directx.sys  svchost.com  (18)
File opened for modification  C:\Windows\directx.sys  D6A71B~1.EXE  (18)
File opened for modification  C:\Windows\svchost.com  svchost.com  (16)
File opened for modification  C:\Windows\svchost.com  D6A71B~1.EXE  (12)
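The three indicators in this report that drive cleanup are the hijacked exefile association ("Modifies system executable filetype association"), the infector copy at C:\Windows\svchost.com with its companion directx.sys ("Drops file in Windows directory"), and the executables that were opened for modification ("Drops file in Program Files directory"). The Python script below is an added example, not part of the sandbox output: it parses rows copied from the report's flattened "description ioc Process" tables, tallies identical rows, extracts the list of executables that should be restored from known-good media, and classifies an exefile\shell\open\command value as clean or hijacked after undoing the report's string escaping. It also handles the "Set value (str)" row type, so it goes slightly beyond the three tables it was written against. The embedded sample rows are a constructed subset of the rows on this page, and the function names are mine.

```python
"""Triage helpers for the Neshta indicators in a sandbox report.

Added example, not part of the sandbox output. Input is text copied from
the report's flattened signature tables ("description ioc Process ...");
nothing here touches a live registry, so it runs offline on any platform.
"""
import re
from collections import Counter

# Value Windows ships for HKLM\SOFTWARE\Classes\exefile\shell\open\command.
EXEFILE_DEFAULT = '"%1" %*'

# Row types used in this report; every row reads "<description> <ioc> <process>".
DESCRIPTIONS = ("File opened for modification", "Key value queried",
                "Key opened", "Set value (str)")
ROW_SPLIT = re.compile(r"(?=(?:%s)\s)" % "|".join(re.escape(d) for d in DESCRIPTIONS))
# A program wrapped around "%1" runs before every .exe the user launches.
HIJACK = re.compile(r'^"?(?P<launcher>[^"]+?\.(?:com|exe))"?\s+"%1"\s+%\*$', re.I)


def unescape_report_string(s: str) -> str:
    """Undo the C-style escaping the report applies to registry strings
    (a doubled backslash for a backslash, backslash-quote for a quote)
    and drop the surrounding quotes."""
    s = s.strip()
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1]
    return re.sub(r"\\(.)", r"\1", s)


def classify_exefile_command(value: str):
    """Classify an exefile\\shell\\open\\command value as printed in the report.

    Returns ("clean", None) for the stock pass-through, ("hijacked", launcher)
    when another program is wrapped around "%1", else ("unknown", value).
    """
    v = unescape_report_string(value)
    if v == EXEFILE_DEFAULT:
        return "clean", None
    m = HIJACK.match(v)
    return ("hijacked", m.group("launcher")) if m else ("unknown", v)


def parse_rows(text: str):
    """Yield (description, ioc, process) from flattened table text."""
    for chunk in ROW_SPLIT.split(text):
        chunk = chunk.strip().rstrip("-").strip()  # trailing " -" is page residue
        desc = next((d for d in DESCRIPTIONS if chunk.startswith(d)), None)
        if desc is None:
            continue  # column header or stray text
        ioc, _, proc = chunk[len(desc):].strip().rpartition(" ")
        if ioc and proc:
            yield desc, ioc, proc


def tally(text: str) -> Counter:
    """Count identical (description, ioc, process) rows."""
    return Counter(parse_rows(text))


def infection_candidates(text: str):
    """Executables outside C:\\Windows that the sample opened for writing.
    Treat each as infected and restore it from known-good media."""
    return sorted({ioc for d, ioc, _ in parse_rows(text)
                   if d == "File opened for modification"
                   and ioc.lower().endswith(".exe")
                   and not ioc.lower().startswith("c:\\windows\\")})


def exefile_values(text: str):
    """Data written to exefile\\shell\\open\\command, taken from 'Set value' rows."""
    for d, ioc, _ in parse_rows(text):
        if d == "Set value (str)" and "\\exefile\\shell\\open\\command" in ioc.lower():
            yield ioc.split(" = ", 1)[1]


# Constructed subset of the rows on this page, not the full 64-row tables.
SAMPLE = "d6a71bae2967f1b58b1a552d0905d05e7ce84e3c189cf10911107ad573d70f2bN.exe"
SAMPLE_WINDOWS_DIR = (
    "description ioc Process "
    "File opened for modification C:\\Windows\\directx.sys svchost.com "
    "File opened for modification C:\\Windows\\svchost.com svchost.com "
    "File opened for modification C:\\Windows\\svchost.com D6A71B~1.EXE "
    "File opened for modification C:\\Windows\\directx.sys D6A71B~1.EXE "
    "File opened for modification C:\\Windows\\svchost.com svchost.com -"
)
SAMPLE_PROGRAM_FILES = (
    f"File opened for modification C:\\PROGRA~2\\WINDOW~4\\wmplayer.exe {SAMPLE} "
    f"File opened for modification C:\\PROGRA~2\\Adobe\\ACROBA~1\\Reader\\AcroRd32.exe {SAMPLE} "
    f"File opened for modification C:\\PROGRA~2\\WINDOW~4\\wmplayer.exe {SAMPLE} "
    f"File opened for modification C:\\Windows\\directx.sys {SAMPLE}"
)
SAMPLE_EXEFILE_ROW = (
    "description ioc Process Set value (str) "
    r"\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "
    r'"C:\\Windows\\svchost.com \"%1\" %*" ' + SAMPLE
)

if __name__ == "__main__":
    for row, n in tally(SAMPLE_WINDOWS_DIR).items():
        print(n, *row)
    print("restore from known-good media:", *infection_candidates(SAMPLE_PROGRAM_FILES), sep="\n  ")
    for v in exefile_values(SAMPLE_EXEFILE_ROW):
        print("exefile association:", classify_exefile_command(v))
```

The same functions work on the full tables if the flattened text is pasted in unchanged, because the splitter keys on the fixed description phrases rather than on line breaks. On a live host the value to feed into classify_exefile_command comes from HKLM\SOFTWARE\Classes\exefile\shell\open\command; restore it to "%1" %* before removing svchost.com, or .exe launches will fail.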
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the host's geographical location.
description | ioc | Process | rows
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com | 39
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | D6A71B~1.EXE | 25
(64 rows in total; every row opens the same key, so the rows are collapsed by process and counted in the last column)
Modifies registry class 64 IoCs
description | ioc | Process | rows
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | D6A71B~1.EXE | 63
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | d6a71bae2967f1b58b1a552d0905d05e7ce84e3c189cf10911107ad573d70f2bN.exe | 1
(64 rows in total; every row creates the same key, so the rows are collapsed by process and counted in the last column)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | rows
PID 3028 wrote to memory of 4472 | 3028 | d6a71bae2967f1b58b1a552d0905d05e7ce84e3c189cf10911107ad573d70f2bN.exe | 84 | 3
PID 4472 wrote to memory of 1088 | 4472 | d6a71bae2967f1b58b1a552d0905d05e7ce84e3c189cf10911107ad573d70f2bN.exe | 85 | 3
PID 1088 wrote to memory of 3188 | 1088 | svchost.com | 86 | 3
PID 3188 wrote to memory of 2148 | 3188 | D6A71B~1.EXE | 87 | 3
PID 2148 wrote to memory of 1100 | 2148 | svchost.com | 88 | 3
PID 1100 wrote to memory of 3252 | 1100 | D6A71B~1.EXE | 89 | 3
PID 3252 wrote to memory of 1336 | 3252 | svchost.com | 112 | 3
PID 1336 wrote to memory of 4884 | 1336 | D6A71B~1.EXE | 91 | 3
PID 4884 wrote to memory of 5104 | 4884 | svchost.com | 92 | 3
PID 5104 wrote to memory of 3436 | 5104 | D6A71B~1.EXE | 93 | 3
PID 3436 wrote to memory of 4556 | 3436 | svchost.com | 94 | 3
PID 4556 wrote to memory of 4380 | 4556 | D6A71B~1.EXE | 95 | 3
PID 4380 wrote to memory of 720 | 4380 | svchost.com | 96 | 3
PID 720 wrote to memory of 3808 | 720 | D6A71B~1.EXE | 124 | 3
PID 3808 wrote to memory of 4616 | 3808 | svchost.com | 98 | 3
PID 4616 wrote to memory of 1548 | 4616 | D6A71B~1.EXE | 133 | 3
PID 1548 wrote to memory of 4216 | 1548 | svchost.com | 100 | 3
PID 4216 wrote to memory of 4476 | 4216 | D6A71B~1.EXE | 101 | 3
PID 4476 wrote to memory of 688 | 4476 | svchost.com | 102 | 3
PID 688 wrote to memory of 4516 | 688 | D6A71B~1.EXE | 137 | 3
PID 4516 wrote to memory of 4284 | 4516 | svchost.com | 214 | 3
PID 4284 wrote to memory of 3708 | 4284 | D6A71B~1.EXE | 105 | 1
(64 rows in total; the sandbox records each parent-to-child write three times, so identical rows are collapsed and counted in the last column)
Processes
Each entry below is spawned by the entry above it (the chain matches the WriteProcessMemory table); the leading number is the entry's depth in the process tree, and the image path is followed by the command line the sandbox recorded.

1. C:\Users\Admin\AppData\Local\Temp\d6a71bae2967f1b58b1a552d0905d05e7ce84e3c189cf10911107ad573d70f2bN.exe (PID 3028)
   Command line: "C:\Users\Admin\AppData\Local\Temp\d6a71bae2967f1b58b1a552d0905d05e7ce84e3c189cf10911107ad573d70f2bN.exe"
   - Modifies system executable filetype association
   - Drops file in Program Files directory
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\AppData\Local\Temp\3582-490\d6a71bae2967f1b58b1a552d0905d05e7ce84e3c189cf10911107ad573d70f2bN.exe (PID 4472)
   Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\d6a71bae2967f1b58b1a552d0905d05e7ce84e3c189cf10911107ad573d70f2bN.exe"
   - Checks computer location settings
   - Executes dropped EXE
   - Drops file in Program Files directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
3. C:\Windows\svchost.com (PID 1088)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
4. C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE (PID 3188)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE
   - Checks computer location settings
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
5. C:\Windows\svchost.com (PID 2148)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"
   - Executes dropped EXE
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
6. C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE (PID 1100)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE
   - Checks computer location settings
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
7. C:\Windows\svchost.com (PID 3252)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
8. C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE (PID 1336)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE
   - Checks computer location settings
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
9. C:\Windows\svchost.com (PID 4884)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
10. C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE (PID 5104)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE
   - Checks computer location settings
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
11. C:\Windows\svchost.com (PID 3436)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
12. C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE (PID 4556)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
13. C:\Windows\svchost.com (PID 4380)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
14. C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE (PID 720)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE
   - Executes dropped EXE
   - Drops file in Windows directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
15. C:\Windows\svchost.com (PID 3808)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
16. C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE (PID 4616)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE
   - Checks computer location settings
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
17. C:\Windows\svchost.com (PID 1548)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
18. C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE (PID 4216)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE
   - Checks computer location settings
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
19. C:\Windows\svchost.com (PID 4476)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"
   - Executes dropped EXE
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
20. C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE (PID 688)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE
   - Checks computer location settings
   - Executes dropped EXE
   - Drops file in Windows directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
21. C:\Windows\svchost.com (PID 4516)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
22. C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE (PID 4284)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
23. C:\Windows\svchost.com (PID 3708)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"
   - Executes dropped EXE
24. C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE (PID 1948)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE
   - Executes dropped EXE
   - Modifies registry class
25. C:\Windows\svchost.com (PID 2176)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"
   - Executes dropped EXE
26. C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE (PID 2144)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE
   - Checks computer location settings
   - Executes dropped EXE
   - Modifies registry class
27. C:\Windows\svchost.com (PID 1536)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
28. C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE (PID 4316)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE
   - Executes dropped EXE
29. C:\Windows\svchost.com (PID 3960)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
30. C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE (PID 1336)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE
   - Executes dropped EXE
   - Modifies registry class
31. C:\Windows\svchost.com (PID 2528)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
32. C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE (PID 3480)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE
   - Executes dropped EXE
   - Modifies registry class
33. C:\Windows\svchost.com (PID 2400)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"
   - Executes dropped EXE
   - Drops file in Windows directory
34. C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE (PID 3184)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE
   - Checks computer location settings
   - Executes dropped EXE
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
35. C:\Windows\svchost.com (PID 4820)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
36. C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE (PID 3812)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE
   - Executes dropped EXE
37. C:\Windows\svchost.com (PID 3064)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
38. C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE (PID 2860)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE
   - Checks computer location settings
   - Executes dropped EXE
   - Drops file in Windows directory
   - Modifies registry class
39. C:\Windows\svchost.com (PID 2488)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"
   - Executes dropped EXE
40. C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE (PID 4464)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE
   - Executes dropped EXE
41. C:\Windows\svchost.com (PID 4544)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"
   - Executes dropped EXE
   - Drops file in Windows directory
42. C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE (PID 3808)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE
   - Checks computer location settings
   - Executes dropped EXE
   - Modifies registry class
43. C:\Windows\svchost.com (PID 2460)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"
   - Executes dropped EXE
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
44. C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE (PID 2256)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE
   - Executes dropped EXE
45. C:\Windows\svchost.com (PID 4176)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"
   - Executes dropped EXE
46. C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE (PID 3156)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE
   - Executes dropped EXE
47. C:\Windows\svchost.com (PID 3656)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"
   - Executes dropped EXE
   - Drops file in Windows directory
48. C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE (PID 3680)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE
   - Checks computer location settings
   - Executes dropped EXE
   - Modifies registry class
49. C:\Windows\svchost.com (PID 2888)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"
   - Executes dropped EXE
50. C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE (PID 632)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE
   - Checks computer location settings
   - Executes dropped EXE
51. C:\Windows\svchost.com (PID 1548)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"
   - Executes dropped EXE
52. C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE (PID 3312)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE
   - Executes dropped EXE
   - Modifies registry class
53. C:\Windows\svchost.com (PID 3492)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
54. C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE (PID 3260)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE
   - Executes dropped EXE
55. C:\Windows\svchost.com (PID 4516)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"
   - Executes dropped EXE
   - Drops file in Windows directory
56. C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE (PID 1728)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE
   - Executes dropped EXE
57. C:\Windows\svchost.com (PID 2424)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"
   - Executes dropped EXE
58. C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE (PID 2140)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE
   - Checks computer location settings
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
59. C:\Windows\svchost.com (PID 516)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"
   - Executes dropped EXE
60. C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE (PID 1452)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE
   - Checks computer location settings
   - Executes dropped EXE
61. C:\Windows\svchost.com (PID 4788)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"
   - Executes dropped EXE
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
62. C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE (PID 2560)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Modifies registry class
63. C:\Windows\svchost.com (PID 4400)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"
   - Executes dropped EXE
64. C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE (PID 4036)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
65. C:\Windows\svchost.com (PID 232)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"
   - Executes dropped EXE
66. C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE (PID 4808)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE
   - Checks computer location settings
67. C:\Windows\svchost.com (PID 4408)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"
68. C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE (PID 4776)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE
69. C:\Windows\svchost.com (PID 4820)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"
   - Drops file in Windows directory
70. C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE (PID 3692)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE
   - System Location Discovery: System Language Discovery
71. C:\Windows\svchost.com (PID 3064)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"
72. C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE (PID 944)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE
   - System Location Discovery: System Language Discovery
73. C:\Windows\svchost.com (PID 1104)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"
   - Drops file in Windows directory
74. C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE (PID 4364)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE
   - Modifies registry class
75. C:\Windows\svchost.com (PID 2736)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"
76. C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE (PID 396)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE
   - Modifies registry class
77. C:\Windows\svchost.com (PID 4200)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"
   - System Location Discovery: System Language Discovery
78. C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE (PID 852)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE
   - Drops file in Windows directory
   - Modifies registry class
79. C:\Windows\svchost.com (PID 1572)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"
   - System Location Discovery: System Language Discovery
80. C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE (PID 1920)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE
   - Checks computer location settings
   - Modifies registry class
81. C:\Windows\svchost.com (PID 4664)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"
   - System Location Discovery: System Language Discovery
82. C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE (PID 2192)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE
   - Checks computer location settings
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
83. C:\Windows\svchost.com (PID 928)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"
84. C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE (PID 1308)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE
85. C:\Windows\svchost.com (PID 2372)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"
   - System Location Discovery: System Language Discovery
86. C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE (PID 4908)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE
   - Checks computer location settings
87. C:\Windows\svchost.com (PID 5064)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"
   - Drops file in Windows directory
88. C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE (PID 3312)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE
89. C:\Windows\svchost.com (PID 2484)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"
90. C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE (PID 3148)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE
   - Checks computer location settings
   - Modifies registry class
91. C:\Windows\svchost.com (PID 1228)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"
92. C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE (PID 1492)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE
   - Checks computer location settings
   - Modifies registry class
93. C:\Windows\svchost.com (PID 4564)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"
   - Drops file in Windows directory
94. C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE (PID 3604)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE
   - Checks computer location settings
   - Modifies registry class
95. C:\Windows\svchost.com (PID 3152)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"
   - System Location Discovery: System Language Discovery
96. C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE (PID 3368)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE
   - Modifies registry class
97. C:\Windows\svchost.com (PID 2704)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"
98. C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE (PID 3196)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE
   - Checks computer location settings
   - Modifies registry class
99. C:\Windows\svchost.com (PID 3412)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"
100. C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE (PID 1280)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE
   - Checks computer location settings
   - Modifies registry class
101. C:\Windows\svchost.com (PID 2428)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"
102. C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE (PID 1900)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE
   - System Location Discovery: System Language Discovery
   - Modifies registry class
103. C:\Windows\svchost.com (PID 2528)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"
104. C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE (PID 3916)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE
   - Checks computer location settings
   - Drops file in Windows directory
   - Modifies registry class
105. C:\Windows\svchost.com (PID 1120)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"
106. C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE (PID 3480)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE
   - Checks computer location settings
   - Drops file in Windows directory
107. C:\Windows\svchost.com (PID 4600)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"
108. C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE (PID 3672)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
109. C:\Windows\svchost.com (PID 4380)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"
-
C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE110⤵
- Drops file in Windows directory
- Modifies registry class
PID:1096 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"111⤵PID:536
-
C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE112⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:672 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"113⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:720 -
C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE114⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2980 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"115⤵
- Drops file in Windows directory
PID:2996 -
C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE116⤵
- Checks computer location settings
- Modifies registry class
PID:3924 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"117⤵PID:880
-
C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE118⤵PID:3012
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"119⤵
- Drops file in Windows directory
PID:1988 -
C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE120⤵
- Modifies registry class
PID:2120 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE"121⤵PID:1476
-
C:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D6A71B~1.EXE122⤵
- Checks computer location settings
- Modifies registry class
PID:3912