Analysis
Max time kernel: 110s
Max time network: 93s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
Submitted: 17-12-2024 08:18
Behavioral task behavioral1
Sample: f095edd3423076f157d82bf869f709baa7bc272620d4245b3e035282726ee118N.exe
Resource: win7-20241010-en
Behavioral task behavioral2
Sample: f095edd3423076f157d82bf869f709baa7bc272620d4245b3e035282726ee118N.exe
Resource: win10v2004-20241007-en
General
Target: f095edd3423076f157d82bf869f709baa7bc272620d4245b3e035282726ee118N.exe
Size: 4.0MB
MD5: b74870add31c96ba25ccc10ea42f8dd0
SHA1: ec768f12f7bb8446cfeec207e73224cd42e8ed45
SHA256: f095edd3423076f157d82bf869f709baa7bc272620d4245b3e035282726ee118
SHA512: 1e1816d1fd2a6c1e1525a57439aaf0549b720e0dabfeb7d6584054f2d8c705e40e5294836ab6164b6f9b0504209ab6679a28b63f40140fa5e67148612fd7a27c
SSDEEP: 49152:vDKt5jqtb72StuLh5cyqHo+oDc+HTst7R39JM9wWAToTCN7x/:L5KLhvN+ooV3ASWQ71
Signatures
Detect Neshta payload (64 IoCs)
Neshta
Malware in the Neshta family is a file infector: it inserts itself into other files in order to spread, causing damage in the process.
Neshta family
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up the country code configured in the registry (the Control Panel\International\Geo\Nation value under the user's hive), likely as a geofence check.
Executes dropped EXE (64 IoCs)
The listed processes alternate between the dropped svchost.com and F095ED~1.EXE (the 8.3 short name of the sample).
Modifies system executable filetype association (2 TTPs, 1 IoC)
Description: Set value (str)
IoC: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
Process: f095edd3423076f157d82bf869f709baa7bc272620d4245b3e035282726ee118N.exe
With this value set, every launch of an .exe file is routed through C:\Windows\svchost.com, which receives the original executable path as %1 and the original arguments as %*.
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (64 IoCs)
The files opened for modification are C:\Windows\svchost.com and C:\Windows\directx.sys, by both the sample (F095ED~1.EXE) and the dropped svchost.com.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location (here by opening the \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language key).
Modifies registry class 64 IoCs
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1132 F095ED~1.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\f095edd3423076f157d82bf869f709baa7bc272620d4245b3e035282726ee118N.exe"C:\Users\Admin\AppData\Local\Temp\f095edd3423076f157d82bf869f709baa7bc272620d4245b3e035282726ee118N.exe"1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Users\Admin\AppData\Local\Temp\3582-490\f095edd3423076f157d82bf869f709baa7bc272620d4245b3e035282726ee118N.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\f095edd3423076f157d82bf869f709baa7bc272620d4245b3e035282726ee118N.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4756 -
C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3276 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:880 -
C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:524 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"7⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1348 -
C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4000 -
C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE10⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3504 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980 -
C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE18⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1888 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4148 -
C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3448 -
C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3588 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"23⤵
- Executes dropped EXE
PID:3512 -
C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE24⤵
- Executes dropped EXE
PID:3716 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"25⤵
- Executes dropped EXE
PID:4968 -
C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE26⤵
- Checks computer location settings
- Executes dropped EXE
PID:1128 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"27⤵
- Executes dropped EXE
PID:3404 -
C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE28⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
PID:2180 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"29⤵
- Executes dropped EXE
PID:4120 -
C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE30⤵
- Executes dropped EXE
- Modifies registry class
PID:4236 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"31⤵
- Executes dropped EXE
PID:1400 -
C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE32⤵
- Executes dropped EXE
- Modifies registry class
PID:676 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1512 -
C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE34⤵
- Executes dropped EXE
- Modifies registry class
PID:3008 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"35⤵
- Executes dropped EXE
PID:2780 -
C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE36⤵
- Checks computer location settings
- Executes dropped EXE
PID:5060 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"37⤵
- Executes dropped EXE
PID:2680 -
C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE38⤵
- Checks computer location settings
- Executes dropped EXE
PID:4000 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"39⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:464 -
C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE40⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
PID:5080 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"41⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4428 -
C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE42⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2460 -
C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE44⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3376 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"45⤵
- Executes dropped EXE
PID:2468 -
C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE46⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
PID:1500 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"47⤵
- Executes dropped EXE
PID:3148 -
C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE48⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:4520 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"49⤵
- Executes dropped EXE
PID:4368 -
C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE50⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:1256 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"51⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2876 -
C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE52⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"53⤵
- Executes dropped EXE
PID:4156 -
C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3196 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"55⤵
- Executes dropped EXE
PID:5112 -
C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE56⤵
- Executes dropped EXE
- Modifies registry class
PID:1728 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"57⤵
- Executes dropped EXE
PID:4652 -
C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE58⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
PID:2120 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"59⤵
- Executes dropped EXE
PID:660 -
C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE60⤵
- Checks computer location settings
- Executes dropped EXE
PID:2996 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"61⤵
- Executes dropped EXE
PID:3332 -
C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE62⤵
- Executes dropped EXE
PID:5048 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3716 -
C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE64⤵
- Executes dropped EXE
- Modifies registry class
PID:4968 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"65⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3864 -
C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE66⤵PID:2504
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"67⤵PID:968
-
C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE68⤵
- Checks computer location settings
PID:1468 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"69⤵
- System Location Discovery: System Language Discovery
PID:880 -
C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE70⤵
- System Location Discovery: System Language Discovery
PID:1400 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"71⤵
- System Location Discovery: System Language Discovery
PID:2500 -
C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE72⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3804 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"73⤵PID:3844
-
C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE74⤵
- Checks computer location settings
- Drops file in Windows directory
PID:1832 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"75⤵PID:3852
-
C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE76⤵
- Modifies registry class
PID:2672 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"77⤵PID:3304
-
C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE78⤵
- Modifies registry class
PID:5020 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"79⤵
- Drops file in Windows directory
PID:2284 -
C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE80⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2152 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"81⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3680 -
C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE82⤵
- Checks computer location settings
- Drops file in Windows directory
PID:1528 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"83⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3260 -
C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE84⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
PID:1420 -
Level 85, PID 1028: C:\Windows\svchost.com
  command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"
Level 86, PID 3148: C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE
  command line: C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE
Level 87, PID 2536: C:\Windows\svchost.com
  command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"
Level 88, PID 4784: C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE
  command line: C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE
Level 89, PID 4632: C:\Windows\svchost.com
  command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
Level 90, PID 1096: C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE
  command line: C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE
  - Modifies registry class
Level 91, PID 3356: C:\Windows\svchost.com
  command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"
Level 92, PID 3816: C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE
  command line: C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE
  - Checks computer location settings
  - Modifies registry class
Level 93, PID 440: C:\Windows\svchost.com
  command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"
Level 94, PID 436: C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE
  command line: C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE
Level 95, PID 2488: C:\Windows\svchost.com
  command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"
Level 96, PID 4020: C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE
  command line: C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE
Level 97, PID 1404: C:\Windows\svchost.com
  command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"
Level 98, PID 4244: C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE
  command line: C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE
  - Checks computer location settings
  - Modifies registry class
Level 99, PID 2840: C:\Windows\svchost.com
  command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"
  - System Location Discovery: System Language Discovery
Level 100, PID 2996: C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE
  command line: C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE
  - Drops file in Windows directory
  - Modifies registry class
Level 101, PID 4880: C:\Windows\svchost.com
  command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"
  - System Location Discovery: System Language Discovery
Level 102, PID 4392: C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE
  command line: C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE
  - System Location Discovery: System Language Discovery
Level 103, PID 2028: C:\Windows\svchost.com
  command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"
Level 104, PID 4968: C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE
  command line: C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE
  - Checks computer location settings
  - Drops file in Windows directory
Level 105, PID 1132: C:\Windows\svchost.com
  command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"
Level 106, PID 4236: C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE
  command line: C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE
  - Checks computer location settings
  - Modifies registry class
Level 107, PID 2912: C:\Windows\svchost.com
  command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"
Level 108, PID 3688: C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE
  command line: C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE
  - System Location Discovery: System Language Discovery
Level 109, PID 1824: C:\Windows\svchost.com
  command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"
Level 110, PID 4648: C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE
  command line: C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE
  - Checks computer location settings
  - Drops file in Windows directory
  - Modifies registry class
Level 111, PID 4884: C:\Windows\svchost.com
  command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"
Level 112, PID 3636: C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE
  command line: C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
Level 113, PID 3616: C:\Windows\svchost.com
  command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"
Level 114, PID 4000: C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE
  command line: C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
Level 115, PID 4152: C:\Windows\svchost.com
  command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
Level 116, PID 3304: C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE
  command line: C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE
  - Checks computer location settings
  - Drops file in Windows directory
Level 117, PID 4792: C:\Windows\svchost.com
  command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"
Level 118, PID 2152: C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE
  command line: C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE
  - Checks computer location settings
  - Modifies registry class
Level 119, PID 2960: C:\Windows\svchost.com
  command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"
Level 120, PID 4324: C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE
  command line: C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE
  - Checks computer location settings
  - Drops file in Windows directory
Level 121, PID 2600: C:\Windows\svchost.com
  command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE"
Level 122, PID 3148: C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE
  command line: C:\Users\Admin\AppData\Local\Temp\3582-490\F095ED~1.EXE
  - Drops file in Windows directory
  - Modifies registry class