Analysis
max time kernel: 29s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 17-12-2024 12:35
Behavioral task: behavioral1
Sample: 888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: 888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
Resource: win10v2004-20241007-en
General
Target: 888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
Size: 186KB
MD5: 39983e2afcac9ebce83b38a6d81e80b0
SHA1: bd526fbce7cfc56eaa25c767507bba81d6557d7c
SHA256: 888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364
SHA512: f5c1d9b893038839cd84991d5a0bd4a37e954618c658660b78b8751c4aa233c31796fe39c55e410349f5299566005093410053ec005cfbf33d94c935d697b748
SSDEEP: 3072:sr85CkkbAYn2GgYlBYN2fHYTo+n2t8wDSRUTDr85C:k9xbAMpgY3gTa8DRUTf9
Malware Config
Signatures
Detect Neshta payload (64 IoCs)
YARA rule family_neshta matched 9 dropped files and 55 process memory regions. Every memory match covers 0x0000000000400000-0x000000000041B000, the image mapped at the default base in each process of the launch chain, in the svchost.com processes (e.g. PID 2888) and in the re-launched 888E49~1.EXE processes (e.g. PID 2984) alike.
Files (behavioral1/files/):
0x00090000000195ab-2.dat
0x00070000000195ad-15.dat
0x0001000000010314-19.dat
0x0001000000010312-18.dat
0x0005000000010351-17.dat
0x0002000000010484-16.dat
0x000100000000f7dd-140.dat
0x000100000000f77b-143.dat
0x000100000000f7cf-147.dat
Memory (behavioral1/memory/<pid>-<dump index>-0x0000000000400000-0x000000000041B000-memory.dmp), listed as pid-index:
2888-30, 2984-29, 2860-45, 472-44, 1092-58, 2224-57, 2408-73, 2804-72, 2988-86, 2212-85, 2308-101, 1192-100, 2396-123, 2036-114, 984-129, 1364-128,
680-154, 2452-153, 1968-174, 852-173, 2152-192, 2544-191, 848-199, 1556-200, 616-220, 776-219, 2292-229, 2324-228, 1492-240, 888-239, 932-251, 1916-250, 1736-264, 2944-263, 2972-291, 2872-290, 2780-299, 2740-298,
2576-307, 1384-306, 580-314, 2588-315, 568-325, 3048-324, 2552-336, 2308-335, 2448-345, 2044-344, 1320-358, 2120-357, 2264-366, 2300-365, 2532-380, 2392-379, 1064-388
Neshta
Neshta is a file-infecting virus that prepends its own body to other executables, so every infected program carries the infector and spreads it to further binaries while leaving them altered. The behaviours logged below are its standard set: it plants a copy of itself as C:\Windows\svchost.com (a .com file of its own, not the Windows svchost.exe service host), records state in C:\Windows\directx.sys (a data file, not a driver), extracts the original program to %TEMP%\3582-490\ and runs it from there, and re-points the .exe file association at svchost.com so that every program launch passes through the infector.
Neshta family
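Because a prepending infector leaves the original program intact behind its own stub, an infected file carries two PE images: the infector's at offset 0 and the host after it. The script below is an added example, not tria.ge output or Neshta code: it locates embedded PE headers by validating e_lfanew rather than trusting every "MZ", flags the prepend layout and carves the trailing image. The two PE-shaped blobs it runs on are constructed in the code and are not the sample; the carve is the original program only if the infector appended it unmodified, which for this family you can confirm by comparing against the copy the stub itself extracts to %TEMP%\3582-490\.

```python
"""Find PE images embedded in a file and carve the trailing one.

Added example for this report; not tria.ge or Neshta code. A prepending
file infector leaves the original host intact after its own stub, so an
infected file carries two PE headers. The PE-shaped test blobs are
constructed below and are not the sample.
"""
from __future__ import annotations

import struct

MZ = b"MZ"
PE_SIG = b"PE\x00\x00"
DOS_HEADER_LEN = 0x40          # IMAGE_DOS_HEADER is 64 bytes
E_LFANEW_OFFSET = 0x3C         # DWORD offset of the NT headers, relative to 'MZ'


def find_pe_headers(data: bytes) -> list[int]:
    """Offsets of every 'MZ' whose e_lfanew lands on a 'PE\\0\\0' signature.

    Validating e_lfanew instead of accepting every 'MZ' keeps the two bytes
    'MZ' appearing in ordinary data or code from counting as an image.
    """
    hits: list[int] = []
    pos = data.find(MZ)
    while pos != -1:
        if pos + DOS_HEADER_LEN <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, pos + E_LFANEW_OFFSET)
            pe = pos + e_lfanew
            if e_lfanew >= DOS_HEADER_LEN and data[pe:pe + 4] == PE_SIG:
                hits.append(pos)
        pos = data.find(MZ, pos + 1)
    return hits


def looks_prepend_infected(data: bytes) -> bool:
    """True when a valid PE sits at offset 0 and at least one more follows it."""
    hits = find_pe_headers(data)
    return len(hits) >= 2 and hits[0] == 0


def carve_trailing_image(data: bytes) -> bytes | None:
    """Return everything from the second PE header on, i.e. the candidate host."""
    hits = find_pe_headers(data)
    return data[hits[1]:] if len(hits) >= 2 else None


def make_fake_pe(body: bytes) -> bytes:
    """Constructed, non-executable PE-shaped blob: DOS header, 'PE\\0\\0',
    a zeroed IMAGE_FILE_HEADER (20 bytes), then `body`."""
    dos = bytearray(DOS_HEADER_LEN)
    dos[0:2] = MZ
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, DOS_HEADER_LEN)
    return bytes(dos) + PE_SIG + bytes(20) + body


if __name__ == "__main__":
    stub = make_fake_pe(b"INFECTOR" * 8)      # stands in for the infector body
    host = make_fake_pe(b"ORIGINAL" * 8)      # stands in for the victim program
    print(find_pe_headers(stub + host))       # [0, 152]
    print(looks_prepend_infected(stub + host),
          carve_trailing_image(stub + host) == host)   # True True
```

On a real sample, read the file in binary mode and pass the bytes to find_pe_headers; a single hit at offset 0 means either a clean file or an infector that does not keep the host as a contiguous PE, so a negative result does not clear the file.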
Executes dropped EXE (64 IoCs)
pid  process
2616  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
2888  svchost.com
2984  888E49~1.EXE
472  svchost.com
2860  888E49~1.EXE
2224  svchost.com
1092  888E49~1.EXE
2804  svchost.com
2408  888E49~1.EXE
2212  svchost.com
2988  888E49~1.EXE
2308  svchost.com
1192  888E49~1.EXE
2396  svchost.com
2036  888E49~1.EXE
1364  svchost.com
984  888E49~1.EXE
680  svchost.com
2452  888E49~1.EXE
1968  svchost.com
852  888E49~1.EXE
2544  svchost.com
2152  888E49~1.EXE
1556  svchost.com
848  888E49~1.EXE
616  svchost.com
776  888E49~1.EXE
2292  svchost.com
2324  888E49~1.EXE
888  svchost.com
1492  888E49~1.EXE
1916  svchost.com
932  888E49~1.EXE
1736  svchost.com
2944  888E49~1.EXE
2872  svchost.com
2972  888E49~1.EXE
2780  svchost.com
2740  888E49~1.EXE
2576  svchost.com
1384  888E49~1.EXE
2588  svchost.com
580  888E49~1.EXE
3048  svchost.com
568  888E49~1.EXE
2552  svchost.com
2308  888E49~1.EXE
2448  svchost.com
2044  888E49~1.EXE
1320  svchost.com
2120  888E49~1.EXE
2300  svchost.com
2264  888E49~1.EXE
2532  svchost.com
2392  888E49~1.EXE
1544  svchost.com
1064  888E49~1.EXE
1008  svchost.com
2248  888E49~1.EXE
1600  svchost.com
1820  888E49~1.EXE
952  svchost.com
1556  888E49~1.EXE
596  svchost.com
Loads dropped DLL (64 IoCs)
pid  process (×n = number of times the row is logged)
2496  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe (×2)
2888  svchost.com (×2)
472  svchost.com (×2)
2224  svchost.com (×2)
2804  svchost.com (×2)
2212  svchost.com (×2)
2308  svchost.com (×2)
2396  svchost.com (×2)
1364  svchost.com (×2)
680  svchost.com (×2)
2496  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
2616  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
1968  svchost.com (×2)
2544  svchost.com (×2)
2616  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
1556  svchost.com (×2)
616  svchost.com (×2)
2616  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
2292  svchost.com (×2)
888  svchost.com (×2)
1916  svchost.com (×2)
2616  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
1736  svchost.com (×2)
2872  svchost.com (×2)
2616  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
2780  svchost.com (×2)
2576  svchost.com (×2)
2588  svchost.com (×2)
3048  svchost.com (×2)
2552  svchost.com (×2)
2448  svchost.com (×2)
1320  svchost.com (×2)
2616  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe (×2)
2300  svchost.com (×2)
2532  svchost.com (×2)
Modifies system executable filetype association (2 TTPs, 1 IoC)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ (Default) = "C:\\Windows\\svchost.com \"%1\" %*" by 888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
The stock value of this key is "%1" %*. After the change every .exe opened through the shell is started by C:\Windows\svchost.com, which receives the requested program as "%1" and its arguments as %*; the alternating svchost.com / 888E49~1.EXE process tree below is this hook firing. It is both the persistence and the propagation point: deleting svchost.com without restoring the value breaks every .exe launch, and restoring the value without removing svchost.com and the infected binaries leaves the infection in place.
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials. No IoC is listed for this signature in this run.
Drops file in Program Files directory (64 IoCs)
All 64 events are "File opened for modification" by 888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe (the name of both PID 2496 and PID 2616). Every target is an existing executable under PROGRA~2 or PROGRA~3 (8.3 short names, normally Program Files (x86) and ProgramData), i.e. this is the infection pass over installed software; a few paths repeat because they were opened more than once.
C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE
C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE
C:\PROGRA~2\WI54FB~1\wmprph.exe
C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE
C:\PROGRA~2\MICROS~1\Office14\misc.exe
C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE
C:\PROGRA~2\WI54FB~1\wmpconfig.exe
C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe
C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE
C:\PROGRA~2\WI54FB~1\wmplayer.exe
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE
C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE
C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE
C:\PROGRA~2\WINDOW~1\wab.exe
C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE
C:\PROGRA~2\WI54FB~1\setup_wm.exe
C:\PROGRA~2\WI54FB~1\WMPDMC.exe
C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE
C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE
C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE
C:\PROGRA~2\WI54FB~1\setup_wm.exe
C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe
C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE
C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE
C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE
C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE
C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE
C:\PROGRA~2\INTERN~1\iexplore.exe
C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE
C:\PROGRA~2\MICROS~1\Office14\OIS.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe
C:\PROGRA~2\INTERN~1\ieinstal.exe
C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE
C:\PROGRA~2\INTERN~1\ielowutil.exe
C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe
C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE
C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE
C:\PROGRA~2\WI4223~1\sidebar.exe
C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE
C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE
C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE
C:\PROGRA~2\WI54FB~1\wmlaunch.exe
C:\PROGRA~2\WI54FB~1\wmlaunch.exe
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE
C:\PROGRA~2\INTERN~1\ielowutil.exe
C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
C:\PROGRA~2\WI54FB~1\wmpshare.exe
C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE
Drops file in Windows directory (64 IoCs)
All 64 events are "File opened for modification" on one of two paths, by both the svchost.com and the 888E49~1.EXE processes of the launch chain (every process-to-path combination occurs):
C:\Windows\svchost.com
C:\Windows\directx.sys
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
All 64 events are "Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", logged for both the svchost.com and the 888E49~1.EXE processes; each process in the chain reads the key once it starts.
Modifies registry class (1 IoC)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ (Default) = "C:\\Windows\\svchost.com \"%1\" %*" by 888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe (the same write reported above under "Modifies system executable filetype association")
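Both "Modifies system executable filetype association" and "Modifies registry class" point at the same registry write, which is the one that matters for response. The following is an added example (mine, not tria.ge's and not the malware's): it parses an exefile open command and reports the program interposed before "%1", lists which of the Neshta artifacts are on disk, and, on Windows only, reads the live value. The command strings used for the demonstration are the ones in this report; the artifact paths are taken from the "Drops file in Windows directory" signature. Caveat: an interposed program is not malicious by itself (application-control and sandboxing products also wrap exefile), so the verdict combines the interposer with the artifact check.

```python
"""Triage the .exe file-type association and Neshta's on-disk artifacts.

Added example for this report; not tria.ge or Neshta code. The command
strings used in the demonstration are the ones in this report; the
artifact paths come from the "Drops file in Windows directory" signature.
"""
from __future__ import annotations

import os
import re

EXEFILE_KEY = r"SOFTWARE\Classes\exefile\shell\open\command"
EXEFILE_DEFAULT = '"%1" %*'                       # stock value: run the .exe itself
NESHTA_ARTIFACTS = [r"C:\Windows\svchost.com", r"C:\Windows\directx.sys"]

# Windows command-line tokens: a double-quoted run or a run of non-space.
_TOKEN = re.compile(r'"[^"]*"|\S+')


def exefile_interposer(command: str) -> str | None:
    """Program that runs in place of the requested .exe, or None when the
    command is the stock form (its first token is the %1 placeholder)."""
    tokens = _TOKEN.findall(command)
    if not tokens:
        raise ValueError("empty exefile command: no .exe would launch at all")
    first = tokens[0].strip('"')
    return None if first == "%1" else first


def is_neshta_interposer(program: str | None) -> bool:
    """Neshta's wrapper is <WINDIR>\\svchost.com: note the .com extension, and
    that the real svchost.exe never appears in an exefile command."""
    return program is not None and program.lower().endswith("\\svchost.com")


def present_artifacts(paths: list[str] = NESHTA_ARTIFACTS) -> list[str]:
    """Subset of `paths` that exists on this machine (empty off Windows)."""
    return [p for p in paths if os.path.exists(p)]


def read_live_exefile_command() -> str | None:
    """Live read of HKLM\\SOFTWARE\\Classes\\exefile\\shell\\open\\command
    (Default); returns None where winreg is unavailable."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, EXEFILE_KEY) as key:
        value, _kind = winreg.QueryValueEx(key, "")   # "" selects the (Default) value
    return value


def assess(command: str, artifacts: list[str]) -> dict:
    """Combine both indicators; a wrapper alone can be legitimate software."""
    interposer = exefile_interposer(command)
    reasons = []
    if is_neshta_interposer(interposer):
        reasons.append("exefile routed through svchost.com")
    reasons += [f"artifact present: {p}" for p in artifacts]
    return {
        "exefile_hijacked": interposer is not None,
        "interposer": interposer,
        "neshta_reasons": reasons,
    }


if __name__ == "__main__":
    # The value written by this sample (from the report) versus the stock one.
    for cmd in (r'C:\Windows\svchost.com "%1" %*', EXEFILE_DEFAULT):
        print(cmd, "->", assess(cmd, present_artifacts()))
    live = read_live_exefile_command()
    if live is not None:
        print("this host:", assess(live, present_artifacts()))
```

When cleaning up, restore the (Default) value to "%1" %* in the same step as removing C:\Windows\svchost.com; doing either alone leaves the machine unable to start .exe files or still hooked.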
Suspicious use of WriteProcessMemory (64 IoCs)
Each parent-to-child write is logged four times; the 16 distinct writes (writer pid, writer process, target pid, procid_target) are listed once each below. Every writer is the direct parent of its target and the chain strictly alternates svchost.com and 888E49~1.EXE, which is consistent with each process creating the next rather than injecting into unrelated processes.
2496 (888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe) wrote to memory of 2616, procid_target 30
2616 (888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe) wrote to memory of 2888, procid_target 31
2888 (svchost.com) wrote to memory of 2984, procid_target 32
2984 (888E49~1.EXE) wrote to memory of 472, procid_target 33
472 (svchost.com) wrote to memory of 2860, procid_target 34
2860 (888E49~1.EXE) wrote to memory of 2224, procid_target 35
2224 (svchost.com) wrote to memory of 1092, procid_target 36
1092 (888E49~1.EXE) wrote to memory of 2804, procid_target 37
2804 (svchost.com) wrote to memory of 2408, procid_target 38
2408 (888E49~1.EXE) wrote to memory of 2212, procid_target 39
2212 (svchost.com) wrote to memory of 2988, procid_target 40
2988 (888E49~1.EXE) wrote to memory of 2308, procid_target 76
2308 (svchost.com) wrote to memory of 1192, procid_target 120
1192 (888E49~1.EXE) wrote to memory of 2396, procid_target 43
2396 (svchost.com) wrote to memory of 2036, procid_target 44
2036 (888E49~1.EXE) wrote to memory of 1364, procid_target 45
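The rows above flatten into a single launch chain. The added example below is not part of the report: it parses rows in exactly the page's format, de-duplicates them, rebuilds the parent-to-child chain and tests for the svchost.com / host alternation that a hijacked exefile association produces. The sample rows are the first hops copied from this report (with the fourfold repeats reduced to two copies to show the de-duplication); the row regex and the hop limit are my assumptions about the format.

```python
"""Rebuild the launch chain from tria.ge "Suspicious use of WriteProcessMemory" rows.

Added example for this report, not tria.ge code. SAMPLE_ROWS are the first
hops copied from this report (each hop is logged four times there; two
copies are kept here to show the de-duplication). The row regex and the
hop limit are assumptions about the format.
"""
from __future__ import annotations

import re

HOST = "888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe"

# Columns on the page: description, pid, Process, procid_target.
ROW = re.compile(r"PID (?P<writer>\d+) wrote to memory of (?P<target>\d+) "
                 r"(?P<pid>\d+) (?P<process>\S+) (?P<procid>\d+)")

SAMPLE_ROWS = "\n".join(
    f"PID {w} wrote to memory of {t} {w} {name} {procid}"
    for w, t, name, procid in [
        (2496, 2616, HOST, 30), (2496, 2616, HOST, 30),
        (2616, 2888, HOST, 31), (2616, 2888, HOST, 31),
        (2888, 2984, "svchost.com", 32), (2888, 2984, "svchost.com", 32),
        (2984, 472, "888E49~1.EXE", 33), (2984, 472, "888E49~1.EXE", 33),
        (472, 2860, "svchost.com", 34), (472, 2860, "svchost.com", 34),
        (2860, 2224, "888E49~1.EXE", 35), (2860, 2224, "888E49~1.EXE", 35),
    ]
)


def parse_rows(text: str) -> dict[tuple[int, int], str]:
    """Distinct (writer_pid, target_pid) -> writer process name, first-seen order."""
    edges: dict[tuple[int, int], str] = {}
    for m in ROW.finditer(text):
        edges.setdefault((int(m["writer"]), int(m["target"])), m["process"])
    return edges


def launch_chain(edges: dict[tuple[int, int], str], root: int,
                 max_hops: int = 64) -> list[tuple[int, str]]:
    """Follow writer -> target links from `root`. The last process is named
    '?' because names only appear in the writer column."""
    name_of = {w: name for (w, _), name in edges.items()}
    next_of: dict[int, int] = {}
    for w, t in edges:
        next_of.setdefault(w, t)                  # keep the first child only
    chain: list[tuple[int, str]] = []
    seen: set[int] = set()
    pid: int | None = root
    while pid is not None and pid not in seen and len(chain) < max_hops:
        seen.add(pid)
        chain.append((pid, name_of.get(pid, "?")))
        pid = next_of.get(pid)
    return chain


def alternates_via(chain: list[tuple[int, str]], wrapper: str = "svchost.com") -> bool:
    """True when `wrapper` sits at every second position of the chain: each
    launch of the host goes through the wrapper, which starts the host,
    which launches again, the signature of a hijacked exefile association."""
    idx = [i for i, (_, name) in enumerate(chain) if name.lower() == wrapper]
    return len(idx) >= 2 and all(b - a == 2 for a, b in zip(idx, idx[1:]))


if __name__ == "__main__":
    chain = launch_chain(parse_rows(SAMPLE_ROWS), root=2496)
    for pid, name in chain:
        print(f"{pid:>5}  {name}")
    print("wrapper alternation:", alternates_via(chain))   # True
```

Feeding the full 64 rows of this report to parse_rows yields 16 edges and a 17-process chain; the same function applied to a report where the writers and targets are unrelated processes (classic injection) produces many short chains instead of one long alternating one.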
Processes

Each entry gives the nesting depth in the process tree (the number that preceded the ⤵ marker in the raw export), the PID, the image path, the command line, and the behaviours the sandbox attributed to that process.

depth 1, PID 2496: C:\Users\Admin\AppData\Local\Temp\888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
command line: "C:\Users\Admin\AppData\Local\Temp\888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe"
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory

depth 2, PID 2616: C:\Users\Admin\AppData\Local\Temp\3582-490\888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory

depth 3, PID 2888: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

depth 4, PID 2984: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

depth 5, PID 472: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

depth 6, PID 2860: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

depth 7, PID 2224: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

depth 8, PID 1092: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory

depth 9, PID 2804: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

depth 10, PID 2408: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

depth 11, PID 2212: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

depth 12, PID 2988: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory

depth 13, PID 2308: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

depth 14, PID 1192: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

depth 15, PID 2396: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory

depth 16, PID 2036: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

depth 17, PID 1364: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"
- Executes dropped EXE
- Loads dropped DLL

depth 18, PID 984: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
- Executes dropped EXE
- System Location Discovery: System Language Discovery

depth 19, PID 680: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"
- Executes dropped EXE
- Loads dropped DLL

depth 20, PID 2452: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
- Executes dropped EXE

depth 21, PID 1968: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"
- Executes dropped EXE
- Loads dropped DLL

depth 22, PID 852: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
- Executes dropped EXE
- System Location Discovery: System Language Discovery

depth 23, PID 2544: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"
- Executes dropped EXE
- Loads dropped DLL

depth 24, PID 2152: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
- Executes dropped EXE

depth 25, PID 1556: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery

depth 26, PID 848: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery

depth 27, PID 616: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery

depth 28, PID 776: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
- Executes dropped EXE
- Drops file in Windows directory

depth 29, PID 2292: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"
- Executes dropped EXE
- Loads dropped DLL

depth 30, PID 2324: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
- Executes dropped EXE
- Drops file in Windows directory

depth 31, PID 888: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"
- Executes dropped EXE
- Loads dropped DLL

depth 32, PID 1492: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
- Executes dropped EXE

depth 33, PID 1916: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"
- Executes dropped EXE
- Loads dropped DLL

depth 34, PID 932: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
- Executes dropped EXE

depth 35, PID 1736: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery

depth 36, PID 2944: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
- Executes dropped EXE
- Drops file in Windows directory

depth 37, PID 2872: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"
- Executes dropped EXE
- Loads dropped DLL

depth 38, PID 2972: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
- Executes dropped EXE
- System Location Discovery: System Language Discovery

depth 39, PID 2780: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"
- Executes dropped EXE
- Loads dropped DLL

depth 40, PID 2740: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
- Executes dropped EXE
- System Location Discovery: System Language Discovery

depth 41, PID 2576: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"
- Executes dropped EXE
- Loads dropped DLL

depth 42, PID 1384: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
- Executes dropped EXE
- System Location Discovery: System Language Discovery

depth 43, PID 2588: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"
- Executes dropped EXE
- Loads dropped DLL

depth 44, PID 580: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
- Executes dropped EXE

depth 45, PID 3048: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"
- Executes dropped EXE
- Loads dropped DLL

depth 46, PID 568: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
- Executes dropped EXE

depth 47, PID 2552: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"
- Executes dropped EXE
- Loads dropped DLL

depth 48, PID 2308: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
- Executes dropped EXE
- Drops file in Windows directory

depth 49, PID 2448: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"
- Executes dropped EXE
- Loads dropped DLL

depth 50, PID 2044: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
- Executes dropped EXE

depth 51, PID 1320: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"
- Executes dropped EXE
- Loads dropped DLL

depth 52, PID 2120: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
- Executes dropped EXE

depth 53, PID 2300: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"
- Executes dropped EXE
- Loads dropped DLL

depth 54, PID 2264: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
- Executes dropped EXE

depth 55, PID 2532: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"
- Executes dropped EXE
- Loads dropped DLL

depth 56, PID 2392: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
- Executes dropped EXE

depth 57, PID 1544: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"
- Executes dropped EXE

depth 58, PID 1064: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
- Executes dropped EXE

depth 59, PID 1008: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"
- Executes dropped EXE
- System Location Discovery: System Language Discovery

depth 60, PID 2248: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
- Executes dropped EXE

depth 61, PID 1600: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"
- Executes dropped EXE
- Drops file in Windows directory

depth 62, PID 1820: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
- Executes dropped EXE
- System Location Discovery: System Language Discovery

depth 63, PID 952: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"
- Executes dropped EXE
- System Location Discovery: System Language Discovery

depth 64, PID 1556: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
- Executes dropped EXE
- Drops file in Windows directory

depth 65, PID 596: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"
- Executes dropped EXE
- Drops file in Windows directory

depth 66, PID 1388: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE

depth 67, PID 1748: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"

depth 68, PID 2024: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery

depth 69, PID 1176: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"
- Drops file in Windows directory

depth 70, PID 2100: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE

depth 71, PID 2712: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"

depth 72, PID 1588: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE

depth 73, PID 2320: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"

depth 74, PID 1620: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE

depth 75, PID 932: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"
- Drops file in Windows directory

depth 76, PID 2868: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE

depth 77, PID 2848: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"

depth 78, PID 2748: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE

depth 79, PID 3024: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"
- System Location Discovery: System Language Discovery

depth 80, PID 2912: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE

depth 81, PID 3004: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"
- Drops file in Windows directory

depth 82, PID 2224: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE

depth 83, PID 2972: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"

depth 84, PID 2644: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
- Drops file in Windows directory

depth 85, PID 2564: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"
- System Location Discovery: System Language Discovery

depth 86, PID 1500: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE

depth 87, PID 620: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"
- System Location Discovery: System Language Discovery

depth 88, PID 2164: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE

depth 89, PID 2316: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"

depth 90, PID 568: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
- System Location Discovery: System Language Discovery

depth 91, PID 2436: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"
- Drops file in Windows directory

depth 92, PID 1192: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery

depth 93, PID 1812: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"
- Drops file in Windows directory

depth 94, PID 564: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE

depth 95, PID 1760: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"

depth 96, PID 2424: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery

depth 97, PID 956: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"
- Drops file in Windows directory

depth 98, PID 2136: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE

depth 99, PID 2420: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"
- System Location Discovery: System Language Discovery

depth 100, PID 2416: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE

depth 101, PID 680: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"

depth 102, PID 2708: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
- System Location Discovery: System Language Discovery

depth 103, PID 2160: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"
- System Location Discovery: System Language Discovery

depth 104, PID 2460: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE

depth 105, PID 1880: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"

depth 106, PID 2248: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
- Drops file in Windows directory

depth 107, PID 916: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"

depth 108, PID 812: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE

depth 109, PID 1820: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"
- Drops file in Windows directory

depth 110, PID 1888: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
- System Location Discovery: System Language Discovery

depth 111, PID 2432: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"
- Drops file in Windows directory
- System Location Discovery: System Language Discovery

depth 112, PID 2004: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
- System Location Discovery: System Language Discovery

depth 113, PID 2064: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"

depth 114, PID 880: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
- System Location Discovery: System Language Discovery

depth 115, PID 2292: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"

depth 116, PID 1176: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE

depth 117, PID 884: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"

depth 118, PID 1588: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE

depth 119, PID 976: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"

depth 120, PID 1916: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE

depth 121, PID 2980: C:\Windows\svchost.com
command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"
- Drops file in Windows directory
- System Location Discovery: System Language Discovery

depth 122, PID 2852: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
command line: C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
- Drops file in Windows directory