Analysis

max time kernel: 45s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-12-2024 12:35

Behavioral task: behavioral1
Sample: 888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: 888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
Resource: win10v2004-20241007-en

General

Target: 888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
Size: 186KB
MD5: 39983e2afcac9ebce83b38a6d81e80b0
SHA1: bd526fbce7cfc56eaa25c767507bba81d6557d7c
SHA256: 888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364
SHA512: f5c1d9b893038839cd84991d5a0bd4a37e954618c658660b78b8751c4aa233c31796fe39c55e410349f5299566005093410053ec005cfbf33d94c935d697b748
SSDEEP: 3072:sr85CkkbAYn2GgYlBYN2fHYTo+n2t8wDSRUTDr85C:k9xbAMpgY3gTa8DRUTf9
Malware Config

Signatures

Detect Neshta payload (64 IoCs)
Columns: resource, yara_rule
behavioral2/files/0x0008000000023c99-4.dat  family_neshta
behavioral2/files/0x0007000000023c9a-11.dat  family_neshta
behavioral2/memory/3444-16-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/3600-20-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/1968-28-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/3764-32-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/3860-40-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/1628-44-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/2732-52-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/4972-56-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/5024-64-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/2644-74-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/2912-76-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/552-80-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/1384-88-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/4724-96-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/files/0x0004000000020348-100.dat  family_neshta
behavioral2/files/0x000600000002021b-105.dat  family_neshta
behavioral2/files/0x000100000002022a-111.dat  family_neshta
behavioral2/files/0x0006000000020232-124.dat  family_neshta
behavioral2/files/0x000400000002030e-123.dat  family_neshta
behavioral2/files/0x0001000000020294-122.dat  family_neshta
behavioral2/files/0x000400000002034d-121.dat  family_neshta
behavioral2/files/0x00010000000202ac-120.dat  family_neshta
behavioral2/files/0x000400000002033b-119.dat  family_neshta
behavioral2/memory/220-125-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/1496-136-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/2400-137-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/1568-141-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/1992-154-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/files/0x00010000000214df-171.dat  family_neshta
behavioral2/files/0x00010000000214e1-175.dat  family_neshta
behavioral2/memory/4776-169-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/files/0x0001000000022f42-182.dat  family_neshta
behavioral2/files/0x0001000000022f7f-181.dat  family_neshta
behavioral2/files/0x0001000000022f7e-188.dat  family_neshta
behavioral2/files/0x0001000000016800-197.dat  family_neshta
behavioral2/files/0x000100000001dbca-205.dat  family_neshta
behavioral2/memory/2116-209-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/files/0x0001000000016912-212.dat  family_neshta
behavioral2/files/0x000100000001dbd5-208.dat  family_neshta
behavioral2/files/0x0001000000016914-215.dat  family_neshta
behavioral2/memory/740-227-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/4536-237-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/4956-249-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/2156-250-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/208-259-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/4452-262-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/2072-269-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/3444-279-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/2152-281-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/4556-287-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/3640-289-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/512-295-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/2168-302-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/4976-310-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/1260-303-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/528-311-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/3844-318-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/4880-319-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/2644-326-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/2100-327-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/396-329-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral2/memory/2680-335-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
Neshta
Malware from the Neshta family infects other executable files in order to spread itself and cause damage.

Neshta family
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
Columns: description, ioc, Process
Key value queried  \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation  888E49~1.EXE
(the row above appears 64 times in the report, identical in every column)
Executes dropped EXE (64 IoCs)
Columns: pid, Process
3224  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
3444  svchost.com
3600  888E49~1.EXE
1968  svchost.com
3764  888E49~1.EXE
3860  svchost.com
1628  888E49~1.EXE
2732  svchost.com
4972  888E49~1.EXE
5024  svchost.com
2644  888E49~1.EXE
2912  svchost.com
552  888E49~1.EXE
1384  svchost.com
4724  888E49~1.EXE
220  svchost.com
1496  888E49~1.EXE
2400  svchost.com
1568  888E49~1.EXE
1992  svchost.com
4776  888E49~1.EXE
2116  svchost.com
740  888E49~1.EXE
4536  svchost.com
4956  888E49~1.EXE
2156  svchost.com
208  888E49~1.EXE
4452  svchost.com
2072  888E49~1.EXE
3444  svchost.com
2152  888E49~1.EXE
4556  svchost.com
3640  888E49~1.EXE
512  svchost.com
2168  888E49~1.EXE
1260  svchost.com
4976  888E49~1.EXE
528  svchost.com
3844  888E49~1.EXE
4880  svchost.com
2644  888E49~1.EXE
2100  svchost.com
396  888E49~1.EXE
2680  svchost.com
4916  888E49~1.EXE
1620  svchost.com
3832  888E49~1.EXE
2068  svchost.com
4428  888E49~1.EXE
2400  svchost.com
2604  888E49~1.EXE
3432  svchost.com
1992  888E49~1.EXE
4832  svchost.com
3972  888E49~1.EXE
2952  svchost.com
1988  888E49~1.EXE
912  svchost.com
2984  888E49~1.EXE
3576  svchost.com
1600  888E49~1.EXE
1036  svchost.com
1056  888E49~1.EXE
2136  svchost.com
Modifies system executable filetype association (2 TTPs, 2 IoCs)
Columns: description, ioc, Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"  888E49~1.EXE
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Drops file in Program Files directory (64 IoCs)
Columns: description, ioc, Process
File opened for modification  C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~2\WINDOW~2\wabmig.exe  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~2\INTERN~1\ExtExport.exe  888E49~1.EXE
File opened for modification  C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~2\WINDOW~4\setup_wm.exe  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~2\WINDOW~4\wmlaunch.exe  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~2\WINDOW~4\wmlaunch.exe  888E49~1.EXE
File opened for modification  C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~2\INTERN~1\ExtExport.exe  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~2\INTERN~1\ielowutil.exe  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~2\WINDOW~4\wmpconfig.exe  888E49~1.EXE
File opened for modification  C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~2\WINDOW~4\wmprph.exe  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe  888E49~1.EXE
File opened for modification  C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~2\INTERN~1\ieinstal.exe  888E49~1.EXE
File opened for modification  C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaw.exe  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~2\INTERN~1\ieinstal.exe  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~2\WINDOW~4\setup_wm.exe  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~2\INTERN~1\iexplore.exe  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~2\WINDOW~4\wmpconfig.exe  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~2\INTERN~1\ielowutil.exe  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~2\WINDOW~4\wmplayer.exe  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
Drops file in Windows directory (64 IoCs)
Columns: description, ioc, Process
File opened for modification  C:\Windows\directx.sys  888E49~1.EXE
File opened for modification  C:\Windows\svchost.com  svchost.com
File opened for modification  C:\Windows\directx.sys  svchost.com
File opened for modification  C:\Windows\directx.sys  svchost.com
File opened for modification  C:\Windows\svchost.com  svchost.com
File opened for modification  C:\Windows\directx.sys  svchost.com
File opened for modification  C:\Windows\svchost.com  888E49~1.EXE
File opened for modification  C:\Windows\svchost.com  svchost.com
File opened for modification  C:\Windows\svchost.com  888E49~1.EXE
File opened for modification  C:\Windows\svchost.com  888E49~1.EXE
File opened for modification  C:\Windows\directx.sys  888E49~1.EXE
File opened for modification  C:\Windows\directx.sys  888E49~1.EXE
File opened for modification  C:\Windows\svchost.com  svchost.com
File opened for modification  C:\Windows\svchost.com  svchost.com
File opened for modification  C:\Windows\svchost.com  svchost.com
File opened for modification  C:\Windows\directx.sys  svchost.com
File opened for modification  C:\Windows\svchost.com  svchost.com
File opened for modification  C:\Windows\directx.sys  svchost.com
File opened for modification  C:\Windows\svchost.com  svchost.com
File opened for modification  C:\Windows\directx.sys  svchost.com
File opened for modification  C:\Windows\directx.sys  888E49~1.EXE
File opened for modification  C:\Windows\directx.sys  svchost.com
File opened for modification  C:\Windows\directx.sys  888E49~1.EXE
File opened for modification  C:\Windows\directx.sys  svchost.com
File opened for modification  C:\Windows\svchost.com  svchost.com
File opened for modification  C:\Windows\directx.sys  888E49~1.EXE
File opened for modification  C:\Windows\svchost.com  888E49~1.EXE
File opened for modification  C:\Windows\directx.sys  888E49~1.EXE
File opened for modification  C:\Windows\directx.sys  svchost.com
File opened for modification  C:\Windows\directx.sys  svchost.com
File opened for modification  C:\Windows\svchost.com  888E49~1.EXE
File opened for modification  C:\Windows\directx.sys  svchost.com
File opened for modification  C:\Windows\directx.sys  svchost.com
File opened for modification  C:\Windows\svchost.com  svchost.com
File opened for modification  C:\Windows\svchost.com  svchost.com
File opened for modification  C:\Windows\directx.sys  888E49~1.EXE
File opened for modification  C:\Windows\svchost.com  888E49~1.EXE
File opened for modification  C:\Windows\svchost.com  svchost.com
File opened for modification  C:\Windows\directx.sys  888E49~1.EXE
File opened for modification  C:\Windows\svchost.com  888E49~1.EXE
File opened for modification  C:\Windows\svchost.com  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
File opened for modification  C:\Windows\directx.sys  888E49~1.EXE
File opened for modification  C:\Windows\directx.sys  888E49~1.EXE
File opened for modification  C:\Windows\directx.sys  svchost.com
File opened for modification  C:\Windows\directx.sys  888E49~1.EXE
File opened for modification  C:\Windows\svchost.com  svchost.com
File opened for modification  C:\Windows\svchost.com  888E49~1.EXE
File opened for modification  C:\Windows\svchost.com  svchost.com
File opened for modification  C:\Windows\directx.sys  888E49~1.EXE
File opened for modification  C:\Windows\svchost.com  888E49~1.EXE
File opened for modification  C:\Windows\svchost.com  svchost.com
File opened for modification  C:\Windows\directx.sys  888E49~1.EXE
File opened for modification  C:\Windows\directx.sys  888E49~1.EXE
File opened for modification  C:\Windows\directx.sys  888E49~1.EXE
File opened for modification  C:\Windows\svchost.com  888E49~1.EXE
File opened for modification  C:\Windows\svchost.com  svchost.com
File opened for modification  C:\Windows\svchost.com  888E49~1.EXE
File opened for modification  C:\Windows\svchost.com  888E49~1.EXE
File opened for modification  C:\Windows\svchost.com  888E49~1.EXE
File opened for modification  C:\Windows\directx.sys  svchost.com
File opened for modification  C:\Windows\directx.sys  888E49~1.EXE
File opened for modification  C:\Windows\directx.sys  svchost.com
File opened for modification  C:\Windows\svchost.com  svchost.com
File opened for modification  C:\Windows\directx.sys  svchost.com
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
(64 events in total; identical rows are collapsed, with their counts in parentheses)
description    ioc                                                            Process
Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    888E49~1.EXE   (31 events)
Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    svchost.com    (33 events)
-
Modifies registry class 64 IoCs
(64 events in total; identical rows are collapsed, with their counts in parentheses, in the order they appear)
description        ioc                                                                                                  Process
Key created        \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings                 888E49~1.EXE   (26 events)
Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"  888E49~1.EXE
Key created        \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings                 888E49~1.EXE   (37 events)
-
Suspicious use of WriteProcessMemory 64 IoCs
(64 rows in total; each parent/child pair appears three times in the original table, one row per write, and is listed once here with its row count)
description                          pid   Process                                                                  procid_target
PID 1184 wrote to memory of 3224     1184  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe   82    (3 rows)
PID 3224 wrote to memory of 3444     3224  888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe   83    (3 rows)
PID 3444 wrote to memory of 3600     3444  svchost.com                                                              84    (3 rows)
PID 3600 wrote to memory of 1968     3600  888E49~1.EXE                                                             85    (3 rows)
PID 1968 wrote to memory of 3764     1968  svchost.com                                                              86    (3 rows)
PID 3764 wrote to memory of 3860     3764  888E49~1.EXE                                                             87    (3 rows)
PID 3860 wrote to memory of 1628     3860  svchost.com                                                              88    (3 rows)
PID 1628 wrote to memory of 2732     1628  888E49~1.EXE                                                             89    (3 rows)
PID 2732 wrote to memory of 4972     2732  svchost.com                                                              90    (3 rows)
PID 4972 wrote to memory of 5024     4972  888E49~1.EXE                                                             160   (3 rows)
PID 5024 wrote to memory of 2644     5024  svchost.com                                                              122   (3 rows)
PID 2644 wrote to memory of 2912     2644  888E49~1.EXE                                                             162   (3 rows)
PID 2912 wrote to memory of 552      2912  svchost.com                                                              94    (3 rows)
PID 552 wrote to memory of 1384      552   888E49~1.EXE                                                             95    (3 rows)
PID 1384 wrote to memory of 4724     1384  svchost.com                                                              96    (3 rows)
PID 4724 wrote to memory of 220      4724  888E49~1.EXE                                                             97    (3 rows)
PID 220 wrote to memory of 1496      220   svchost.com                                                              98    (3 rows)
PID 1496 wrote to memory of 2400     1496  888E49~1.EXE                                                             131   (3 rows)
PID 2400 wrote to memory of 1568     2400  svchost.com                                                              100   (3 rows)
PID 1568 wrote to memory of 1992     1568  888E49~1.EXE                                                             134   (3 rows)
PID 1992 wrote to memory of 4776     1992  svchost.com                                                              102   (3 rows)
PID 4776 wrote to memory of 2116     4776  888E49~1.EXE                                                             103   (1 row)
Note: procid_target is the sandbox's internal process index, not a Windows PID, which is why it does not track the target PID (160 for the write into PID 5024, for example). Several PIDs in this table (3444, 2644, 5024, 2912, 2400, 1992) are reused by later processes further down the process tree, so a PID alone does not identify one process in this report.
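The two tables above explain the shape of the process tree that follows: the one "Set value" row rewrites the exefile open command so that C:\Windows\svchost.com is started in front of every .exe the shell launches, and the WriteProcessMemory rows then show the hijacked handler and the dropped 888E49~1.EXE starting each other in turn. The Python below is an example added to this report; it is not sandbox output and not code from the sample. It parses event rows in the report's own rendering (the rows are constructed here from the tables above), extracts the program interposed in front of .exe launches, collapses the triplicated write rows into a parent-to-child chain and checks that the chain alternates between the interposer and the infected program. The function names and the alternation heuristic are this example's own, and the chain reconstruction is only meant for the first rows, before any PID is reused.

```python
"""Rebuild, from the tables above, the .exe file-association hijack and the
svchost.com / 888E49~1.EXE relaunch chain it produces. Added example: event
rows are constructed from this report, function names are this example's own."""
import re

# Stock (Default) value of HKLM\SOFTWARE\Classes\exefile\shell\open\command.
DEFAULT_EXEFILE_COMMAND = '"%1" %*'

# Constructed from the "Modifies registry class" table: (description, ioc, process).
# The report escapes backslashes and quotes inside the written string.
REGISTRY_EVENTS = [
    ("Key created",
     r"\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings",
     "888E49~1.EXE"),
    ("Set value (str)",
     r'\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"',
     "888E49~1.EXE"),
]

# Constructed from the first "Suspicious use of WriteProcessMemory" rows:
# (source pid, target pid, source image). The report repeats each pair three
# times, one row per write; the first pair is kept in triplicate to show that.
SAMPLE = "888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe"
MEMORY_WRITES = [
    (1184, 3224, SAMPLE), (1184, 3224, SAMPLE), (1184, 3224, SAMPLE),
    (3224, 3444, SAMPLE),
    (3444, 3600, "svchost.com"),
    (3600, 1968, "888E49~1.EXE"),
    (1968, 3764, "svchost.com"),
    (3764, 3860, "888E49~1.EXE"),
]

# <key>\<value name> = "<escaped string>"; the value name is empty for (Default).
_SET_VALUE_RE = re.compile(r'^(?P<key>.*?)\\(?P<name>[^\\]*) = "(?P<value>.*)"$')


def parse_set_value(ioc):
    """Split a 'Set value (str)' ioc into (key, value name, unescaped value)."""
    m = _SET_VALUE_RE.match(ioc)
    if not m:
        return None
    value = re.sub(r"\\(.)", r"\1", m.group("value"))  # undo \\ and \" escaping
    return m.group("key"), m.group("name"), value


def find_exefile_hijack(events):
    """[(process, interposed program)] for each write that replaces the exefile
    open command: that program now runs first whenever any .exe is launched."""
    hits = []
    for description, ioc, process in events:
        parsed = parse_set_value(ioc) if description.startswith("Set value") else None
        if parsed is None:
            continue
        key, name, command = parsed
        if name or not key.lower().endswith(r"\classes\exefile\shell\open\command"):
            continue
        if command == DEFAULT_EXEFILE_COMMAND:
            continue
        if command.endswith(DEFAULT_EXEFILE_COMMAND):
            interposer = command[:-len(DEFAULT_EXEFILE_COMMAND)].strip()
        else:
            interposer = command  # handler that does not pass the original on at all
        hits.append((process, interposer))
    return hits


def reconstruct_chain(writes):
    """Collapse duplicate rows and order parent->child writes into one chain from
    the root (the source PID that is never a target). Valid only while no PID has
    been reused, which holds for these rows but not for the whole tree."""
    edges = {}
    for src, dst, image in writes:
        edges.setdefault(src, (dst, image))
    targets = {dst for dst, _ in edges.values()}
    roots = [src for src in edges if src not in targets]
    if len(roots) != 1:
        raise ValueError(f"expected one root process, found {roots}")
    chain, pid = [], roots[0]
    while pid in edges:
        dst, image = edges[pid]
        chain.append((pid, dst, image))
        pid = dst
    return chain


def relaunch_loop(chain, interposer="svchost.com"):
    """True when, from its first appearance, the interposer and the infected
    program strictly alternate as writers: the handler starts the program, the
    program goes through the handler again, and so on down the tree."""
    images = [image for _, _, image in chain]
    if interposer not in images:
        return False
    tail = images[images.index(interposer):]
    return all((img == interposer) == (i % 2 == 0) for i, img in enumerate(tail))


if __name__ == "__main__":
    for process, program in find_exefile_hijack(REGISTRY_EVENTS):
        print(f"{process} put {program} in front of every .exe launch")
    chain = reconstruct_chain(MEMORY_WRITES)
    print(" -> ".join(f"{src} ({image})" for src, _, image in chain), "->", chain[-1][1])
    print("relaunch loop:", relaunch_loop(chain))
```

The parser deliberately compares the unescaped command against the stock `"%1" %*` rather than looking for the string svchost.com, so that a handler written somewhere else, or one that drops the `"%1" %*` tail entirely, is still reported. Remediation on a real host is the inverse of the hijack: restore the (Default) value to `"%1" %*` before deleting C:\Windows\svchost.com, otherwise no .exe can be launched through the shell at all.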
Processes
-
Image paths and command lines (abbreviated in the table that follows):
  sample.exe     image  C:\Users\Admin\AppData\Local\Temp\888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
                 cmd    "C:\Users\Admin\AppData\Local\Temp\888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe"
  dropped copy   image  C:\Users\Admin\AppData\Local\Temp\3582-490\888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe
                 cmd    "C:\Users\Admin\AppData\Local\Temp\3582-490\888e49a1cc87128b2d58cd7b46ee343cfe603d6bede334fa12d466fbef866364N.exe"
  svchost.com    image  C:\Windows\svchost.com
                 cmd    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"
  888E49~1.EXE   image  C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
                 cmd    C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE
Each process at level N is the child of the process at level N-1.

level  PID   image          signatures
1      1184  sample.exe     Modifies system executable filetype association; Drops file in Program Files directory; Suspicious use of WriteProcessMemory
2      3224  dropped copy   Executes dropped EXE; Drops file in Program Files directory; Drops file in Windows directory; Suspicious use of WriteProcessMemory
3      3444  svchost.com    Executes dropped EXE; Suspicious use of WriteProcessMemory
4      3600  888E49~1.EXE   Executes dropped EXE; Suspicious use of WriteProcessMemory
5      1968  svchost.com    Executes dropped EXE; Drops file in Windows directory; Suspicious use of WriteProcessMemory
6      3764  888E49~1.EXE   Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
7      3860  svchost.com    Executes dropped EXE; Suspicious use of WriteProcessMemory
8      1628  888E49~1.EXE   Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
9      2732  svchost.com    Executes dropped EXE; Suspicious use of WriteProcessMemory
10     4972  888E49~1.EXE   Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
11     5024  svchost.com    Executes dropped EXE; Suspicious use of WriteProcessMemory
12     2644  888E49~1.EXE   Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
13     2912  svchost.com    Executes dropped EXE; Suspicious use of WriteProcessMemory
14     552   888E49~1.EXE   Checks computer location settings; Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
15     1384  svchost.com    Executes dropped EXE; Suspicious use of WriteProcessMemory
16     4724  888E49~1.EXE   Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
17     220   svchost.com    Executes dropped EXE; Drops file in Windows directory; Suspicious use of WriteProcessMemory
18     1496  888E49~1.EXE   Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
19     2400  svchost.com    Executes dropped EXE; Suspicious use of WriteProcessMemory
20     1568  888E49~1.EXE   Executes dropped EXE; Suspicious use of WriteProcessMemory
21     1992  svchost.com    Executes dropped EXE; Suspicious use of WriteProcessMemory
22     4776  888E49~1.EXE   Executes dropped EXE; Drops file in Windows directory; Modifies registry class; Suspicious use of WriteProcessMemory
23     2116  svchost.com    Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
24     740   888E49~1.EXE   Checks computer location settings; Executes dropped EXE
25     4536  svchost.com    Executes dropped EXE
26     4956  888E49~1.EXE   Executes dropped EXE
27     2156  svchost.com    Executes dropped EXE
28     208   888E49~1.EXE   Executes dropped EXE; Drops file in Windows directory
29     4452  svchost.com    Executes dropped EXE; System Location Discovery: System Language Discovery
30     2072  888E49~1.EXE   Executes dropped EXE
31     3444  svchost.com    Executes dropped EXE
32     2152  888E49~1.EXE   Executes dropped EXE; Modifies registry class
33     4556  svchost.com    Executes dropped EXE
34     3640  888E49~1.EXE   Executes dropped EXE
35     512   svchost.com    Executes dropped EXE; System Location Discovery: System Language Discovery
36     2168  888E49~1.EXE   Executes dropped EXE
37     1260  svchost.com    Executes dropped EXE
38     4976  888E49~1.EXE   Executes dropped EXE; Drops file in Windows directory; Modifies registry class
39     528   svchost.com    Executes dropped EXE
40     3844  888E49~1.EXE   Executes dropped EXE
41     4880  svchost.com    Executes dropped EXE; System Location Discovery: System Language Discovery
42     2644  888E49~1.EXE   Executes dropped EXE; System Location Discovery: System Language Discovery
43     2100  svchost.com    Executes dropped EXE
44     396   888E49~1.EXE   Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class
45     2680  svchost.com    Executes dropped EXE; System Location Discovery: System Language Discovery
46     4916  888E49~1.EXE   Checks computer location settings; Executes dropped EXE
47     1620  svchost.com    Executes dropped EXE
48     3832  888E49~1.EXE   Executes dropped EXE
49     2068  svchost.com    Executes dropped EXE
50     4428  888E49~1.EXE   Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class
51     2400  svchost.com    Executes dropped EXE
52     2604  888E49~1.EXE   Executes dropped EXE; Drops file in Windows directory
53     3432  svchost.com    Executes dropped EXE
54     1992  888E49~1.EXE   Checks computer location settings; Executes dropped EXE; Modifies registry class
55     4832  svchost.com    Executes dropped EXE
56     3972  888E49~1.EXE   Executes dropped EXE; Drops file in Windows directory; Modifies registry class
57     2952  svchost.com    Executes dropped EXE
58     1988  888E49~1.EXE   Executes dropped EXE
59     912   svchost.com    Executes dropped EXE
60     2984  888E49~1.EXE   Executes dropped EXE
61     3576  svchost.com    Executes dropped EXE
62     1600  888E49~1.EXE   Executes dropped EXE; Drops file in Windows directory
63     1036  svchost.com    Executes dropped EXE; Drops file in Windows directory
64     1056  888E49~1.EXE   Checks computer location settings; Executes dropped EXE; Modifies registry class
65     2136  svchost.com    Executes dropped EXE; System Location Discovery: System Language Discovery
66     3304  888E49~1.EXE   System Location Discovery: System Language Discovery
67     2956  svchost.com    Drops file in Windows directory; System Location Discovery: System Language Discovery
68     3700  888E49~1.EXE   (none)
69     3812  svchost.com    (none)
70     2256  888E49~1.EXE   (none)
71     3376  svchost.com    (none)
72     4272  888E49~1.EXE   Checks computer location settings; Modifies registry class
73     1672  svchost.com    (none)
74     3572  888E49~1.EXE   System Location Discovery: System Language Discovery
75     4192  svchost.com    (none)
76     3400  888E49~1.EXE   System Location Discovery: System Language Discovery
77     1260  svchost.com    (none)
78     2540  888E49~1.EXE   Drops file in Windows directory; Modifies registry class
79     2816  svchost.com    (none)
80     5024  888E49~1.EXE   (none)
81     2084  svchost.com    (none)
82     2912  888E49~1.EXE   Checks computer location settings
83     2100  svchost.com    (none)
84     1032  888E49~1.EXE   Checks computer location settings
85     4748  svchost.com    (none)
86     1240  888E49~1.EXE   Drops file in Windows directory; System Location Discovery: System Language Discovery
87     1620  svchost.com    System Location Discovery: System Language Discovery
88     2120  888E49~1.EXE   (none)
89     3976  svchost.com    (none)
90     2260  888E49~1.EXE   Checks computer location settings
91     4704  svchost.com    (none)
92     1380  888E49~1.EXE   Checks computer location settings
93     2204  svchost.com    Drops file in Windows directory
94     2820  888E49~1.EXE   (none)
95     3916  svchost.com    Drops file in Windows directory
96     3972  888E49~1.EXE   Checks computer location settings; Modifies registry class
97     4416  svchost.com    (none)
98     2024  888E49~1.EXE   (none)
99     2564  svchost.com    (none)
100    2408  888E49~1.EXE   (none)
101    452   svchost.com    (none)
102    1904  888E49~1.EXE   (none)
103    2780  svchost.com    (none)
104    1248  888E49~1.EXE   (none)
105    4756  svchost.com    Drops file in Windows directory
106    3936  888E49~1.EXE   System Location Discovery: System Language Discovery
107    2368  svchost.com    System Location Discovery: System Language Discovery
108    208   888E49~1.EXE   (none)
109    3880  svchost.com    (none)
110    2956  888E49~1.EXE   Drops file in Windows directory
111    3316  svchost.com    (none)
112    540   888E49~1.EXE   Drops file in Windows directory
113    216   svchost.com    (none)
114    4500  888E49~1.EXE   Modifies registry class
115    3376  svchost.com    System Location Discovery: System Language Discovery
116    2608  888E49~1.EXE   Modifies registry class
117    ?     svchost.com    (the report is cut off at this entry; no PID or signatures are shown)
- Drops file in Windows directory
PID:4712 -
C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE118⤵
- Checks computer location settings
PID:3980 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"119⤵PID:3532
-
C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE120⤵
- Modifies registry class
PID:1844 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"121⤵PID:2168
-
C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE122⤵
- Checks computer location settings
PID:2460
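The process tree above alternates between C:\Windows\svchost.com and a copy of the sample in the Temp\3582-490 staging directory, each level spawning the next. The following is an added example, not part of this sandbox report and not the sandbox's own tooling: a small parser for the raw export format shown above (image path fused to the command line, tree depth glued before the ⤵ marker, behaviour bullets and PID on following lines) that rebuilds parent/child links and flags every svchost.com-in-Windows parent whose child runs from a 3582-490 directory. The four sample records are copied from this report's tree; the names parse_tree, split_image and neshta_relaunches are this example's, and treating that parent/child pairing as the relaunch indicator is this example's assumption drawn from what the tree shows.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample input: four consecutive records copied from the raw
# process-tree export above. The export fuses the image path with the command
# line and glues the tree depth onto the end, e.g. ...EXE"89⤵PID:3976.
SAMPLE = r'''
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"89⤵PID:3976
-
C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE90⤵
- Checks computer location settings
PID:2260 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE"91⤵PID:4704
-
C:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\888E49~1.EXE92⤵
- Checks computer location settings
PID:1380 -
'''


@dataclass
class Proc:
    depth: int
    image: str
    cmdline: str
    pid: Optional[int] = None
    behaviors: List[str] = field(default_factory=list)
    parent: Optional["Proc"] = None


# Record head: <image><cmdline><depth>⤵ optionally followed by PID:<n> on the same line.
HEAD_RE = re.compile(r"^(?P<body>.+?)(?P<depth>\d+)⤵(?:PID:(?P<pid>\d+))?\s*-?\s*$")
PID_RE = re.compile(r"^PID:(?P<pid>\d+)\s*-?\s*$")
DRIVE_RE = re.compile(r"[A-Za-z]:\\")


def split_image(body: str) -> Tuple[str, str]:
    """Separate the fused image path from the command line.

    A quoted command line starts at the first '"'; an unquoted one starts at
    the second drive-letter prefix (the first one is the image path itself).
    """
    q = body.find('"')
    if q > 0:
        return body[:q], body[q:]
    hits = list(DRIVE_RE.finditer(body))
    if len(hits) >= 2:
        pos = hits[1].start()
        return body[:pos], body[pos:]
    return body, body  # no recognisable split; treat the whole thing as the image


def parse_tree(text: str) -> List[Proc]:
    """Parse raw export lines into Proc records with parent links.

    Caveat: the depth is recovered from the trailing digits before ⤵, so an
    image name that itself ends in digits would be mis-split; every record in
    this report ends in .EXE or .com, so the ambiguity does not arise here.
    """
    procs: List[Proc] = []
    cur: Optional[Proc] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        m = HEAD_RE.match(line)
        if m:
            image, cmd = split_image(m.group("body"))
            pid = int(m.group("pid")) if m.group("pid") else None
            cur = Proc(int(m.group("depth")), image, cmd, pid)
            # The parent is the nearest earlier record exactly one level shallower.
            for p in reversed(procs):
                if p.depth == cur.depth - 1:
                    cur.parent = p
                    break
            procs.append(cur)
            continue
        m = PID_RE.match(line)
        if m and cur is not None:
            cur.pid = int(m.group("pid"))
        elif line.startswith("- ") and cur is not None:
            cur.behaviors.append(line[2:].strip())
    return procs


def neshta_relaunches(procs: List[Proc]) -> List[Tuple[Optional[int], Optional[int], int]]:
    """Return (parent_pid, child_pid, child_depth) for each case where
    C:\\Windows\\svchost.com spawns a child running from a 3582-490 directory.
    That pairing is what this report's tree exhibits; using it as the relaunch
    indicator is this example's assumption, not a rule from the report.
    """
    hits = []
    for p in procs:
        par = p.parent
        if par is None:
            continue
        if par.image.lower().endswith("\\windows\\svchost.com") and "\\3582-490\\" in p.image.lower():
            hits.append((par.pid, p.pid, p.depth))
    return hits


if __name__ == "__main__":
    tree = parse_tree(SAMPLE)
    for proc in tree:
        print(f"depth={proc.depth} pid={proc.pid} image={proc.image} behaviors={proc.behaviors}")
    print("svchost.com -> 3582-490 relaunches:", neshta_relaunches(tree))
```

Feeding the full tree above through parse_tree gives one record per depth from 89 to 122, and neshta_relaunches returns a hit for every even depth, which is the alternating relaunch pattern the report shows.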