Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 31/12/2024, 23:50
Behavioral task: behavioral1
- Sample: 765aaec5d55ec5d3654d2ad7c6acc12f33348c2ff894978efc050a8b919c09fd.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 765aaec5d55ec5d3654d2ad7c6acc12f33348c2ff894978efc050a8b919c09fd.exe
- Resource: win10v2004-20241007-en
General
- Target: 765aaec5d55ec5d3654d2ad7c6acc12f33348c2ff894978efc050a8b919c09fd.exe
- Size: 1.1MB
- MD5: 62aaba7a7058dbae72b4952ac3f34cff
- SHA1: 3896accd842339d5c07b96b1a37d1ae67ac93985
- SHA256: 765aaec5d55ec5d3654d2ad7c6acc12f33348c2ff894978efc050a8b919c09fd
- SHA512: 4959e54840698622459af79420d9edc7d5c81ff327a0ae51426272a2ab2522344bb40c89929fa3c33a3c8c61d017b27ccf0bcda682e6852be03cedcd3bed5711
- SSDEEP: 12288:vD6KFvbwBwnO6X4RALpe/ZZHfGKlOc8rS5PA6nBR0umt8v7TBBR3OkEYM:vD62b6M5X4Se/ZZHuKh8rStA6B3La
Malware Config
Signatures
- Detect Neshta payload (64 IoCs)
  resource | yara_rule
  behavioral1/files/0x0008000000014b47-2.dat | family_neshta
  behavioral1/files/0x0001000000010314-20.dat | family_neshta
  behavioral1/files/0x0001000000010312-19.dat | family_neshta
  behavioral1/files/0x0009000000010663-18.dat | family_neshta
  behavioral1/files/0x0029000000010667-17.dat | family_neshta
  behavioral1/files/0x0008000000014bb1-16.dat | family_neshta
  behavioral1/memory/2612-31-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/2092-30-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/2648-44-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/2504-43-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/2456-59-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/2628-58-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/1612-72-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/600-71-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/1976-114-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/2744-115-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/2924-100-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/2976-99-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/1296-86-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/2800-85-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/files/0x000100000000f7e5-134.dat | family_neshta
  behavioral1/files/0x000100000000f7c9-133.dat | family_neshta
  behavioral1/files/0x000100000000f775-132.dat | family_neshta
  behavioral1/files/0x000100000000f7d7-126.dat | family_neshta
  behavioral1/memory/2196-140-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/2332-139-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/2076-163-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/2420-161-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/844-176-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/1136-175-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/2172-195-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/2164-194-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/1204-209-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/1184-210-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/2432-222-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/2248-223-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/1832-245-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/1564-246-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/1300-268-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/1652-265-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/1452-279-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/2600-280-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/2576-291-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/2624-292-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/1916-303-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/2832-304-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/2516-315-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/2028-314-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/996-322-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/3012-323-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/2928-330-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/884-331-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/1628-338-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/2908-339-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/1548-346-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/2216-347-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/2428-354-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/708-355-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/2124-362-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/2744-363-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/2072-370-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/2156-371-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/2196-379-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
  behavioral1/memory/2644-378-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
- Neshta
  Malware from the Neshta family infects other files with copies of itself in order to spread and cause damage.
- Neshta family
- Executes dropped EXE (64 IoCs)
  pid | Process
  2552 | 765aaec5d55ec5d3654d2ad7c6acc12f33348c2ff894978efc050a8b919c09fd.exe
  2612 | svchost.com
  2092 | 765AAE~1.EXE
  2648 | svchost.com
  2504 | 765AAE~1.EXE
  2456 | svchost.com
  2628 | 765AAE~1.EXE
  1612 | svchost.com
  600 | 765AAE~1.EXE
  1296 | svchost.com
  2800 | 765AAE~1.EXE
  2924 | svchost.com
  2976 | 765AAE~1.EXE
  2744 | svchost.com
  1976 | 765AAE~1.EXE
  2196 | svchost.com
  2332 | 765AAE~1.EXE
  2076 | svchost.com
  2420 | 765AAE~1.EXE
  844 | svchost.com
  1136 | 765AAE~1.EXE
  2172 | svchost.com
  2164 | 765AAE~1.EXE
  1184 | svchost.com
  1204 | 765AAE~1.EXE
  2248 | svchost.com
  2432 | 765AAE~1.EXE
  1564 | svchost.com
  1832 | 765AAE~1.EXE
  1300 | svchost.com
  1652 | 765AAE~1.EXE
  2600 | svchost.com
  1452 | 765AAE~1.EXE
  2576 | svchost.com
  2624 | 765AAE~1.EXE
  2832 | svchost.com
  1916 | 765AAE~1.EXE
  2516 | svchost.com
  2028 | 765AAE~1.EXE
  3012 | svchost.com
  996 | 765AAE~1.EXE
  884 | svchost.com
  2928 | 765AAE~1.EXE
  2908 | svchost.com
  1628 | 765AAE~1.EXE
  2216 | svchost.com
  1548 | 765AAE~1.EXE
  708 | svchost.com
  2428 | 765AAE~1.EXE
  2744 | svchost.com
  2124 | 765AAE~1.EXE
  2156 | svchost.com
  2072 | 765AAE~1.EXE
  2196 | svchost.com
  2644 | 765AAE~1.EXE
  2856 | svchost.com
  1608 | 765AAE~1.EXE
  2292 | svchost.com
  2120 | 765AAE~1.EXE
  1248 | svchost.com
  2884 | 765AAE~1.EXE
  596 | svchost.com
  2084 | 765AAE~1.EXE
  2308 | svchost.com
- Loads dropped DLL (64 IoCs)
  pid | Process
  2316 | 765aaec5d55ec5d3654d2ad7c6acc12f33348c2ff894978efc050a8b919c09fd.exe
  2316 | 765aaec5d55ec5d3654d2ad7c6acc12f33348c2ff894978efc050a8b919c09fd.exe
  2612 | svchost.com
  2612 | svchost.com
  2648 | svchost.com
  2648 | svchost.com
  2456 | svchost.com
  2456 | svchost.com
  1612 | svchost.com
  1612 | svchost.com
  1296 | svchost.com
  1296 | svchost.com
  2924 | svchost.com
  2924 | svchost.com
  2744 | svchost.com
  2744 | svchost.com
  2196 | svchost.com
  2196 | svchost.com
  2552 | 765aaec5d55ec5d3654d2ad7c6acc12f33348c2ff894978efc050a8b919c09fd.exe
  2316 | 765aaec5d55ec5d3654d2ad7c6acc12f33348c2ff894978efc050a8b919c09fd.exe
  2316 | 765aaec5d55ec5d3654d2ad7c6acc12f33348c2ff894978efc050a8b919c09fd.exe
  2076 | svchost.com
  2076 | svchost.com
  844 | svchost.com
  844 | svchost.com
  2552 | 765aaec5d55ec5d3654d2ad7c6acc12f33348c2ff894978efc050a8b919c09fd.exe
  2172 | svchost.com
  2172 | svchost.com
  1184 | svchost.com
  1184 | svchost.com
  2552 | 765aaec5d55ec5d3654d2ad7c6acc12f33348c2ff894978efc050a8b919c09fd.exe
  2248 | svchost.com
  2248 | svchost.com
  1564 | svchost.com
  1564 | svchost.com
  1300 | svchost.com
  1300 | svchost.com
  2600 | svchost.com
  2600 | svchost.com
  2576 | svchost.com
  2576 | svchost.com
  2832 | svchost.com
  2832 | svchost.com
  2516 | svchost.com
  2516 | svchost.com
  3012 | svchost.com
  3012 | svchost.com
  884 | svchost.com
  884 | svchost.com
  2908 | svchost.com
  2908 | svchost.com
  2216 | svchost.com
  2216 | svchost.com
  708 | svchost.com
  708 | svchost.com
  2744 | svchost.com
  2744 | svchost.com
  2156 | svchost.com
  2156 | svchost.com
  2196 | svchost.com
  2196 | svchost.com
  2856 | svchost.com
  2856 | svchost.com
  2292 | svchost.com
- Modifies system executable filetype association (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 765aaec5d55ec5d3654d2ad7c6acc12f33348c2ff894978efc050a8b919c09fd.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar sensitive material.
- Drops file in Program Files directory (64 IoCs)
  description | ioc | Process (every entry below was logged for 765aaec5d55ec5d3654d2ad7c6acc12f33348c2ff894978efc050a8b919c09fd.exe)
  File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
  File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\OIS.EXE
  File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE
  File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE
  File opened for modification | C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE
  File opened for modification | C:\PROGRA~2\WINDOW~4\ImagingDevices.exe
  File opened for modification | C:\PROGRA~2\WI4223~1\sidebar.exe
  File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE
  File opened for modification | C:\PROGRA~2\WI54FB~1\wmlaunch.exe
  File opened for modification | C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE
  File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\misc.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE
  File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
  File opened for modification | C:\PROGRA~2\WINDOW~1\WinMail.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE
  File opened for modification | C:\PROGRA~2\Google\Update\DISABL~1.EXE
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE
  File opened for modification | C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE
  File opened for modification | C:\PROGRA~2\WINDOW~1\WinMail.exe
  File opened for modification | C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE
  File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\OIS.EXE
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE
  File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE
  File opened for modification | C:\PROGRA~2\WI54FB~1\wmplayer.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
  File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE
  File opened for modification | C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE
  File opened for modification | C:\PROGRA~2\WI54FB~1\wmlaunch.exe
  File opened for modification | C:\PROGRA~2\WINDOW~1\wab.exe
  File opened for modification | C:\PROGRA~2\WI54FB~1\wmprph.exe
  File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE
  File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE
  File opened for modification | C:\PROGRA~2\INTERN~1\ieinstal.exe
  File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe
  File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE
  File opened for modification | C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe
  File opened for modification | C:\PROGRA~2\WI54FB~1\wmprph.exe
- Drops file in Windows directory (64 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\directx.sys | svchost.com
  File opened for modification | C:\Windows\directx.sys | 765AAE~1.EXE
  File opened for modification | C:\Windows\directx.sys | svchost.com
  File opened for modification | C:\Windows\directx.sys | svchost.com
  File opened for modification | C:\Windows\svchost.com | 765AAE~1.EXE
  File opened for modification | C:\Windows\svchost.com | 765AAE~1.EXE
  File opened for modification | C:\Windows\directx.sys | 765AAE~1.EXE
  File opened for modification | C:\Windows\directx.sys | svchost.com
  File opened for modification | C:\Windows\directx.sys | svchost.com
  File opened for modification | C:\Windows\svchost.com | 765AAE~1.EXE
  File opened for modification | C:\Windows\svchost.com | svchost.com
  File opened for modification | C:\Windows\svchost.com | 765AAE~1.EXE
  File opened for modification | C:\Windows\directx.sys | 765AAE~1.EXE
  File opened for modification | C:\Windows\directx.sys | svchost.com
  File opened for modification | C:\Windows\directx.sys | svchost.com
  File opened for modification | C:\Windows\svchost.com | svchost.com
  File opened for modification | C:\Windows\directx.sys | 765AAE~1.EXE
  File opened for modification | C:\Windows\svchost.com | 765AAE~1.EXE
  File opened for modification | C:\Windows\svchost.com | 765AAE~1.EXE
  File opened for modification | C:\Windows\directx.sys | 765AAE~1.EXE
  File opened for modification | C:\Windows\svchost.com | 765AAE~1.EXE
  File opened for modification | C:\Windows\directx.sys | 765AAE~1.EXE
  File opened for modification | C:\Windows\svchost.com | svchost.com
  File opened for modification | C:\Windows\directx.sys | 765AAE~1.EXE
  File opened for modification | C:\Windows\svchost.com | 765AAE~1.EXE
  File opened for modification | C:\Windows\svchost.com | svchost.com
  File opened for modification | C:\Windows\svchost.com | svchost.com
  File opened for modification | C:\Windows\directx.sys | 765AAE~1.EXE
  File opened for modification | C:\Windows\svchost.com | 765AAE~1.EXE
  File opened for modification | C:\Windows\directx.sys | 765AAE~1.EXE
  File opened for modification | C:\Windows\svchost.com | svchost.com
  File opened for modification | C:\Windows\directx.sys | 765AAE~1.EXE
  File opened for modification | C:\Windows\directx.sys | svchost.com
  File opened for modification | C:\Windows\svchost.com | 765AAE~1.EXE
  File opened for modification | C:\Windows\directx.sys | svchost.com
  File opened for modification | C:\Windows\svchost.com | 765AAE~1.EXE
  File opened for modification | C:\Windows\directx.sys | svchost.com
  File opened for modification | C:\Windows\svchost.com | svchost.com
  File opened for modification | C:\Windows\svchost.com | svchost.com
  File opened for modification | C:\Windows\svchost.com | svchost.com
  File opened for modification | C:\Windows\svchost.com | svchost.com
  File opened for modification | C:\Windows\svchost.com | svchost.com
  File opened for modification | C:\Windows\directx.sys | svchost.com
  File opened for modification | C:\Windows\directx.sys | 765AAE~1.EXE
  File opened for modification | C:\Windows\directx.sys | svchost.com
  File opened for modification | C:\Windows\directx.sys | 765AAE~1.EXE
  File opened for modification | C:\Windows\svchost.com | svchost.com
  File opened for modification | C:\Windows\directx.sys | 765AAE~1.EXE
  File opened for modification | C:\Windows\directx.sys | 765AAE~1.EXE
  File opened for modification | C:\Windows\directx.sys | 765AAE~1.EXE
  File opened for modification | C:\Windows\directx.sys | svchost.com
  File opened for modification | C:\Windows\directx.sys | 765AAE~1.EXE
  File opened for modification | C:\Windows\directx.sys | svchost.com
  File opened for modification | C:\Windows\svchost.com | svchost.com
  File opened for modification | C:\Windows\directx.sys | 765AAE~1.EXE
  File opened for modification | C:\Windows\svchost.com | 765AAE~1.EXE
  File opened for modification | C:\Windows\directx.sys | 765AAE~1.EXE
  File opened for modification | C:\Windows\svchost.com | 765AAE~1.EXE
  File opened for modification | C:\Windows\directx.sys | svchost.com
  File opened for modification | C:\Windows\svchost.com | 765AAE~1.EXE
  File opened for modification | C:\Windows\svchost.com | 765AAE~1.EXE
  File opened for modification | C:\Windows\svchost.com | 765AAE~1.EXE
  File opened for modification | C:\Windows\svchost.com | 765AAE~1.EXE
  File opened for modification | C:\Windows\directx.sys | svchost.com
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
  Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
  description | ioc | Process (every entry below opened the key \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language)
  Key opened | 765AAE~1.EXE
  Key opened | 765AAE~1.EXE
  Key opened | svchost.com
  Key opened | svchost.com
  Key opened | 765AAE~1.EXE
  Key opened | 765AAE~1.EXE
  Key opened | 765AAE~1.EXE
  Key opened | 765AAE~1.EXE
  Key opened | 765AAE~1.EXE
  Key opened | 765AAE~1.EXE
  Key opened | svchost.com
  Key opened | 765AAE~1.EXE
  Key opened | 765AAE~1.EXE
  Key opened | 765AAE~1.EXE
  Key opened | 765AAE~1.EXE
  Key opened | svchost.com
  Key opened | svchost.com
  Key opened | 765AAE~1.EXE
  Key opened | 765AAE~1.EXE
  Key opened | 765AAE~1.EXE
  Key opened | 765AAE~1.EXE
  Key opened | 765AAE~1.EXE
  Key opened | 765AAE~1.EXE
  Key opened | svchost.com
  Key opened | 765AAE~1.EXE
  Key opened | 765AAE~1.EXE
  Key opened | svchost.com
  Key opened | 765AAE~1.EXE
  Key opened | svchost.com
  Key opened | svchost.com
  Key opened | 765AAE~1.EXE
  Key opened | svchost.com
  Key opened | 765AAE~1.EXE
  Key opened | 765AAE~1.EXE
  Key opened | 765AAE~1.EXE
  Key opened | 765AAE~1.EXE
  Key opened | 765AAE~1.EXE
  Key opened | svchost.com
  Key opened | svchost.com
  Key opened | svchost.com
  Key opened | 765AAE~1.EXE
  Key opened | 765AAE~1.EXE
  Key opened | svchost.com
  Key opened | 765AAE~1.EXE
  Key opened | 765AAE~1.EXE
  Key opened | svchost.com
  Key opened | svchost.com
  Key opened | svchost.com
  Key opened | svchost.com
  Key opened | 765AAE~1.EXE
  Key opened | 765AAE~1.EXE
  Key opened | svchost.com
  Key opened | 765AAE~1.EXE
  Key opened | svchost.com
  Key opened | 765AAE~1.EXE
  Key opened | svchost.com
  Key opened | svchost.com
  Key opened | svchost.com
  Key opened | 765AAE~1.EXE
  Key opened | svchost.com
  Key opened | svchost.com
  Key opened | svchost.com
  Key opened | 765AAE~1.EXE
  Key opened | 765AAE~1.EXE
- Modifies registry class (1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 765aaec5d55ec5d3654d2ad7c6acc12f33348c2ff894978efc050a8b919c09fd.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target (each row below was logged 4 times, giving the 64 entries)
  PID 2316 wrote to memory of 2552 | 2316 | 765aaec5d55ec5d3654d2ad7c6acc12f33348c2ff894978efc050a8b919c09fd.exe | 28
  PID 2552 wrote to memory of 2612 | 2552 | 765aaec5d55ec5d3654d2ad7c6acc12f33348c2ff894978efc050a8b919c09fd.exe | 29
  PID 2612 wrote to memory of 2092 | 2612 | svchost.com | 30
  PID 2092 wrote to memory of 2648 | 2092 | 765AAE~1.EXE | 31
  PID 2648 wrote to memory of 2504 | 2648 | svchost.com | 32
  PID 2504 wrote to memory of 2456 | 2504 | 765AAE~1.EXE | 33
  PID 2456 wrote to memory of 2628 | 2456 | svchost.com | 34
  PID 2628 wrote to memory of 1612 | 2628 | 765AAE~1.EXE | 35
  PID 1612 wrote to memory of 600 | 1612 | svchost.com | 36
  PID 600 wrote to memory of 1296 | 600 | 765AAE~1.EXE | 37
  PID 1296 wrote to memory of 2800 | 1296 | svchost.com | 124
  PID 2800 wrote to memory of 2924 | 2800 | 765AAE~1.EXE | 122
  PID 2924 wrote to memory of 2976 | 2924 | svchost.com | 40
  PID 2976 wrote to memory of 2744 | 2976 | 765AAE~1.EXE | 77
  PID 2744 wrote to memory of 1976 | 2744 | svchost.com | 42
  PID 1976 wrote to memory of 2196 | 1976 | 765AAE~1.EXE | 81
Processes (process tree: each entry is nested under the one above it; the bracketed number is its depth in the tree)

[1] C:\Users\Admin\AppData\Local\Temp\765aaec5d55ec5d3654d2ad7c6acc12f33348c2ff894978efc050a8b919c09fd.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\765aaec5d55ec5d3654d2ad7c6acc12f33348c2ff894978efc050a8b919c09fd.exe"
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 2316

[2] C:\Users\Admin\AppData\Local\Temp\3582-490\765aaec5d55ec5d3654d2ad7c6acc12f33348c2ff894978efc050a8b919c09fd.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\765aaec5d55ec5d3654d2ad7c6acc12f33348c2ff894978efc050a8b919c09fd.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID: 2552

[3] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2612

[4] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2092

[5] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2648

[6] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2504

[7] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2456

[8] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2628

[9] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 1612

[10] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 600

[11] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 1296

[12] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2800

[13] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2924

[14] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2976

[15] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2744

[16] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 1976

[17] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID: 2196

[18] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    - Executes dropped EXE
    PID: 2332

[19] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 2076

[20] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    - Executes dropped EXE
    PID: 2420

[21] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID: 844

[22] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    - Executes dropped EXE
    PID: 1136

[23] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 2172

[24] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID: 2164

[25] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID: 1184

[26] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    - Executes dropped EXE
    - Drops file in Windows directory
    PID: 1204

[27] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 2248

[28] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 2432

[29] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID: 1564

[30] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    - Executes dropped EXE
    PID: 1832

[31] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 1300

[32] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    - Executes dropped EXE
    PID: 1652

[33] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 2600

[34] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    - Executes dropped EXE
    PID: 1452

[35] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 2576

[36] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    - Executes dropped EXE
    PID: 2624

[37] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 2832

[38] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    - Executes dropped EXE
    PID: 1916

[39] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID: 2516

[40] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    - Executes dropped EXE
    PID: 2028

[41] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 3012

[42] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    - Executes dropped EXE
    PID: 996

[43] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 884

[44] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    - Executes dropped EXE
    PID: 2928

[45] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 2908

[46] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 1628

[47] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 2216

[48] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    - Executes dropped EXE
    PID: 1548

[49] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 708

[50] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    - Executes dropped EXE
    - Drops file in Windows directory
    PID: 2428

[51] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 2744

[52] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    - Executes dropped EXE
    PID: 2124

[53] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 2156

[54] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    - Executes dropped EXE
    PID: 2072

[55] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 2196

[56] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID: 2644

[57] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 2856

[58] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    - Executes dropped EXE
    PID: 1608

[59] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 2292

[60] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    - Executes dropped EXE
    PID: 2120

[61] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    - Executes dropped EXE
    PID: 1248

[62] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    - Executes dropped EXE
    PID: 2884

[63] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    - Executes dropped EXE
    PID: 596

[64] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    - Executes dropped EXE
    PID: 2084

[65] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    - Executes dropped EXE
    PID: 2308

[66] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    PID: 2900

[67] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    PID: 2164

[68] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    PID: 1696

[69] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    PID: 1600

[70] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    PID: 2280

[71] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    - Drops file in Windows directory
    PID: 932

[72] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    - Drops file in Windows directory
    PID: 788

[73] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    - System Location Discovery: System Language Discovery
    PID: 572

[74] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    - System Location Discovery: System Language Discovery
    PID: 2360

[75] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    PID: 2324

[76] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    PID: 2268

[77] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    PID: 1624

[78] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    PID: 2208

[79] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    PID: 2260

[80] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    PID: 2148

[81] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    PID: 1888

[82] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    PID: 1988

[83] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    PID: 2620

[84] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    - Drops file in Windows directory
    PID: 2092

[85] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    PID: 2588

[86] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    - System Location Discovery: System Language Discovery
    PID: 2912

[87] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    PID: 2672

[88] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    PID: 2652

[89] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    PID: 2580

[90] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    PID: 2460

[91] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    PID: 2572

[92] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    - System Location Discovery: System Language Discovery
    PID: 2516

[93] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    PID: 1860

[94] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    PID: 2804

[95] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    PID: 1416

[96] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    - Drops file in Windows directory
    PID: 2924

[97] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    PID: 1556

[98] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    PID: 2800

[99] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    PID: 1448

[100] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    PID: 1648

[101] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    - Drops file in Windows directory
    PID: 792

[102] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    PID: 1864

[103] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    PID: 712

[104] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    PID: 2124

[105] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    PID: 2052

[106] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    PID: 2128

[107] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    PID: 2344

[108] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    - Drops file in Windows directory
    PID: 2100

[109] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    PID: 2060

[110] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    PID: 288

[111] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    PID: 1552

[112] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    - System Location Discovery: System Language Discovery
    PID: 2292

[113] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    PID: 2120

[114] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    PID: 1172

[115] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    - Drops file in Windows directory
    PID: 1128

[116] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    PID: 2084

[117] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    PID: 1656

[118] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    PID: 1288

[119] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    PID: 340

[120] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    PID: 976

[121] C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE"
    PID: 2404

[122] C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\765AAE~1.EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID: 1596