Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
01-01-2025 16:37
Behavioral task
behavioral1
Sample
d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe
Resource
win10v2004-20241007-en
General
-
Target
d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe
-
Size
165KB
-
MD5
4ce99fea62c2e4d9cff437f1665ddb50
-
SHA1
cf2a5899268b224b784531ed3b72c8aa60099d17
-
SHA256
d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775f
-
SHA512
bb35f8eeb32315465fa3cd68a05c3d504157fc50f1e5e47727afa0d6d230dd6c33825398a3791da58af592aaea00427e7cce967faf9b30b37ec5daa5fe89d9b5
-
SSDEEP
3072:sr85CLkJOSzsQ8cNGSlerENTihhn2sUgUe5/Cr85C:k9YpzsQ8cNGSEr6TaAjJ9
Malware Config
Signatures
-
Detect Neshta payload 64 IoCs
resource yara_rule behavioral1/files/0x0008000000016c7c-9.dat family_neshta behavioral1/files/0x0007000000016ca5-15.dat family_neshta behavioral1/files/0x0001000000010314-19.dat family_neshta behavioral1/files/0x0001000000010312-18.dat family_neshta behavioral1/files/0x001700000000f7f7-17.dat family_neshta behavioral1/files/0x001400000001033a-16.dat family_neshta behavioral1/memory/2248-31-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2892-30-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2740-45-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2880-44-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2256-73-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2644-72-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1280-115-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/820-156-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1924-205-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/800-221-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2076-220-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/3060-285-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2660-297-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2256-312-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/352-328-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2184-344-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2016-343-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1284-352-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta 
behavioral1/memory/1680-360-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1944-368-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/836-367-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2792-384-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1492-392-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2536-415-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1616-416-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2672-408-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2096-407-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2464-399-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/916-400-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/908-391-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/968-383-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2108-376-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2340-375-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/780-359-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/3000-351-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1256-336-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1812-335-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/692-327-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2732-320-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1260-319-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta 
behavioral1/memory/1668-309-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1620-296-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2628-286-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2880-278-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2176-277-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2704-261-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1848-260-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/880-233-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2396-232-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1348-204-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1516-191-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1400-190-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1676-176-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1240-175-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2524-155-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2016-138-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2864-137-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/files/0x000100000000f7e9-130.dat family_neshta -
Neshta
Malware from the Neshta family is a file infector: it writes a copy of itself into other executable files so that each infected program spreads the infection when it is run, and it can damage those host programs in the process.
-
Neshta family
-
Executes dropped EXE 64 IoCs
pid Process 2412 d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe 2248 svchost.com 2892 D05D4A~1.EXE 2740 svchost.com 2880 D05D4A~1.EXE 2844 svchost.com 2656 D05D4A~1.EXE 2644 svchost.com 2256 D05D4A~1.EXE 1844 svchost.com 1052 D05D4A~1.EXE 1572 svchost.com 1796 D05D4A~1.EXE 1280 svchost.com 2024 D05D4A~1.EXE 2864 svchost.com 2016 D05D4A~1.EXE 2524 svchost.com 820 D05D4A~1.EXE 1676 svchost.com 1240 D05D4A~1.EXE 1516 svchost.com 1400 D05D4A~1.EXE 1924 svchost.com 1348 D05D4A~1.EXE 800 svchost.com 2076 D05D4A~1.EXE 880 svchost.com 2396 D05D4A~1.EXE 2704 svchost.com 1848 D05D4A~1.EXE 2176 svchost.com 2880 D05D4A~1.EXE 2628 svchost.com 3060 D05D4A~1.EXE 2660 svchost.com 1620 D05D4A~1.EXE 2256 svchost.com 1668 D05D4A~1.EXE 2732 svchost.com 1260 D05D4A~1.EXE 352 svchost.com 692 D05D4A~1.EXE 1256 svchost.com 1812 D05D4A~1.EXE 2184 svchost.com 2016 D05D4A~1.EXE 1284 svchost.com 3000 D05D4A~1.EXE 1680 svchost.com 780 D05D4A~1.EXE 1944 svchost.com 836 D05D4A~1.EXE 2108 svchost.com 2340 D05D4A~1.EXE 968 svchost.com 2792 D05D4A~1.EXE 1492 svchost.com 908 D05D4A~1.EXE 916 svchost.com 2464 D05D4A~1.EXE 2672 svchost.com 2096 D05D4A~1.EXE 1616 svchost.com -
Loads dropped DLL 64 IoCs
pid Process 1272 d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe 1272 d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe 2248 svchost.com 2248 svchost.com 2740 svchost.com 2740 svchost.com 2844 svchost.com 2844 svchost.com 2644 svchost.com 2644 svchost.com 1844 svchost.com 1844 svchost.com 1572 svchost.com 1572 svchost.com 1280 svchost.com 1280 svchost.com 2864 svchost.com 2864 svchost.com 1272 d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe 2412 d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe 2524 svchost.com 2524 svchost.com 1676 svchost.com 1676 svchost.com 2412 d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe 1516 svchost.com 1516 svchost.com 1924 svchost.com 1924 svchost.com 800 svchost.com 800 svchost.com 880 svchost.com 880 svchost.com 2412 d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe 2704 svchost.com 2704 svchost.com 2412 d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe 2176 svchost.com 2176 svchost.com 2412 d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe 2628 svchost.com 2628 svchost.com 2660 svchost.com 2660 svchost.com 2256 svchost.com 2256 svchost.com 2732 svchost.com 2732 svchost.com 352 svchost.com 352 svchost.com 1256 svchost.com 1256 svchost.com 2184 svchost.com 2184 svchost.com 1284 svchost.com 1284 svchost.com 1680 svchost.com 1680 svchost.com 1944 svchost.com 1944 svchost.com 2108 svchost.com 2108 svchost.com 968 svchost.com 968 svchost.com -
Modifies system executable filetype association 2 TTPs 1 IoCs — the exefile\shell\open\command value is pointed at C:\Windows\svchost.com, so every .exe launched on the host is routed through the dropped binary first (this matches the repeated svchost.com → D05D4A~1.EXE chain in the process tree below).
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive profile data. Note that no specific IoC is listed for this signature in this report, so it should be treated as a heuristic hit rather than a confirmed observation.
-
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\misc.exe 
d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\OIS.EXE d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE 
d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\WINDOW~1\wabmig.exe d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\WI54FB~1\WMPDMC.exe d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE 
d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\WINDOW~1\WinMail.exe d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\WINDOW~4\ImagingDevices.exe d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification 
C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\directx.sys D05D4A~1.EXE File opened for modification C:\Windows\directx.sys D05D4A~1.EXE File opened for modification C:\Windows\svchost.com D05D4A~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com D05D4A~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys D05D4A~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com D05D4A~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com D05D4A~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys D05D4A~1.EXE File opened for modification C:\Windows\svchost.com D05D4A~1.EXE File opened for modification C:\Windows\svchost.com D05D4A~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys D05D4A~1.EXE File opened for modification C:\Windows\directx.sys D05D4A~1.EXE File opened for modification C:\Windows\directx.sys D05D4A~1.EXE File opened for modification C:\Windows\svchost.com D05D4A~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com D05D4A~1.EXE File opened for modification C:\Windows\svchost.com D05D4A~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification 
C:\Windows\svchost.com D05D4A~1.EXE File opened for modification C:\Windows\directx.sys D05D4A~1.EXE File opened for modification C:\Windows\directx.sys D05D4A~1.EXE File opened for modification C:\Windows\directx.sys D05D4A~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com D05D4A~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys D05D4A~1.EXE File opened for modification C:\Windows\directx.sys D05D4A~1.EXE File opened for modification C:\Windows\svchost.com D05D4A~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com D05D4A~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com D05D4A~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com D05D4A~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys D05D4A~1.EXE File opened for modification C:\Windows\directx.sys D05D4A~1.EXE File opened for modification C:\Windows\svchost.com d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe File opened for modification C:\Windows\svchost.com D05D4A~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com D05D4A~1.EXE File opened for modification 
C:\Windows\directx.sys D05D4A~1.EXE File opened for modification C:\Windows\directx.sys D05D4A~1.EXE File opened for modification C:\Windows\svchost.com D05D4A~1.EXE File opened for modification C:\Windows\svchost.com D05D4A~1.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim machine in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D05D4A~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D05D4A~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D05D4A~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D05D4A~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D05D4A~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D05D4A~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D05D4A~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D05D4A~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D05D4A~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D05D4A~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D05D4A~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D05D4A~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D05D4A~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D05D4A~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D05D4A~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D05D4A~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D05D4A~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D05D4A~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D05D4A~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D05D4A~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D05D4A~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D05D4A~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D05D4A~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D05D4A~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D05D4A~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D05D4A~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D05D4A~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D05D4A~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D05D4A~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com -
Modifies registry class 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1272 wrote to memory of 2412 1272 d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe 30 PID 1272 wrote to memory of 2412 1272 d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe 30 PID 1272 wrote to memory of 2412 1272 d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe 30 PID 1272 wrote to memory of 2412 1272 d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe 30 PID 2412 wrote to memory of 2248 2412 d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe 31 PID 2412 wrote to memory of 2248 2412 d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe 31 PID 2412 wrote to memory of 2248 2412 d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe 31 PID 2412 wrote to memory of 2248 2412 d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe 31 PID 2248 wrote to memory of 2892 2248 svchost.com 32 PID 2248 wrote to memory of 2892 2248 svchost.com 32 PID 2248 wrote to memory of 2892 2248 svchost.com 32 PID 2248 wrote to memory of 2892 2248 svchost.com 32 PID 2892 wrote to memory of 2740 2892 D05D4A~1.EXE 33 PID 2892 wrote to memory of 2740 2892 D05D4A~1.EXE 33 PID 2892 wrote to memory of 2740 2892 D05D4A~1.EXE 33 PID 2892 wrote to memory of 2740 2892 D05D4A~1.EXE 33 PID 2740 wrote to memory of 2880 2740 svchost.com 104 PID 2740 wrote to memory of 2880 2740 svchost.com 104 PID 2740 wrote to memory of 2880 2740 svchost.com 104 PID 2740 wrote to memory of 2880 2740 svchost.com 104 PID 2880 wrote to memory of 2844 2880 D05D4A~1.EXE 35 PID 2880 wrote to memory of 2844 2880 D05D4A~1.EXE 35 PID 2880 wrote to memory of 2844 2880 D05D4A~1.EXE 35 PID 2880 wrote to memory of 2844 2880 D05D4A~1.EXE 35 PID 2844 wrote to memory of 2656 2844 svchost.com 36 PID 2844 wrote to memory of 2656 2844 svchost.com 36 PID 2844 wrote to memory of 2656 2844 svchost.com 36 PID 2844 wrote to memory of 2656 2844 svchost.com 36 
PID 2656 wrote to memory of 2644 2656 D05D4A~1.EXE 37 PID 2656 wrote to memory of 2644 2656 D05D4A~1.EXE 37 PID 2656 wrote to memory of 2644 2656 D05D4A~1.EXE 37 PID 2656 wrote to memory of 2644 2656 D05D4A~1.EXE 37 PID 2644 wrote to memory of 2256 2644 svchost.com 38 PID 2644 wrote to memory of 2256 2644 svchost.com 38 PID 2644 wrote to memory of 2256 2644 svchost.com 38 PID 2644 wrote to memory of 2256 2644 svchost.com 38 PID 2256 wrote to memory of 1844 2256 D05D4A~1.EXE 39 PID 2256 wrote to memory of 1844 2256 D05D4A~1.EXE 39 PID 2256 wrote to memory of 1844 2256 D05D4A~1.EXE 39 PID 2256 wrote to memory of 1844 2256 D05D4A~1.EXE 39 PID 1844 wrote to memory of 1052 1844 svchost.com 40 PID 1844 wrote to memory of 1052 1844 svchost.com 40 PID 1844 wrote to memory of 1052 1844 svchost.com 40 PID 1844 wrote to memory of 1052 1844 svchost.com 40 PID 1052 wrote to memory of 1572 1052 D05D4A~1.EXE 41 PID 1052 wrote to memory of 1572 1052 D05D4A~1.EXE 41 PID 1052 wrote to memory of 1572 1052 D05D4A~1.EXE 41 PID 1052 wrote to memory of 1572 1052 D05D4A~1.EXE 41 PID 1572 wrote to memory of 1796 1572 svchost.com 42 PID 1572 wrote to memory of 1796 1572 svchost.com 42 PID 1572 wrote to memory of 1796 1572 svchost.com 42 PID 1572 wrote to memory of 1796 1572 svchost.com 42 PID 1796 wrote to memory of 1280 1796 D05D4A~1.EXE 200 PID 1796 wrote to memory of 1280 1796 D05D4A~1.EXE 200 PID 1796 wrote to memory of 1280 1796 D05D4A~1.EXE 200 PID 1796 wrote to memory of 1280 1796 D05D4A~1.EXE 200 PID 1280 wrote to memory of 2024 1280 svchost.com 44 PID 1280 wrote to memory of 2024 1280 svchost.com 44 PID 1280 wrote to memory of 2024 1280 svchost.com 44 PID 1280 wrote to memory of 2024 1280 svchost.com 44 PID 2024 wrote to memory of 2864 2024 D05D4A~1.EXE 45 PID 2024 wrote to memory of 2864 2024 D05D4A~1.EXE 45 PID 2024 wrote to memory of 2864 2024 D05D4A~1.EXE 45 PID 2024 wrote to memory of 2864 2024 D05D4A~1.EXE 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe"C:\Users\Admin\AppData\Local\Temp\d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe"1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1272 -
C:\Users\Admin\AppData\Local\Temp\3582-490\d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\d05d4ac1e9aa6339e886ea2198df447cea8708dfc357c7b22cb378c30a0a775fN.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE6⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE8⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1844 -
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE12⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1572 -
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1280 -
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2864 -
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE18⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2524 -
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE20⤵
- Executes dropped EXE
PID:820 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1676 -
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE22⤵
- Executes dropped EXE
PID:1240 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1516 -
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE24⤵
- Executes dropped EXE
PID:1400 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1924 -
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE26⤵
- Executes dropped EXE
PID:1348 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:800 -
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE28⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2076 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:880 -
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE30⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2704 -
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE32⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1848 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2176 -
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE34⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"35⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2628 -
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3060 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"37⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2660 -
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE38⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1620 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"39⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2256 -
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE40⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"41⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2732 -
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE42⤵
- Executes dropped EXE
PID:1260 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"43⤵
- Executes dropped EXE
- Loads dropped DLL
PID:352 -
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE44⤵
- Executes dropped EXE
PID:692 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"45⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1256 -
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE46⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"47⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2184 -
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE48⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"49⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1284 -
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE50⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"51⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1680 -
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE52⤵
- Executes dropped EXE
PID:780 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"53⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1944 -
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE54⤵
- Executes dropped EXE
PID:836 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"55⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2108 -
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE56⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"57⤵
- Executes dropped EXE
- Loads dropped DLL
PID:968 -
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE58⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"59⤵
- Executes dropped EXE
PID:1492 -
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE60⤵
- Executes dropped EXE
PID:908 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"61⤵
- Executes dropped EXE
PID:916 -
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2464 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"63⤵
- Executes dropped EXE
PID:2672 -
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE64⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2096 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"65⤵
- Executes dropped EXE
PID:1616 -
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE66⤵PID:2536
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"67⤵PID:2060
-
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE68⤵PID:1584
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"69⤵
- System Location Discovery: System Language Discovery
PID:2936 -
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE70⤵PID:2916
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"71⤵PID:2260
-
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE72⤵PID:2796
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"73⤵PID:2788
-
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE74⤵PID:1580
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"75⤵PID:1684
-
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE76⤵PID:2880
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"77⤵
- System Location Discovery: System Language Discovery
PID:2244 -
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE78⤵PID:3068
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"79⤵
- Drops file in Windows directory
PID:1648 -
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE80⤵PID:1620
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"81⤵PID:2008
-
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE82⤵PID:2684
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"83⤵PID:2836
-
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE84⤵PID:2508
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"85⤵PID:1788
-
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE86⤵PID:1280
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"87⤵PID:2024
-
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE88⤵PID:2956
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"89⤵PID:1432
-
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE90⤵
- Drops file in Windows directory
PID:1176 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"91⤵PID:2944
-
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE92⤵PID:844
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"93⤵PID:2960
-
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE94⤵PID:1144
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"95⤵PID:1680
-
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE96⤵PID:952
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"97⤵PID:1124
-
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE98⤵PID:1676
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"99⤵PID:2108
-
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE100⤵PID:2132
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"101⤵PID:968
-
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE102⤵PID:1400
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"103⤵PID:3012
-
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE104⤵PID:1740
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"105⤵PID:1348
-
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE106⤵PID:2144
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"107⤵PID:2672
-
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE108⤵
- System Location Discovery: System Language Discovery
PID:2480 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"109⤵PID:2472
-
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE110⤵PID:1488
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"111⤵
- Drops file in Windows directory
PID:2060 -
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE112⤵PID:2896
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"113⤵PID:2888
-
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE114⤵PID:2768
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"115⤵PID:2704
-
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE116⤵PID:2984
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"117⤵PID:2924
-
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE118⤵PID:804
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"119⤵PID:2176
-
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE120⤵PID:2636
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE"121⤵PID:2628
-
C:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\D05D4A~1.EXE122⤵PID:2244