Analysis
-
max time kernel
118s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
04-01-2025 03:00
Behavioral task
behavioral1
Sample
c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
Resource
win10v2004-20241007-en
General
-
Target
c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
-
Size
1.9MB
-
MD5
92f3d1d15ba772bd14dc2316915b7e00
-
SHA1
7268cbe49243e8125c9540b9f6d91e5e1a77e8b8
-
SHA256
c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480
-
SHA512
4f5ec39e45334290a8c435b6ba6865916efbf50eb5a9c5b84b684540d004119c24c1dde0a1a2a56535975f953a0861bf4b2fccc57307a62dd7c2d4be473ba7b9
-
SSDEEP
49152:5W+KX91+mP9BzpyLbv98QuyyPhNqxMXkUcLg2HyqbAa:fKX91+mP7zpyLbv98QuyyPhgxMXkUsgV
Malware Config
Signatures
-
Detect Neshta payload 64 IoCs
resource yara_rule
All 64 resources below match family_neshta.
Dropped files (11):
behavioral1/files/0x0009000000015cfd-2.dat
behavioral1/files/0x0001000000010318-20.dat
behavioral1/files/0x0001000000010316-19.dat
behavioral1/files/0x001400000000f842-18.dat
behavioral1/files/0x005b00000001032b-17.dat
behavioral1/files/0x0008000000015d19-16.dat
behavioral1/files/0x000100000000f7d8-98.dat
behavioral1/files/0x000100000000f7cf-105.dat
behavioral1/files/0x000100000000f77b-104.dat
behavioral1/files/0x000100000000f7dd-103.dat
behavioral1/files/0x000100000000f877-146.dat
Memory dumps (53), each named behavioral1/memory/<pid>-<n>-0x0000000000400000-0x000000000041B000-memory.dmp, i.e. the same 0x400000-0x41B000 image in every process; <pid>-<n> in report order:
2660-30, 2408-29, 2732-43, 2708-45, 1624-59, 2948-58, 2716-73, 2576-72, 2700-86, 1020-85, 1852-113, 2756-160, 1520-159, 2620-172, 440-171, 1864-130, 1348-129, 1868-191, 1244-200, 636-199, 852-189, 1808-214, 1308-213, 2484-112, 988-228, 1848-229, 1488-260, 2116-259, 2720-272, 2824-271, 3004-287, 2616-286, 2976-295, 2580-294, 2716-311, 2156-310, 376-319, 2416-335, 336-334, 1932-342, 2816-343, 2888-351, 2988-350, 1540-327, 1048-359, 2608-358, 3056-367, 908-366, 2876-326, 2624-318, 2748-303, 2656-302, 1964-374
-
Neshta
Neshta is a file-infecting virus: it writes its own code into other executable files so that every infected program spreads the infection further when it is run, damaging the host programs it modifies.
-
Neshta family
-
Executes dropped EXE 64 IoCs
pid Process
2348 c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
2660 svchost.com
2408 C85F4D~1.EXE
2708 svchost.com
2732 C85F4D~1.EXE
1624 svchost.com
2948 C85F4D~1.EXE
2716 svchost.com
2576 C85F4D~1.EXE
2700 svchost.com
1020 C85F4D~1.EXE
1852 svchost.com
2484 C85F4D~1.EXE
1864 svchost.com
1348 C85F4D~1.EXE
1520 svchost.com
2756 C85F4D~1.EXE
2620 svchost.com
440 C85F4D~1.EXE
1868 svchost.com
852 C85F4D~1.EXE
1244 svchost.com
636 C85F4D~1.EXE
1808 svchost.com
1308 C85F4D~1.EXE
1848 svchost.com
988 C85F4D~1.EXE
2116 svchost.com
1488 C85F4D~1.EXE
2720 svchost.com
2824 C85F4D~1.EXE
3004 svchost.com
2616 C85F4D~1.EXE
2976 svchost.com
2580 C85F4D~1.EXE
2748 svchost.com
2656 C85F4D~1.EXE
2716 svchost.com
2156 C85F4D~1.EXE
376 svchost.com
2624 C85F4D~1.EXE
1540 svchost.com
2876 C85F4D~1.EXE
2416 svchost.com
336 C85F4D~1.EXE
2816 svchost.com
1932 C85F4D~1.EXE
2888 svchost.com
2988 C85F4D~1.EXE
1048 svchost.com
2608 C85F4D~1.EXE
3056 svchost.com
908 C85F4D~1.EXE
1964 svchost.com
1980 C85F4D~1.EXE
2304 svchost.com
2420 C85F4D~1.EXE
2496 svchost.com
852 C85F4D~1.EXE
2264 svchost.com
2996 C85F4D~1.EXE
2248 svchost.com
2464 C85F4D~1.EXE
556 svchost.com
-
Loads dropped DLL 64 IoCs
pid Process (entries)
The 64 entries are collapsed to one row per pid, in order of first appearance; the number in parentheses is how many times that pid is listed.
2028 c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe (5)
2660 svchost.com (2)
2708 svchost.com (2)
1624 svchost.com (2)
2716 svchost.com (4)
2700 svchost.com (2)
1852 svchost.com (2)
2348 c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe (3)
1864 svchost.com (2)
1520 svchost.com (2)
2620 svchost.com (2)
1868 svchost.com (2)
1244 svchost.com (2)
1808 svchost.com (2)
1848 svchost.com (2)
2116 svchost.com (2)
2720 svchost.com (2)
3004 svchost.com (2)
2976 svchost.com (2)
2748 svchost.com (2)
376 svchost.com (2)
1540 svchost.com (2)
2416 svchost.com (2)
2816 svchost.com (2)
2888 svchost.com (2)
1048 svchost.com (2)
3056 svchost.com (2)
1964 svchost.com (2)
2304 svchost.com (2)
-
Modifies system executable filetype association 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target data stored by web browsers, such as saved credentials. No IoCs are listed for this signature in the report.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) by C85F4D~1.EXE, in report order: \??\A: \??\B: \??\J: \??\O: \??\R: \??\S: \??\U: \??\W: \??\E: \??\G: \??\L: \??\M: \??\P: \??\V: \??\H: \??\I: \??\K: \??\Q: \??\T: \??\Y: \??\N: \??\X: \??\Z: (every drive letter except C:, D: and F:)
-
Drops file in Program Files directory 64 IoCs
description ioc Process
All 64 entries are "File opened for modification" by c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe; paths in report order (some are listed twice):
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE
C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe
C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe
C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE
C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE
C:\PROGRA~2\WI54FB~1\wmpshare.exe
C:\PROGRA~2\WI4223~1\sidebar.exe
C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE
C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE
C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE
C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE
C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE
C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe
C:\PROGRA~2\WI54FB~1\wmlaunch.exe
C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe
C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE
C:\PROGRA~2\INTERN~1\ieinstal.exe
C:\PROGRA~2\INTERN~1\iexplore.exe
C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE
C:\PROGRA~2\WI54FB~1\wmplayer.exe
C:\PROGRA~2\WINDOW~4\ImagingDevices.exe
C:\PROGRA~2\WI54FB~1\setup_wm.exe
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE
C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE
C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE
C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE
C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE
C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE
C:\PROGRA~2\WI54FB~1\wmpshare.exe
C:\PROGRA~2\WINDOW~4\ImagingDevices.exe
C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE
C:\PROGRA~2\WINDOW~1\wabmig.exe
C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE
C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE
C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe
C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe
C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE
C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe
C:\PROGRA~2\MICROS~1\Office14\misc.exe
C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE
C:\PROGRA~2\WINDOW~1\wab.exe
C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
C:\PROGRA~2\INTERN~1\ielowutil.exe
C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE
C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE
C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE
C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE
C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE
-
Drops file in Windows directory 64 IoCs
description ioc Process
All 64 entries are "File opened for modification" on one of two paths, by one of two processes:
C:\Windows\svchost.com  by svchost.com   (17 entries)
C:\Windows\svchost.com  by C85F4D~1.EXE  (19 entries)
C:\Windows\directx.sys  by svchost.com   (14 entries)
C:\Windows\directx.sys  by C85F4D~1.EXE  (14 entries)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process
All 64 entries are "Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language": 32 by C85F4D~1.EXE and 32 by svchost.com.
-
Modifies registry class 1 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
-
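The registry value above (listed under both "Modifies system executable filetype association" and "Modifies registry class") replaces the stock exefile handler "%1" %* with C:\Windows\svchost.com "%1" %*. After that, every .exe the user launches first runs the dropped svchost.com, which in turn starts the requested program; that is what produces the alternating svchost.com / C85F4D~1.EXE launch chain elsewhere in this report. A .com file in C:\Windows has nothing to do with the legitimate System32\svchost.exe. The following is an added example, not part of the sandbox report: it parses the IoC exactly as printed, undoes the sandbox's escaping of backslashes and quotes, and classifies the handler. The tokeniser is a deliberately simplified stand-in for CommandLineToArgvW (it does not handle backslash-escaped quotes), and the "default" / "hijacked" / "unexpected" labels are this example's own.

```python
import re

# Registry IoC copied verbatim from the "Modifies system executable filetype
# association" entry in the report above. The sandbox escapes backslashes and
# embedded quotes inside the value data, which parse_registry_ioc() undoes.
OBSERVED_IOC = (
    r'\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = '
    r'"C:\\Windows\\svchost.com \"%1\" %*"'
)

# Stock value of HKLM\SOFTWARE\Classes\exefile\shell\open\command: run the
# .exe that was opened (%1) with its original arguments (%*).
DEFAULT_EXEFILE_COMMAND = '"%1" %*'

_IOC_RE = re.compile(r'^(?P<key>\\REGISTRY\\.+?)\\?\s*=\s*"(?P<data>.*)"$')


def parse_registry_ioc(ioc: str):
    """Split a sandbox set-value IoC into (key, data), removing the trailing
    backslash the report prints after the key and undoing the escaping the
    sandbox applies to backslashes and quotes inside the data."""
    m = _IOC_RE.match(ioc.strip())
    if m is None:
        raise ValueError("not a registry set-value IoC: " + ioc)
    data = m.group("data").replace('\\"', '"').replace("\\\\", "\\")
    return m.group("key"), data


def split_command(cmd: str):
    """Tokenise a shell command string: whitespace separates arguments and
    double quotes group them. Simplified stand-in for CommandLineToArgvW;
    backslash-escaped quotes are not handled (assumption of this example)."""
    tokens, cur, quoted = [], [], False
    for ch in cmd:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def assess_exefile_handler(data: str):
    """Classify the data of the exefile open command.
    ("default", None)          stock handler, nothing sits in front of %1
    ("hijacked", interposer)   another program runs first and receives %1,
                               so it executes on every .exe launch
    ("unexpected", first)      anything else, worth a manual look"""
    tokens = split_command(data)
    if tokens == ["%1", "%*"]:
        return "default", None
    if "%1" in tokens and tokens.index("%1") > 0:
        return "hijacked", tokens[0]
    return "unexpected", tokens[0] if tokens else None


if __name__ == "__main__":
    key, data = parse_registry_ioc(OBSERVED_IOC)
    verdict, interposer = assess_exefile_handler(data)
    print(key)
    print(data)
    print(verdict, interposer)
```

On a live host the same classification applies to the data read from HKLM\SOFTWARE\Classes\exefile\shell\open\command (or its HKCR view). When cleaning up, restore "%1" %* before deleting C:\Windows\svchost.com: while the handler still points at the interposer, removing the file leaves the machine unable to start any .exe.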
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process
Token: SeShutdownPrivilege 2688 C85F4D~1.EXE
Token: SeDebugPrivilege 2688 C85F4D~1.EXE
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2688 C85F4D~1.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2028 wrote to memory of 2348 2028 c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe 31
PID 2028 wrote to memory of 2348 2028 c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe 31
PID 2028 wrote to memory of 2348 2028 c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe 31
PID 2028 wrote to memory of 2348 2028 c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe 31
PID 2348 wrote to memory of 2660 2348 c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe 32
PID 2348 wrote to memory of 2660 2348 c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe 32
PID 2348 wrote to memory of 2660 2348 c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe 32
PID 2348 wrote to memory of 2660 2348 c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe 32
PID 2660 wrote to memory of 2408 2660 svchost.com 33
PID 2660 wrote to memory of 2408 2660 svchost.com 33
PID 2660 wrote to memory of 2408 2660 svchost.com 33
PID 2660 wrote to memory of 2408 2660 svchost.com 33
PID 2408 wrote to memory of 2708 2408 C85F4D~1.EXE 34
PID 2408 wrote to memory of 2708 2408 C85F4D~1.EXE 34
PID 2408 wrote to memory of 2708 2408 C85F4D~1.EXE 34
PID 2408 wrote to memory of 2708 2408 C85F4D~1.EXE 34
PID 2708 wrote to memory of 2732 2708 svchost.com 35
PID 2708 wrote to memory of 2732 2708 svchost.com 35
PID 2708 wrote to memory of 2732 2708 svchost.com 35
PID 2708 wrote to memory of 2732 2708 svchost.com 35
PID 2732 wrote to memory of 1624 2732 C85F4D~1.EXE 36
PID 2732 wrote to memory of 1624 2732 C85F4D~1.EXE 36
PID 2732 wrote to memory of 1624 2732 C85F4D~1.EXE 36
PID 2732 wrote to memory of 1624 2732 C85F4D~1.EXE 36
PID 1624 wrote to memory of 2948 1624 svchost.com 37
PID 1624 wrote to memory of 2948 1624 svchost.com 37
PID 1624 wrote to memory of 2948 1624 svchost.com 37
PID 1624 wrote to memory of 2948 1624 svchost.com 37
PID 2948 wrote to memory of 2716 2948 C85F4D~1.EXE 68
PID 2948 wrote to memory of 2716 2948 C85F4D~1.EXE 68
PID 2948 wrote to memory of 2716 2948 C85F4D~1.EXE 68
PID 2948 wrote to memory of 2716 2948 C85F4D~1.EXE 68
PID 2716 wrote to memory of 2576 2716 svchost.com 39
PID 2716 wrote to memory of 2576 2716 svchost.com 39
PID 2716 wrote to memory of 2576 2716 svchost.com 39
PID 2716 wrote to memory of 2576 2716 svchost.com 39
PID 2576 wrote to memory of 2700 2576 C85F4D~1.EXE 116
PID 2576 wrote to memory of 2700 2576 C85F4D~1.EXE 116
PID 2576 wrote to memory of 2700 2576 C85F4D~1.EXE 116
PID 2576 wrote to memory of 2700 2576 C85F4D~1.EXE 116
PID 2700 wrote to memory of 1020 2700 svchost.com 123
PID 2700 wrote to memory of 1020 2700 svchost.com 123
PID 2700 wrote to memory of 1020 2700 svchost.com 123
PID 2700 wrote to memory of 1020 2700 svchost.com 123
PID 1020 wrote to memory of 1852 1020 C85F4D~1.EXE 42
PID 1020 wrote to memory of 1852 1020 C85F4D~1.EXE 42
PID 1020 wrote to memory of 1852 1020 C85F4D~1.EXE 42
PID 1020 wrote to memory of 1852 1020 C85F4D~1.EXE 42
PID 1852 wrote to memory of 2484 1852 svchost.com 43
PID 1852 wrote to memory of 2484 1852 svchost.com 43
PID 1852 wrote to memory of 2484 1852 svchost.com 43
PID 1852 wrote to memory of 2484 1852 svchost.com 43
PID 2484 wrote to memory of 1864 2484 C85F4D~1.EXE 44
PID 2484 wrote to memory of 1864 2484 C85F4D~1.EXE 44
PID 2484 wrote to memory of 1864 2484 C85F4D~1.EXE 44
PID 2484 wrote to memory of 1864 2484 C85F4D~1.EXE 44
PID 1864 wrote to memory of 1348 1864 svchost.com 45
PID 1864 wrote to memory of 1348 1864 svchost.com 45
PID 1864 wrote to memory of 1348 1864 svchost.com 45
PID 1864 wrote to memory of 1348 1864 svchost.com 45
PID 1348 wrote to memory of 1520 1348 C85F4D~1.EXE 46
PID 1348 wrote to memory of 1520 1348 C85F4D~1.EXE 46
PID 1348 wrote to memory of 1520 1348 C85F4D~1.EXE 46
PID 1348 wrote to memory of 1520 1348 C85F4D~1.EXE 46
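The rows above are a flattened parent-to-child log: every hop of the process tree appears four times (one row per WriteProcessMemory call the sandbox recorded), and the parent image alternates between svchost.com and the sample's own copy. The following Python is an added example, not part of the report or of any sandbox tooling: it parses rows in the report's own wording, de-duplicates them per hop, reconstructs the launch chain from the root process, and measures how many consecutive hops alternate between svchost.com and another image, which is the shape a relaunch loop through a hijacked .exe association takes in this tree. The sample rows are a constructed excerpt of the first hops of this report, with only one duplicate kept to show the per-hop count.

```python
import re
from collections import Counter

# Constructed excerpt of the "Suspicious use of WriteProcessMemory" rows of this report,
# in the report's wording: parent PID, child PID, parent PID again, parent image, procid_target.
# The report repeats every hop four times; one duplicate is kept here for the first hop.
SAMPLE_ROWS = """
PID 2028 wrote to memory of 2348 2028 c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe 31
PID 2028 wrote to memory of 2348 2028 c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe 31
PID 2348 wrote to memory of 2660 2348 c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe 32
PID 2660 wrote to memory of 2408 2660 svchost.com 33
PID 2408 wrote to memory of 2708 2408 C85F4D~1.EXE 34
PID 2708 wrote to memory of 2732 2708 svchost.com 35
PID 2732 wrote to memory of 1624 2732 C85F4D~1.EXE 36
"""

# Works on the rows whether they sit one per line or run together on a single line.
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def parse_wpm_rows(text):
    """Return (parent_pid, child_pid, parent_image) edges in report order, duplicates kept."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3)) for m in ROW_RE.finditer(text)]


def writes_per_hop(edges):
    """Number of WriteProcessMemory rows the report logged for each parent->child pair."""
    return Counter((parent, child) for parent, child, _ in edges)


def launch_chain(edges):
    """Walk parent->child edges from the root (a parent that is never a child) and return
    [(pid, image), ...]. The last child's image is None: it never wrote to another process,
    so the rows carry no image for it."""
    child_of, image_of = {}, {}
    for parent, child, image in edges:
        child_of.setdefault(parent, child)   # first child seen; the tree here is a single line
        image_of.setdefault(parent, image)
    children = {child for _, child, _ in edges}
    roots = [pid for pid in child_of if pid not in children]
    if not roots:
        return []
    chain, pid, seen = [], roots[0], set()
    while pid is not None and pid not in seen:   # `seen` stops a cycle caused by PID reuse
        seen.add(pid)
        chain.append((pid, image_of.get(pid)))
        pid = child_of.get(pid)
    return chain


def svchost_com_relaunch_hops(chain):
    """Longest run of consecutive hops whose parent images alternate between svchost.com and
    anything else: each launch of the dropped copy spawns svchost.com, which launches the
    copy again. A long run is the relaunch loop this report's tree shows."""
    images = [image for _, image in chain if image]
    best = run = 0
    for prev, cur in zip(images, images[1:]):
        if (prev.lower() == "svchost.com") != (cur.lower() == "svchost.com"):
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


if __name__ == "__main__":
    edges = parse_wpm_rows(SAMPLE_ROWS)
    chain = launch_chain(edges)
    for pid, image in chain:
        print(f"{pid:>5}  {image or '(leaf: no image in the WPM rows)'}")
    print("writes per hop:", dict(writes_per_hop(edges)))
    print("alternating svchost.com hops:", svchost_com_relaunch_hops(chain))
```

Feeding the full 64-row block from this report into `parse_wpm_rows` yields a 16-hop chain with four writes per hop; the alternation count is what distinguishes this pattern from a one-off injection, where a single parent writes into a single child.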
Processes
Each entry is a child of the one before it; the leading number is its depth in the tree. The sample first runs its dropped copy from the 3582-490 folder; from depth 3 onward the tree alternates between C:\Windows\svchost.com, launched with the dropped copy as its argument, and the dropped copy itself.

1. C:\Users\Admin\AppData\Local\Temp\c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe (PID 2028)
   Command line: "C:\Users\Admin\AppData\Local\Temp\c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe"
   - Loads dropped DLL
   - Modifies system executable filetype association
   - Drops file in Program Files directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\AppData\Local\Temp\3582-490\c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe (PID 2348)
   Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe"
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in Program Files directory
   - Suspicious use of WriteProcessMemory
3. C:\Windows\svchost.com (PID 2660)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
4. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 2408)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
5. C:\Windows\svchost.com (PID 2708)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
6. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 2732)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
7. C:\Windows\svchost.com (PID 1624)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
8. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 2948)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
   - Executes dropped EXE
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
9. C:\Windows\svchost.com (PID 2716)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
10. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 2576)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
11. C:\Windows\svchost.com (PID 2700)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
12. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 1020)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
13. C:\Windows\svchost.com (PID 1852)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
14. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 2484)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
15. C:\Windows\svchost.com (PID 1864)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
16. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 1348)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
17. C:\Windows\svchost.com (PID 1520)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
18. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 2756)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
   - Executes dropped EXE
19. C:\Windows\svchost.com (PID 2620)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
20. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 440)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
   - Executes dropped EXE
21. C:\Windows\svchost.com (PID 1868)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
22. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 852)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
   - Executes dropped EXE
23. C:\Windows\svchost.com (PID 1244)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
24. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 636)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
   - Executes dropped EXE
25. C:\Windows\svchost.com (PID 1808)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
26. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 1308)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
   - Executes dropped EXE
27. C:\Windows\svchost.com (PID 1848)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
28. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 988)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
   - Executes dropped EXE
29. C:\Windows\svchost.com (PID 2116)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
30. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 1488)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
31. C:\Windows\svchost.com (PID 2720)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
32. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 2824)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
   - Executes dropped EXE
33. C:\Windows\svchost.com (PID 3004)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
34. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 2616)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
35. C:\Windows\svchost.com (PID 2976)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
36. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 2580)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
37. C:\Windows\svchost.com (PID 2748)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
38. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 2656)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
   - Executes dropped EXE
39. C:\Windows\svchost.com (PID 2716)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
40. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 2156)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
   - Executes dropped EXE
41. C:\Windows\svchost.com (PID 376)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
42. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 2624)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
   - Executes dropped EXE
43. C:\Windows\svchost.com (PID 1540)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
44. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 2876)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
   - Executes dropped EXE
45. C:\Windows\svchost.com (PID 2416)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in Windows directory
46. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 336)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
47. C:\Windows\svchost.com (PID 2816)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
48. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 1932)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
   - Executes dropped EXE
49. C:\Windows\svchost.com (PID 2888)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
50. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 2988)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
   - Executes dropped EXE
   - Drops file in Windows directory
51. C:\Windows\svchost.com (PID 1048)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
52. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 2608)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
   - Executes dropped EXE
53. C:\Windows\svchost.com (PID 3056)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
54. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 908)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
   - Executes dropped EXE
55. C:\Windows\svchost.com (PID 1964)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in Windows directory
56. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 1980)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
57. C:\Windows\svchost.com (PID 2304)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
58. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 2420)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
   - Executes dropped EXE
59. C:\Windows\svchost.com (PID 2496)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
   - Executes dropped EXE
60. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 852)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
   - Executes dropped EXE
61. C:\Windows\svchost.com (PID 2264)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
62. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 2996)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
   - Executes dropped EXE
63. C:\Windows\svchost.com (PID 2248)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
   - Executes dropped EXE
64. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 2464)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
   - Executes dropped EXE
   - Drops file in Windows directory
65. C:\Windows\svchost.com (PID 556)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
   - Executes dropped EXE
66. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 2320)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
67. C:\Windows\svchost.com (PID 944)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
68. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 800)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
69. C:\Windows\svchost.com (PID 1952)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
   - System Location Discovery: System Language Discovery
70. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 3048)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
71. C:\Windows\svchost.com (PID 1508)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
72. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 2548)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
73. C:\Windows\svchost.com (PID 2344)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
   - Drops file in Windows directory
74. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 2852)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
75. C:\Windows\svchost.com (PID 1164)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
   - Drops file in Windows directory
76. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 2784)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
77. C:\Windows\svchost.com (PID 2860)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
   - Drops file in Windows directory
78. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 2824)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
79. C:\Windows\svchost.com (PID 2728)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
80. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 1636)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
   - System Location Discovery: System Language Discovery
81. C:\Windows\svchost.com (PID 2192)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
82. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 2828)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
83. C:\Windows\svchost.com (PID 2332)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
84. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 2644)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
85. C:\Windows\svchost.com (PID 2592)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
86. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 2208)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
87. C:\Windows\svchost.com (PID 2700)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
88. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 2960)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
   - System Location Discovery: System Language Discovery
89. C:\Windows\svchost.com (PID 2164)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
90. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 2052)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
91. C:\Windows\svchost.com (PID 1536)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
   - Drops file in Windows directory
92. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 2104)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
93. C:\Windows\svchost.com (PID 1836)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
94. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 1020)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
95. C:\Windows\svchost.com (PID 1644)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
96. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 1932)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
97. C:\Windows\svchost.com (PID 2892)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
98. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 1724)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
99. C:\Windows\svchost.com (PID 2600)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
100. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 2608)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
101. C:\Windows\svchost.com (PID 2896)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
102. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 908)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
103. C:\Windows\svchost.com (PID 2676)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
   - System Location Discovery: System Language Discovery
104. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 980)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
105. C:\Windows\svchost.com (PID 1052)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
   - System Location Discovery: System Language Discovery
106. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 1784)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
107. C:\Windows\svchost.com (PID 1880)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
108. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 692)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
109. C:\Windows\svchost.com (PID 2276)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
110. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 1400)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
111. C:\Windows\svchost.com (PID 1732)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
112. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 2464)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
113. C:\Windows\svchost.com (PID 2476)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
114. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 1872)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
115. C:\Windows\svchost.com (PID 876)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
   - Drops file in Windows directory
116. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 988)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
   - Drops file in Windows directory
117. C:\Windows\svchost.com (PID 1952)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
118. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 880)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
119. C:\Windows\svchost.com (PID 2260)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
120. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 2528)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
   - Drops file in Windows directory
121. C:\Windows\svchost.com (PID 1552)
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
   - System Location Discovery: System Language Discovery
122. C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE (PID 2376)
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
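The tree's root process is tagged "Modifies system executable filetype association" and every later launch of the dropped copy is routed through C:\Windows\svchost.com, so the two things worth checking on a suspected host are the exefile association and the presence of that file. The following Python is an added triage check, not part of the report or of any sandbox tooling. Two facts it relies on: the default value of HKCR\exefile\shell\open\command on a clean Windows install is `"%1" %*`, and the 3582-490 folder under the user's Temp directory is where this sample keeps its copy (visible in the command lines above). That the modified association points at C:\Windows\svchost.com is an assumption consistent with the command lines in the tree, not something the report states; the check therefore flags any interposer in front of `%1`, whatever its path. Registry and filesystem access are injected so the logic runs offline against fakes and only touches the live registry on Windows.

```python
import os
import tempfile

try:
    import winreg  # only available on Windows; the pure checks below do not need it
except ImportError:
    winreg = None

# Default value of HKCR\exefile\shell\open\command on a clean Windows install.
STOCK_EXEFILE_COMMAND = '"%1" %*'

# Artifacts taken from this report's process tree. The 3582-490 folder is relative to the
# user's Temp directory (C:\Users\Admin\AppData\Local\Temp in the sandbox run).
SVCHOST_COM = r"C:\Windows\svchost.com"
DROP_FOLDER = "3582-490"


def interposer_in_exefile_command(command):
    """Return the program an exefile association runs *before* the clicked .exe, or None when
    the association is stock. The first token of the stock value is the placeholder %1 (the
    clicked file itself); any other first token is a program interposed on every .exe launch."""
    command = command.strip()
    if not command:
        return None
    if command.startswith('"'):
        end = command.find('"', 1)
        first = command[1:end] if end != -1 else command[1:]
    else:
        first = command.split(None, 1)[0]
    return None if first == "%1" else first


def read_exefile_command_from_registry():
    """Read the live association. Windows only; raises elsewhere."""
    if winreg is None:
        raise RuntimeError("registry access needs Windows")
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command") as key:
        value, _ = winreg.QueryValueEx(key, "")   # "" selects the key's default value
    return value


def triage(read_exefile_command, path_exists, temp_dir):
    """Collect findings as strings. `read_exefile_command` and `path_exists` are injected so
    the logic can be exercised with fakes; pass the real readers for a live host."""
    findings = []
    interposer = interposer_in_exefile_command(read_exefile_command())
    if interposer is not None:
        findings.append(f"exefile association routed through {interposer}")
    for path in (SVCHOST_COM, os.path.join(temp_dir, DROP_FOLDER)):
        if path_exists(path):
            findings.append(f"artifact present: {path}")
    return findings


if __name__ == "__main__":
    if winreg is not None:
        for finding in triage(read_exefile_command_from_registry, os.path.exists, tempfile.gettempdir()):
            print(finding)
    else:
        # Off Windows, exercise the logic with the assumed post-infection value and this report's paths.
        fake_command = lambda: r'"C:\Windows\svchost.com" "%1" %*'
        fake_exists = lambda p: p == SVCHOST_COM
        print(triage(fake_command, fake_exists, r"C:\Users\Admin\AppData\Local\Temp"))
```

Because `interposer_in_exefile_command` inspects only the first token, it also catches an unquoted interposer path and associations that point somewhere other than svchost.com; restoring the association means putting `"%1" %*` back, and on a machine where svchost.com has run, every .exe launched since may itself carry the infector, so the registry fix alone is not a cleanup.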