Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system -
submitted
16-01-2025 22:10
Behavioral task
behavioral1
Sample
8e113fccdafba84e2b6b7d89e8a986cb812841733bcfbef3c06180dc479d995aN.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
8e113fccdafba84e2b6b7d89e8a986cb812841733bcfbef3c06180dc479d995aN.exe
Resource
win10v2004-20241007-en
General
-
Target
8e113fccdafba84e2b6b7d89e8a986cb812841733bcfbef3c06180dc479d995aN.exe
-
Size
421KB
-
MD5
fe87b245f7e04c6a0cca6537ee7cb5c0
-
SHA1
5812a333abb62e228f3a53f8af51549f3991efd6
-
SHA256
8e113fccdafba84e2b6b7d89e8a986cb812841733bcfbef3c06180dc479d995a
-
SHA512
12bdf8adf548cd450421ea9ea9ff775a78f85b2709ebe2f6daa833e9d19331ea2a15aabae5c4771a1f2f60d94a8372e5c6c57c3373f050a612355596cd7c960e
-
SSDEEP
6144:k9T28RWVuLA3pXu5Ytw2GQQjthTr4sGmiTVVmVVV8VVNVVVcVVVxVVVPVVlVVVRH:+hIVuLcu5cw2GQQjnrrc
Malware Config
Signatures
-
Detect Neshta payload 64 IoCs
resource: yara_rule (all 64 hits match family_neshta)
Dropped files (10):
behavioral1/files/0x0008000000014714-4.dat
behavioral1/files/0x000800000001471c-15.dat
behavioral1/files/0x0001000000010318-20.dat
behavioral1/files/0x0001000000010316-19.dat
behavioral1/files/0x001400000000f842-17.dat
behavioral1/files/0x005b00000001032b-16.dat
behavioral1/files/0x000100000000f7eb-136.dat
behavioral1/files/0x000100000000f7cf-135.dat
behavioral1/files/0x000100000000f77b-134.dat
behavioral1/files/0x000100000000f7dd-132.dat
Memory dumps (54), each named behavioral1/memory/<pid>-<n>-0x0000000000400000-0x000000000041B000-memory.dmp. Every hit is the same 0x400000-0x41B000 image range, in the svchost.com and 8E113F~1.EXE processes listed under "Executes dropped EXE" (<pid>-<n> pairs):
2832-30, 2056-29, 2644-43, 2648-44, 2868-58, 2580-57, 2628-72, 2504-71, 2612-87, 324-86, 692-99, 600-100, 1476-115, 1848-114, 1296-150,
1544-149, 2312-140, 1528-139, 2252-160, 1980-158, 2676-173, 1924-174, 408-191, 2192-193, 1256-206, 1636-205, 768-221, 3064-222, 1228-236, 1928-237, 860-258, 2204-256, 2860-271, 1712-272, 3048-290, 2776-289, 2528-298,
2640-299, 2808-317, 2816-316, 2508-325, 2604-324, 2828-333, 1776-332, 568-340, 1652-341, 556-348, 1484-349, 1432-356, 2020-357, 1284-364, 2008-365, 2312-372, 2552-373 -
Neshta
Neshta is a file infector: it writes its own body into other executables, so running any infected program spreads the infection further. The behaviour recorded in this run is the family's standard pattern. The sample drops a copy of the infector as C:\Windows\svchost.com, writes C:\Windows\directx.sys, replaces the exefile shell\open\command handler so that every .exe launch is routed through svchost.com, drops the host executable into %TEMP%\3582-490\ and relaunches it, and opens executables under Program Files for modification. Because the relaunched file is itself routed through the hook, svchost.com and 8E113F~1.EXE keep starting each other in a chain (see the process tree and the WriteProcessMemory IoCs below).
-
Neshta family
-
Executes dropped EXE 64 IoCs
pid | Process
2920 | 8e113fccdafba84e2b6b7d89e8a986cb812841733bcfbef3c06180dc479d995aN.exe (the copy under %TEMP%\3582-490\)
svchost.com (32 processes): 2832, 2648, 2868, 2628, 2612, 600, 1476, 2312, 1296, 2252, 1924, 2192, 1256, 3064, 1928, 860, 1712, 3048, 2640, 2808, 2604, 2828, 1652, 1484, 2020, 2008, 2552, 2024, 2264, 1956, 2716, 1924
8E113F~1.EXE (31 processes): 2056, 2644, 2580, 2504, 324, 692, 1848, 1528, 1544, 1980, 2676, 408, 1636, 768, 1228, 2204, 2860, 2776, 2528, 2816, 2508, 1776, 568, 556, 1432, 1284, 2312, 1796, 2468, 1948, 3044
In launch order the entries alternate svchost.com / 8E113F~1.EXE. PIDs 2312 and 1924 each appear twice because the sandbox reused them during the run. -
Loads dropped DLL 64 IoCs
pid | Process
1684 | 8e113fccdafba84e2b6b7d89e8a986cb812841733bcfbef3c06180dc479d995aN.exe (7 entries)
2920 | 8e113fccdafba84e2b6b7d89e8a986cb812841733bcfbef3c06180dc479d995aN.exe (5 entries)
svchost.com, two entries each (52 entries): 2832, 2648, 2868, 2628, 2612, 600, 1476, 2312, 1296, 2252, 1924, 2192, 1256, 3064, 1928, 860, 1712, 3048, 2640, 2808, 2604, 2828, 1652, 1484, 2020, 2008 -
Modifies system executable filetype association 2 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
Process: 8e113fccdafba84e2b6b7d89e8a986cb812841733bcfbef3c06180dc479d995aN.exe
The Windows default for this value is "%1" %*. With the rewritten value, every .exe started through the shell runs C:\Windows\svchost.com first, which receives the original executable path and its arguments. -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials. No IoC is listed for this signature in this run.
-
Drops file in Program Files directory 64 IoCs
description: File opened for modification
Process: 8e113fccdafba84e2b6b7d89e8a986cb812841733bcfbef3c06180dc479d995aN.exe for all 64 entries (PIDs 1684 and 2920 in the process tree, not the svchost.com copies)
ioc (in report order; several targets appear twice):
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE
C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE
C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE
C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE
C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE
C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE
C:\PROGRA~2\WI54FB~1\wmpconfig.exe
C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE
C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE
C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE
C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe
C:\PROGRA~2\INTERN~1\ieinstal.exe
C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE
C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE
C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE
C:\PROGRA~2\WINDOW~1\wab.exe
C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE
C:\PROGRA~2\INTERN~1\ielowutil.exe
C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE
C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE
C:\PROGRA~2\WI54FB~1\setup_wm.exe
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE
C:\PROGRA~2\WI54FB~1\wmlaunch.exe
C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe
C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE
C:\PROGRA~2\WINDOW~1\wabmig.exe
C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe
C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe
C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE
C:\PROGRA~2\WI54FB~1\wmplayer.exe
C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE
C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE
C:\PROGRA~2\MICROS~1\Office14\misc.exe
C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE
C:\PROGRA~2\WINDOW~1\wab.exe
C:\PROGRA~2\WI54FB~1\wmplayer.exe
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
C:\PROGRA~2\WI54FB~1\wmpconfig.exe
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE
C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE
C:\PROGRA~2\MICROS~1\Office14\OIS.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE
C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE
C:\PROGRA~2\WI54FB~1\wmprph.exe
C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE
C:\PROGRA~2\WI54FB~1\setup_wm.exe
C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE -
Drops file in Windows directory 64 IoCs
description: File opened for modification
All 64 entries concern the same two files, counted here by writing process:
C:\Windows\directx.sys (32): svchost.com 18, 8E113F~1.EXE 14
C:\Windows\svchost.com (32): svchost.com 17, 8E113F~1.EXE 14, 8e113fccdafba84e2b6b7d89e8a986cb812841733bcfbef3c06180dc479d995aN.exe 1
The counts track the relaunch chain: each hop touches both files, which is why a process named svchost.com is seen modifying C:\Windows\svchost.com. -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
All 64 entries open this one key: 29 from 8E113F~1.EXE and 35 from svchost.com. -
Modifies registry class 1 IoCs
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
Process: 8e113fccdafba84e2b6b7d89e8a986cb812841733bcfbef3c06180dc479d995aN.exe
(The same write as under "Modifies system executable filetype association" above.) -
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (each parent/child pair is recorded four times, 16 pairs in total)
1684 8e113fccdafba84e2b6b7d89e8a986cb812841733bcfbef3c06180dc479d995aN.exe wrote to memory of 2920 (target 28)
2920 8e113fccdafba84e2b6b7d89e8a986cb812841733bcfbef3c06180dc479d995aN.exe wrote to memory of 2832 (target 29)
2832 svchost.com wrote to memory of 2056 (target 30)
2056 8E113F~1.EXE wrote to memory of 2648 (target 31)
2648 svchost.com wrote to memory of 2644 (target 32)
2644 8E113F~1.EXE wrote to memory of 2868 (target 33)
2868 svchost.com wrote to memory of 2580 (target 34)
2580 8E113F~1.EXE wrote to memory of 2628 (target 35)
2628 svchost.com wrote to memory of 2504 (target 36)
2504 8E113F~1.EXE wrote to memory of 2612 (target 37)
2612 svchost.com wrote to memory of 324 (target 38)
324 8E113F~1.EXE wrote to memory of 600 (target 39)
600 svchost.com wrote to memory of 692 (target 40)
692 8E113F~1.EXE wrote to memory of 1476 (target 41)
1476 svchost.com wrote to memory of 1848 (target 42)
1848 8E113F~1.EXE wrote to memory of 2312 (target 82)
Every write goes from a process to its direct child, so this is the same chain as the process tree below: each 8E113F~1.EXE launch is routed through the exefile hook to svchost.com, which starts 8E113F~1.EXE again.
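The registry hijack and dropped files recorded above translate directly into a host check. The script below is an added example and is not part of the sandbox report or of any vendor tooling. It looks for the artifacts this run wrote (the exefile handler value, C:\Windows\svchost.com and C:\Windows\directx.sys, the %TEMP%\3582-490 staging directory), flags a handful of the Program Files executables the report lists if they were rewritten recently, and with its own -Remediate switch restores the handler before removing the dropped files. The -Remediate parameter, the chosen subset of targets and the 30-day cutoff are assumptions of this example.

```powershell
# Added host-triage example for the Neshta artifacts recorded in this report.
# Not part of the sandbox report or of any vendor tool. Run from an elevated
# PowerShell 4.0+ session (Get-FileHash does not exist in older versions).
# -Remediate is this script's own switch (an assumption, not from the report).
[CmdletBinding()]
param(
    [switch]$Remediate
)

$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. Registry hijack from the report: exefile\shell\open\command rewritten to
#    C:\Windows\svchost.com "%1" %*. The Windows default value is "%1" %*.
$exefileKey     = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command'
$defaultHandler = '"%1" %*'
$currentHandler = (Get-ItemProperty -Path $exefileKey).'(default)'
if ($currentHandler -ne $defaultHandler) {
    $findings.Add("exefile handler is not the default: $currentHandler")
}

# 2. Files and directory the report shows being written.
$artifacts = @(
    (Join-Path $env:SystemRoot 'svchost.com'),
    (Join-Path $env:SystemRoot 'directx.sys'),
    (Join-Path $env:TEMP       '3582-490')
)
foreach ($path in $artifacts) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $item = Get-Item -LiteralPath $path -Force
    if ($item.PSIsContainer) {
        $findings.Add("staging directory present: $path (written $($item.LastWriteTime))")
    } else {
        $sha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings.Add("dropped file present: $path sha256=$sha256 written $($item.LastWriteTime)")
    }
}

# 3. A few of the Program Files executables the report lists as opened for
#    modification. Short (8.3) names are kept as the report shows them; they
#    resolve on the system volume, where 8.3 name generation is on by default.
#    A vendor binary rewritten inside the suspected infection window is a
#    candidate for hash comparison against a known-clean copy.
$reportedTargets = @(
    'C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE',
    'C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE',
    'C:\PROGRA~2\INTERN~1\ieinstal.exe',
    'C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe',
    'C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe'
)
$cutoff = (Get-Date).AddDays(-30)   # assumption: set to the suspected infection window
foreach ($target in $reportedTargets) {
    if (-not (Test-Path -LiteralPath $target)) { continue }
    $exe = Get-Item -LiteralPath $target
    if ($exe.LastWriteTime -gt $cutoff) {
        $findings.Add("recently modified target: $($exe.FullName) $($exe.Length) bytes, written $($exe.LastWriteTime)")
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Neshta artifacts found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}

# 4. Remediation order matters. Restore the handler first: if svchost.com is
#    removed while the hijack is still in place, no .exe can start on the host,
#    including the tools needed to finish the cleanup.
if ($Remediate -and $currentHandler -ne $defaultHandler) {
    Set-ItemProperty -Path $exefileKey -Name '(default)' -Value $defaultHandler
    Write-Output "exefile handler restored to $defaultHandler"
    foreach ($path in $artifacts) {
        if (Test-Path -LiteralPath $path) {
            Remove-Item -LiteralPath $path -Recurse -Force
            Write-Output "removed $path"
        }
    }
}
```

Restoring the handler and deleting the dropped files stops the hijack but does not disinfect the executables the sample already modified: each of them still carries the Neshta body and will recreate svchost.com and the registry value the next time it runs. Those files need to be restored from clean media or cleaned with a tool that understands the infection format, and the Program Files targets listed in the report are the first place to look.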
Processes
-
1⤵ C:\Users\Admin\AppData\Local\Temp\8e113fccdafba84e2b6b7d89e8a986cb812841733bcfbef3c06180dc479d995aN.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8e113fccdafba84e2b6b7d89e8a986cb812841733bcfbef3c06180dc479d995aN.exe"
   - Loads dropped DLL
   - Modifies system executable filetype association
   - Drops file in Program Files directory
   - Drops file in Windows directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID:1684
2⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8e113fccdafba84e2b6b7d89e8a986cb812841733bcfbef3c06180dc479d995aN.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\8e113fccdafba84e2b6b7d89e8a986cb812841733bcfbef3c06180dc479d995aN.exe"
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in Program Files directory
   - Suspicious use of WriteProcessMemory
   PID:2920
3⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID:2832
4⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID:2056
5⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID:2648
6⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   - Executes dropped EXE
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
   PID:2644
7⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID:2868
8⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID:2580
9⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID:2628
10⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID:2504
11⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID:2612
12⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID:324
13⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID:600
14⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID:692
15⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID:1476
16⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID:1848
17⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in Windows directory
   PID:2312
18⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   - Executes dropped EXE
   PID:1528
19⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   PID:1296
20⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   - Executes dropped EXE
   PID:1544
21⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in Windows directory
   PID:2252
22⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   - Executes dropped EXE
   PID:1980
23⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
   PID:1924
24⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   PID:2676
25⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
   PID:2192
26⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   - Executes dropped EXE
   PID:408
27⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
   PID:1256
28⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   PID:1636
29⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
   PID:3064
30⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   - Executes dropped EXE
   PID:768
31⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in Windows directory
   PID:1928
32⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   PID:1228
33⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
   PID:860
34⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   - Executes dropped EXE
   PID:2204
35⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
   PID:1712
36⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   - Executes dropped EXE
   PID:2860
37⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
   PID:3048
38⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   - Executes dropped EXE
   PID:2776
39⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
   PID:2640
40⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   - Executes dropped EXE
   - Drops file in Windows directory
   PID:2528
41⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
   PID:2808
42⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   - Executes dropped EXE
   PID:2816
43⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
   PID:2604
44⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   - Executes dropped EXE
   PID:2508
45⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
   PID:2828
46⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   - Executes dropped EXE
   PID:1776
47⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
   PID:1652
48⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   - Executes dropped EXE
   PID:568
49⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in Windows directory
   PID:1484
50⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   - Executes dropped EXE
   PID:556
51⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   PID:2020
52⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   - Executes dropped EXE
   PID:1432
53⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   - Executes dropped EXE
   - Loads dropped DLL
   PID:2008
54⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   - Executes dropped EXE
   PID:1284
55⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   - Executes dropped EXE
   PID:2552
56⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   - Executes dropped EXE
   PID:2312
57⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   - Executes dropped EXE
   PID:2024
58⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   PID:1796
59⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   - Executes dropped EXE
   PID:2264
60⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   - Executes dropped EXE
   PID:2468
61⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   - Executes dropped EXE
   PID:1956
62⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   - Executes dropped EXE
   PID:1948
63⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   - Executes dropped EXE
   PID:2716
64⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   - Executes dropped EXE
   PID:3044
65⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   - Executes dropped EXE
   PID:1924
66⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   PID:1576
67⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   - System Location Discovery: System Language Discovery
   PID:1140
68⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   - System Location Discovery: System Language Discovery
   PID:2368
69⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   PID:1192
70⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   - System Location Discovery: System Language Discovery
   PID:2080
71⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   PID:696
72⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   PID:1160
73⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   PID:896
74⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   PID:2200
75⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   PID:2072
76⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   PID:2232
77⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   - System Location Discovery: System Language Discovery
   PID:992
78⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   - System Location Discovery: System Language Discovery
   PID:2412
79⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   PID:1520
80⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   PID:2112
81⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   PID:1904
82⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   - Drops file in Windows directory
   PID:1052
83⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   - System Location Discovery: System Language Discovery
   PID:2856
84⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   PID:2836
85⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   PID:2600
86⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   PID:2768
87⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   - System Location Discovery: System Language Discovery
   PID:3048
88⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   PID:2872
89⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   PID:2640
90⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   PID:2824
91⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   PID:2664
92⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   PID:2812
93⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   PID:2536
94⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   - Drops file in Windows directory
   PID:2508
95⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   PID:2972
96⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   PID:2952
97⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   PID:112
98⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   PID:2612
99⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   - Drops file in Windows directory
   PID:1492
100⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   PID:1484
101⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   PID:1992
102⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   - Drops file in Windows directory
   PID:1976
103⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   PID:1804
104⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   PID:2008
105⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   PID:2280
106⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   PID:2304
107⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   - System Location Discovery: System Language Discovery
   PID:1788
108⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   PID:1796
109⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   PID:2316
110⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   - System Location Discovery: System Language Discovery
   PID:2468
111⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   PID:2560
112⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   PID:1956
113⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   PID:2716
114⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   - Drops file in Windows directory
   PID:2532
115⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   - Drops file in Windows directory
   PID:908
116⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   PID:1608
117⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   PID:3000
118⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   PID:3032
119⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   PID:1340
120⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   PID:2080
121⤵ C:\Windows\svchost.com
   Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE"
   - System Location Discovery: System Language Discovery
   PID:1540
122⤵ C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\8E113F~1.EXE
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   PID:1640