Analysis
max time kernel: 118s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 26-01-2025 21:49
Behavioral task: behavioral1
Sample: 3c89537f3f78c9943a03ecba118fa6434a92e992ffeef8b70a6966272ea96236.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 3c89537f3f78c9943a03ecba118fa6434a92e992ffeef8b70a6966272ea96236.exe
Resource: win10v2004-20241007-en
General
Target: 3c89537f3f78c9943a03ecba118fa6434a92e992ffeef8b70a6966272ea96236.exe
Size: 3.3MB
MD5: 70aa341fcacbabd0dd857f91b23b5649
SHA1: f5ac5b932c9730579d8cea4edeb47d66220d6299
SHA256: 3c89537f3f78c9943a03ecba118fa6434a92e992ffeef8b70a6966272ea96236
SHA512: 1be761410c91fb1e5d4d635a6cdbadb68c8fd30d63e9486889655351ac0feb1224fd2a12e4e70f256162da6fb0ee49be3cff39e2a58cc688f1db147f3dd67d97
SSDEEP: 49152:nglZ4ThD+gGTZbqZK95S4pTiX2EUqMzADxulO7Udq+KqOuBk7bVnU7woM2JtY:bs6Gwxul1EE4wJ
Malware Config
Signatures
Detect Neshta payload 64 IoCs
Neshta
Malware from the Neshta family is a file infector: it injects itself into other executable files in order to spread and cause damage.
Neshta family
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Modifies system executable filetype association 2 TTPs 1 IoCs
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" (process: 3c89537f3f78c9943a03ecba118fa6434a92e992ffeef8b70a6966272ea96236.exe)
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 1 IoCs
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" (process: 3c89537f3f78c9943a03ecba118fa6434a92e992ffeef8b70a6966272ea96236.exe)
Suspicious use of WriteProcessMemory 64 IoCs
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\3c89537f3f78c9943a03ecba118fa6434a92e992ffeef8b70a6966272ea96236.exe | cmd: "C:\Users\Admin\AppData\Local\Temp\3c89537f3f78c9943a03ecba118fa6434a92e992ffeef8b70a6966272ea96236.exe"
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 2776
- [depth 2] C:\Users\Admin\AppData\Local\Temp\3582-490\3c89537f3f78c9943a03ecba118fa6434a92e992ffeef8b70a6966272ea96236.exe | cmd: "C:\Users\Admin\AppData\Local\Temp\3582-490\3c89537f3f78c9943a03ecba118fa6434a92e992ffeef8b70a6966272ea96236.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID: 2708
- [depth 3] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2652
- [depth 4] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2728
- [depth 5] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2544
- [depth 6] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1056
- [depth 7] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2236
- [depth 8] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1160
- [depth 9] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1276
- [depth 10] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2484
- [depth 11] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 584
- [depth 12] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID: 692
- [depth 13] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2892
- [depth 14] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2060
- [depth 15] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 476
- [depth 16] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2208
- [depth 17] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 444
- [depth 18] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  - Executes dropped EXE
  PID: 1692
- [depth 19] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID: 2524
- [depth 20] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  - Executes dropped EXE
  PID: 1940
- [depth 21] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID: 1000
- [depth 22] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  - Executes dropped EXE
  - Drops file in Windows directory
  PID: 2196
- [depth 23] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 1540
- [depth 24] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  - Executes dropped EXE
  PID: 2336
- [depth 25] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 1636
- [depth 26] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 2140
- [depth 27] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 2304
- [depth 28] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  - Executes dropped EXE
  PID: 900
- [depth 29] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 1572
- [depth 30] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  - Executes dropped EXE
  PID: 1984
- [depth 31] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 2508
- [depth 32] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  - Executes dropped EXE
  - Drops file in Windows directory
  PID: 1612
- [depth 33] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 2856
- [depth 34] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  - Executes dropped EXE
  PID: 2728
- [depth 35] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID: 1056
- [depth 36] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID: 1240
- [depth 37] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 1160
- [depth 38] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 1840
- [depth 39] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 2684
- [depth 40] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  - Executes dropped EXE
  PID: 2868
- [depth 41] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID: 2924
- [depth 42] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  - Executes dropped EXE
  PID: 2900
- [depth 43] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID: 2876
- [depth 44] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  - Executes dropped EXE
  PID: 596
- [depth 45] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 2144
- [depth 46] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  - Executes dropped EXE
  - Drops file in Windows directory
  PID: 1780
- [depth 47] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID: 3036
- [depth 48] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  - Executes dropped EXE
  PID: 1088
- [depth 49] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 2384
- [depth 50] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  - Executes dropped EXE
  PID: 1028
- [depth 51] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID: 1836
- [depth 52] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  - Executes dropped EXE
  PID: 2244
- [depth 53] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 2504
- [depth 54] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  - Executes dropped EXE
  PID: 636
- [depth 55] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 884
- [depth 56] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  - Executes dropped EXE
  PID: 2360
- [depth 57] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 1560
- [depth 58] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  - Executes dropped EXE
  PID: 1616
- [depth 59] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 340
- [depth 60] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  - Executes dropped EXE
  PID: 1324
- [depth 61] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  - Executes dropped EXE
  PID: 1744
- [depth 62] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  - Executes dropped EXE
  PID: 1544
- [depth 63] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  - Executes dropped EXE
  PID: 816
- [depth 64] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 1872
- [depth 65] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  - Executes dropped EXE
  PID: 2940
- [depth 66] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  PID: 1964
- [depth 67] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  - System Location Discovery: System Language Discovery
  PID: 2312
- [depth 68] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  PID: 2468
- [depth 69] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  - System Location Discovery: System Language Discovery
  PID: 1608
- [depth 70] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID: 2032
- [depth 71] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  PID: 2612
- [depth 72] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  PID: 2604
- [depth 73] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  - System Location Discovery: System Language Discovery
  PID: 2628
- [depth 74] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  PID: 1456
- [depth 75] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  - System Location Discovery: System Language Discovery
  PID: 2544
- [depth 76] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  PID: 1272
- [depth 77] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  PID: 1144
- [depth 78] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  PID: 2236
- [depth 79] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  - Drops file in Windows directory
  PID: 2916
- [depth 80] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  PID: 1736
- [depth 81] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  - Drops file in Windows directory
  PID: 2396
- [depth 82] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  - Drops file in Windows directory
  PID: 2864
- [depth 83] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  - Drops file in Windows directory
  PID: 2784
- [depth 84] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  PID: 2948
- [depth 85] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  PID: 2536
- [depth 86] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  PID: 1760
- [depth 87] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  PID: 1388
- [depth 88] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  - System Location Discovery: System Language Discovery
  PID: 2076
- [depth 89] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  - Drops file in Windows directory
  PID: 2164
- [depth 90] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  PID: 2852
- [depth 91] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  PID: 3024
- [depth 92] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  PID: 2228
- [depth 93] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  - Drops file in Windows directory
  PID: 1992
- [depth 94] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  PID: 1300
- [depth 95] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  PID: 444
- [depth 96] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  PID: 2316
- [depth 97] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  - System Location Discovery: System Language Discovery
  PID: 696
- [depth 98] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  PID: 1520
- [depth 99] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID: 1816
- [depth 100] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  PID: 1000
- [depth 101] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  PID: 1864
- [depth 102] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  PID: 2024
- [depth 103] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  PID: 2264
- [depth 104] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  - Drops file in Windows directory
  PID: 1756
- [depth 105] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  - System Location Discovery: System Language Discovery
  PID: 1684
- [depth 106] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  - System Location Discovery: System Language Discovery
  PID: 2444
- [depth 107] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  - System Location Discovery: System Language Discovery
  PID: 2324
- [depth 108] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  PID: 2512
- [depth 109] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  - Drops file in Windows directory
  PID: 1016
- [depth 110] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  PID: 2140
- [depth 111] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  - Drops file in Windows directory
  PID: 1976
- [depth 112] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  PID: 1984
- [depth 113] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  PID: 1776
- [depth 114] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  PID: 2836
- [depth 115] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  - System Location Discovery: System Language Discovery
  PID: 2680
- [depth 116] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  PID: 1612
- [depth 117] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  PID: 2624
- [depth 118] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  - System Location Discovery: System Language Discovery
  PID: 1348
- [depth 119] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  - System Location Discovery: System Language Discovery
  PID: 2628
- [depth 120] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  PID: 2248
- [depth 121] C:\Windows\svchost.com | cmd: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID: 2544
- [depth 122] C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE | cmd: C:\Users\Admin\AppData\Local\Temp\3582-490\3C8953~1.EXE
  PID: 1056