Analysis
-
max time kernel
75s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
17-12-2024 05:24
Behavioral task
behavioral1
Sample
bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe
Resource
win10v2004-20241007-en
General
-
Target
bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe
-
Size
186KB
-
MD5
e14a06b2ad96a52868902869a5f13e90
-
SHA1
20c3915c279a8703f1cdab644a9185e65987df7f
-
SHA256
bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0
-
SHA512
a5990276f674bb39942bfe87357d5b40edeb85502e6d388ffcb1c094f55dabdd1cfc402369bfea9bc4bfa72fee139c24f40d28c95fcd253e43d7afa53b546f30
-
SSDEEP
3072:sr85CkkbAYn2GgYlBYN2fHYTo+JZr85Czr85C:k9xbAMpgY3gTD9P9
Malware Config
Signatures
-
Detect Neshta payload 64 IoCs
resource yara_rule behavioral1/files/0x00060000000191fd-6.dat family_neshta behavioral1/files/0x0006000000019217-13.dat family_neshta behavioral1/files/0x0001000000010318-20.dat family_neshta behavioral1/files/0x0001000000010316-19.dat family_neshta behavioral1/files/0x001400000000f842-17.dat family_neshta behavioral1/files/0x005b00000001032b-16.dat family_neshta behavioral1/memory/1760-30-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2772-31-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2696-44-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2820-43-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2784-59-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1824-58-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2556-73-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2972-72-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1356-87-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/288-86-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2016-100-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/852-101-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1788-114-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1624-115-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/768-127-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2000-128-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/952-148-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2372-151-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta 
behavioral1/files/0x000100000000f7dd-141.dat family_neshta behavioral1/memory/972-169-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1076-168-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/800-186-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/596-185-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1644-198-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1232-197-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2344-212-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2104-211-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/984-220-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2436-219-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2444-234-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1604-233-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2824-245-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/3036-244-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2864-271-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2676-270-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2536-291-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2564-290-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2560-299-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2620-298-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1816-307-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta 
behavioral1/memory/1372-306-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1900-320-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1256-319-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1868-330-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/640-329-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1956-340-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1984-339-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/532-348-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1768-347-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/768-356-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2204-355-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2380-363-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2208-364-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2156-372-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2876-371-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/972-380-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1312-379-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/3004-387-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta -
Neshta
Malware from the Neshta family injects itself into other files in order to spread itself and cause damage.
-
Neshta family
-
Executes dropped EXE 64 IoCs
pid Process 2440 bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe 1760 svchost.com 2772 BF138D~1.EXE 2696 svchost.com 2820 BF138D~1.EXE 2784 svchost.com 1824 BF138D~1.EXE 2556 svchost.com 2972 BF138D~1.EXE 1356 svchost.com 288 BF138D~1.EXE 852 svchost.com 2016 BF138D~1.EXE 1624 svchost.com 1788 BF138D~1.EXE 2000 svchost.com 768 BF138D~1.EXE 2372 svchost.com 952 BF138D~1.EXE 972 svchost.com 1076 BF138D~1.EXE 800 svchost.com 596 BF138D~1.EXE 1644 svchost.com 1232 BF138D~1.EXE 2344 svchost.com 2104 BF138D~1.EXE 984 svchost.com 2436 BF138D~1.EXE 2444 svchost.com 1604 BF138D~1.EXE 2824 svchost.com 3036 BF138D~1.EXE 2864 svchost.com 2676 BF138D~1.EXE 2564 svchost.com 2536 BF138D~1.EXE 2620 svchost.com 2560 BF138D~1.EXE 1816 svchost.com 1372 BF138D~1.EXE 1900 svchost.com 1256 BF138D~1.EXE 1868 svchost.com 640 BF138D~1.EXE 1984 svchost.com 1956 BF138D~1.EXE 532 svchost.com 1768 BF138D~1.EXE 768 svchost.com 2204 BF138D~1.EXE 2380 svchost.com 2208 BF138D~1.EXE 2156 svchost.com 2876 BF138D~1.EXE 972 svchost.com 1312 BF138D~1.EXE 2520 svchost.com 3004 BF138D~1.EXE 596 svchost.com 564 BF138D~1.EXE 1472 svchost.com 2080 BF138D~1.EXE 1700 svchost.com -
Loads dropped DLL 64 IoCs
pid Process 1916 bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe 1916 bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe 1760 svchost.com 1760 svchost.com 2696 svchost.com 2696 svchost.com 2784 svchost.com 2784 svchost.com 2556 svchost.com 2556 svchost.com 1356 svchost.com 1356 svchost.com 852 svchost.com 852 svchost.com 1624 svchost.com 1624 svchost.com 2000 svchost.com 2000 svchost.com 2372 svchost.com 2372 svchost.com 1916 bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe 972 svchost.com 972 svchost.com 2440 bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe 800 svchost.com 800 svchost.com 1644 svchost.com 1644 svchost.com 2344 svchost.com 2344 svchost.com 984 svchost.com 984 svchost.com 2444 svchost.com 2444 svchost.com 2824 svchost.com 2824 svchost.com 2864 svchost.com 2864 svchost.com 2564 svchost.com 2564 svchost.com 2620 svchost.com 2620 svchost.com 1816 svchost.com 1816 svchost.com 1900 svchost.com 1900 svchost.com 1868 svchost.com 1868 svchost.com 1984 svchost.com 1984 svchost.com 532 svchost.com 532 svchost.com 768 svchost.com 768 svchost.com 2380 svchost.com 2380 svchost.com 2156 svchost.com 2156 svchost.com 972 svchost.com 972 svchost.com 2520 svchost.com 2520 svchost.com 596 svchost.com 596 svchost.com -
Modifies system executable filetype association 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
-
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\WINDOW~1\WinMail.exe bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE 
bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\misc.exe bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe 
bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\WINDOW~4\ImagingDevices.exe bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\WINDOW~1\WinMail.exe bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification 
C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\WINDOW~1\wabmig.exe bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\WI54FB~1\WMPDMC.exe bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification 
C:\PROGRA~2\WI54FB~1\wmprph.exe bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys BF138D~1.EXE File opened for modification C:\Windows\directx.sys BF138D~1.EXE File opened for modification C:\Windows\svchost.com BF138D~1.EXE File opened for modification C:\Windows\directx.sys BF138D~1.EXE File opened for modification C:\Windows\svchost.com BF138D~1.EXE File opened for modification C:\Windows\svchost.com BF138D~1.EXE File opened for modification C:\Windows\svchost.com BF138D~1.EXE File opened for modification C:\Windows\directx.sys BF138D~1.EXE File opened for modification C:\Windows\svchost.com BF138D~1.EXE File opened for modification C:\Windows\svchost.com BF138D~1.EXE File opened for modification C:\Windows\svchost.com BF138D~1.EXE File opened for modification C:\Windows\directx.sys BF138D~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys BF138D~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys BF138D~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com BF138D~1.EXE File opened for modification C:\Windows\svchost.com BF138D~1.EXE File opened for modification C:\Windows\svchost.com BF138D~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com BF138D~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys BF138D~1.EXE File opened for modification C:\Windows\directx.sys BF138D~1.EXE File opened for modification 
C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys BF138D~1.EXE File opened for modification C:\Windows\svchost.com BF138D~1.EXE File opened for modification C:\Windows\directx.sys BF138D~1.EXE File opened for modification C:\Windows\svchost.com BF138D~1.EXE File opened for modification C:\Windows\directx.sys BF138D~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com BF138D~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com BF138D~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com BF138D~1.EXE File opened for modification C:\Windows\svchost.com BF138D~1.EXE File opened for modification C:\Windows\directx.sys BF138D~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com BF138D~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys BF138D~1.EXE File opened for modification C:\Windows\svchost.com BF138D~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com BF138D~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys BF138D~1.EXE File opened for modification C:\Windows\svchost.com BF138D~1.EXE File opened for modification 
C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com BF138D~1.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BF138D~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BF138D~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BF138D~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BF138D~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BF138D~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BF138D~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BF138D~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BF138D~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BF138D~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BF138D~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BF138D~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BF138D~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BF138D~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BF138D~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BF138D~1.EXE Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BF138D~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BF138D~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BF138D~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BF138D~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BF138D~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BF138D~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BF138D~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BF138D~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BF138D~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BF138D~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BF138D~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BF138D~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BF138D~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BF138D~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BF138D~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BF138D~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BF138D~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BF138D~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BF138D~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BF138D~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com -
Modifies registry class 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1916 wrote to memory of 2440 1916 bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe 31 PID 1916 wrote to memory of 2440 1916 bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe 31 PID 1916 wrote to memory of 2440 1916 bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe 31 PID 1916 wrote to memory of 2440 1916 bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe 31 PID 2440 wrote to memory of 1760 2440 bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe 32 PID 2440 wrote to memory of 1760 2440 bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe 32 PID 2440 wrote to memory of 1760 2440 bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe 32 PID 2440 wrote to memory of 1760 2440 bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe 32 PID 1760 wrote to memory of 2772 1760 svchost.com 33 PID 1760 wrote to memory of 2772 1760 svchost.com 33 PID 1760 wrote to memory of 2772 1760 svchost.com 33 PID 1760 wrote to memory of 2772 1760 svchost.com 33 PID 2772 wrote to memory of 2696 2772 BF138D~1.EXE 34 PID 2772 wrote to memory of 2696 2772 BF138D~1.EXE 34 PID 2772 wrote to memory of 2696 2772 BF138D~1.EXE 34 PID 2772 wrote to memory of 2696 2772 BF138D~1.EXE 34 PID 2696 wrote to memory of 2820 2696 svchost.com 35 PID 2696 wrote to memory of 2820 2696 svchost.com 35 PID 2696 wrote to memory of 2820 2696 svchost.com 35 PID 2696 wrote to memory of 2820 2696 svchost.com 35 PID 2820 wrote to memory of 2784 2820 BF138D~1.EXE 36 PID 2820 wrote to memory of 2784 2820 BF138D~1.EXE 36 PID 2820 wrote to memory of 2784 2820 BF138D~1.EXE 36 PID 2820 wrote to memory of 2784 2820 BF138D~1.EXE 36 PID 2784 wrote to memory of 1824 2784 svchost.com 37 PID 2784 wrote to memory of 1824 2784 svchost.com 37 PID 2784 wrote to memory of 1824 2784 svchost.com 37 PID 2784 wrote to memory of 1824 2784 svchost.com 37 PID 
1824 wrote to memory of 2556 1824 BF138D~1.EXE 38 PID 1824 wrote to memory of 2556 1824 BF138D~1.EXE 38 PID 1824 wrote to memory of 2556 1824 BF138D~1.EXE 38 PID 1824 wrote to memory of 2556 1824 BF138D~1.EXE 38 PID 2556 wrote to memory of 2972 2556 svchost.com 39 PID 2556 wrote to memory of 2972 2556 svchost.com 39 PID 2556 wrote to memory of 2972 2556 svchost.com 39 PID 2556 wrote to memory of 2972 2556 svchost.com 39 PID 2972 wrote to memory of 1356 2972 BF138D~1.EXE 115 PID 2972 wrote to memory of 1356 2972 BF138D~1.EXE 115 PID 2972 wrote to memory of 1356 2972 BF138D~1.EXE 115 PID 2972 wrote to memory of 1356 2972 BF138D~1.EXE 115 PID 1356 wrote to memory of 288 1356 svchost.com 41 PID 1356 wrote to memory of 288 1356 svchost.com 41 PID 1356 wrote to memory of 288 1356 svchost.com 41 PID 1356 wrote to memory of 288 1356 svchost.com 41 PID 288 wrote to memory of 852 288 BF138D~1.EXE 42 PID 288 wrote to memory of 852 288 BF138D~1.EXE 42 PID 288 wrote to memory of 852 288 BF138D~1.EXE 42 PID 288 wrote to memory of 852 288 BF138D~1.EXE 42 PID 852 wrote to memory of 2016 852 svchost.com 43 PID 852 wrote to memory of 2016 852 svchost.com 43 PID 852 wrote to memory of 2016 852 svchost.com 43 PID 852 wrote to memory of 2016 852 svchost.com 43 PID 2016 wrote to memory of 1624 2016 BF138D~1.EXE 44 PID 2016 wrote to memory of 1624 2016 BF138D~1.EXE 44 PID 2016 wrote to memory of 1624 2016 BF138D~1.EXE 44 PID 2016 wrote to memory of 1624 2016 BF138D~1.EXE 44 PID 1624 wrote to memory of 1788 1624 svchost.com 45 PID 1624 wrote to memory of 1788 1624 svchost.com 45 PID 1624 wrote to memory of 1788 1624 svchost.com 45 PID 1624 wrote to memory of 1788 1624 svchost.com 45 PID 1788 wrote to memory of 2000 1788 BF138D~1.EXE 46 PID 1788 wrote to memory of 2000 1788 BF138D~1.EXE 46 PID 1788 wrote to memory of 2000 1788 BF138D~1.EXE 46 PID 1788 wrote to memory of 2000 1788 BF138D~1.EXE 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe"C:\Users\Admin\AppData\Local\Temp\bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe"1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Users\Admin\AppData\Local\Temp\3582-490\bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\bf138d875d511ee480e026ff5b7875182fde703bc1df6f84c316f0a7775e45b0N.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1356 -
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE12⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:288 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:852 -
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1788 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2000 -
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE18⤵
- Executes dropped EXE
PID:768 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2372 -
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE20⤵
- Executes dropped EXE
PID:952 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:972 -
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE22⤵
- Executes dropped EXE
PID:1076 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:800 -
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE24⤵
- Executes dropped EXE
PID:596 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1644 -
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1232 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2344 -
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE28⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:984 -
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE30⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2444 -
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE32⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"33⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2824 -
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE34⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"35⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2864 -
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE36⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"37⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2564 -
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE38⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"39⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2620 -
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE40⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"41⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1816 -
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1372 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"43⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1900 -
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE44⤵
- Executes dropped EXE
PID:1256 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"45⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1868 -
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE46⤵
- Executes dropped EXE
PID:640 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"47⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1984 -
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE48⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"49⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:532 -
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE50⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"51⤵
- Executes dropped EXE
- Loads dropped DLL
PID:768 -
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE52⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"53⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2380 -
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE54⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"55⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2156 -
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE56⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"57⤵
- Executes dropped EXE
- Loads dropped DLL
PID:972 -
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE58⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1312 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"59⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2520 -
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE60⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"61⤵
- Executes dropped EXE
- Loads dropped DLL
PID:596 -
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE62⤵
- Executes dropped EXE
PID:564 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"63⤵
- Executes dropped EXE
PID:1472 -
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE64⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"65⤵
- Executes dropped EXE
PID:1700 -
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE66⤵PID:2168
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"67⤵PID:2948
-
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE68⤵
- System Location Discovery: System Language Discovery
PID:1980 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"69⤵PID:1888
-
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE70⤵PID:1652
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"71⤵PID:2628
-
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE72⤵
- Drops file in Windows directory
PID:2112 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"73⤵
- Drops file in Windows directory
PID:3016 -
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE74⤵PID:2652
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"75⤵
- Drops file in Windows directory
PID:1760 -
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE76⤵PID:2792
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"77⤵
- System Location Discovery: System Language Discovery
PID:2700 -
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE78⤵
- System Location Discovery: System Language Discovery
PID:2596 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"79⤵PID:2832
-
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE80⤵PID:2632
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"81⤵PID:2664
-
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE82⤵
- Drops file in Windows directory
PID:2608 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"83⤵PID:2248
-
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE84⤵PID:2560
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"85⤵PID:2732
-
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE86⤵PID:1356
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"87⤵PID:1996
-
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE88⤵PID:2272
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"89⤵PID:1612
-
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE90⤵PID:1696
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"91⤵PID:640
-
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE92⤵PID:680
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"93⤵PID:1960
-
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE94⤵PID:2912
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"95⤵PID:1768
-
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE96⤵PID:1308
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"97⤵PID:2204
-
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE98⤵PID:2380
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"99⤵PID:2524
-
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE100⤵
- Drops file in Windows directory
PID:2332 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"101⤵PID:2880
-
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE102⤵PID:1800
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"103⤵PID:1912
-
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE104⤵PID:1672
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"105⤵PID:2520
-
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE106⤵PID:1660
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"107⤵PID:564
-
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE108⤵PID:1580
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"109⤵
- Drops file in Windows directory
PID:2376 -
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE110⤵PID:2904
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"111⤵PID:1884
-
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE112⤵
- System Location Discovery: System Language Discovery
PID:788 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"113⤵
- System Location Discovery: System Language Discovery
PID:984 -
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE114⤵PID:2288
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"115⤵PID:2840
-
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE116⤵PID:2624
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"117⤵PID:2692
-
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE118⤵PID:3016
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"119⤵PID:2772
-
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE120⤵PID:2800
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE"121⤵PID:2676
-
C:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\BF138D~1.EXE122⤵PID:2656