Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
24-01-2025 00:43
Behavioral task
behavioral1
Sample
5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe
Resource
win10v2004-20241007-en
General
-
Target
5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe
-
Size
3.8MB
-
MD5
57036bd9f7b0b519e69c5988aeeb9063
-
SHA1
b57bd9bc6567cab34a322a24c9f2bf2415cb3447
-
SHA256
5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85
-
SHA512
dc91d4012f2f27c0e01c8d69aee060f3d912840c49f5f070f7289e32dcd0a49abefe82736da71ead79943078e3b165910ab8378487aabf9616258d8c078f969f
-
SSDEEP
49152:cGUtTof95iMXSm3KRgVTe/zz9ABmRTH9SWR9cqpqHLqTC6:aqSBA0uWRd6
Malware Config
Signatures
-
Detect Neshta payload 64 IoCs
resource yara_rule behavioral1/files/0x0008000000016ce8-2.dat family_neshta behavioral1/files/0x001700000000f7f7-16.dat family_neshta behavioral1/files/0x001400000001033a-15.dat family_neshta behavioral1/files/0x0007000000016d04-14.dat family_neshta behavioral1/files/0x0001000000010312-18.dat family_neshta behavioral1/files/0x0001000000010314-55.dat family_neshta behavioral1/memory/1048-152-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2136-168-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2512-256-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2636-280-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2328-328-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1436-327-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/3008-320-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1780-319-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2632-312-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/620-311-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2180-304-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1928-303-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2764-296-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1284-295-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1048-288-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1732-287-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1960-279-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1192-272-0x0000000000400000-0x000000000041B000-memory.dmp 
family_neshta behavioral1/memory/1756-271-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/3060-264-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1696-263-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2088-255-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2552-248-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2688-247-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2736-240-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2544-239-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1640-232-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2300-231-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1500-224-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1692-223-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/3032-216-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1324-215-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1260-208-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/3004-207-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/3008-200-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2204-199-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/620-192-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2972-191-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2220-184-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta 
behavioral1/memory/1792-183-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2180-176-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2128-175-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/916-167-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1732-160-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2892-159-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2264-151-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1516-143-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2392-142-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1756-129-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1612-128-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1192-115-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1620-114-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2588-101-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2888-100-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1472-87-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2868-86-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2016-73-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/760-72-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta -
Neshta
Malware in the Neshta family injects itself into other files in order to spread and cause damage.
-
Neshta family
-
Executes dropped EXE 64 IoCs
pid Process 2612 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe 2732 svchost.com 2968 5BF572~1.EXE 2524 svchost.com 2904 5BF572~1.EXE 2684 svchost.com 2532 5BF572~1.EXE 2016 svchost.com 760 5BF572~1.EXE 1472 svchost.com 2868 5BF572~1.EXE 2588 svchost.com 2888 5BF572~1.EXE 1192 svchost.com 1620 5BF572~1.EXE 1756 svchost.com 1612 5BF572~1.EXE 1516 svchost.com 2392 5BF572~1.EXE 1048 svchost.com 2264 5BF572~1.EXE 1732 svchost.com 2892 5BF572~1.EXE 2136 svchost.com 916 5BF572~1.EXE 2180 svchost.com 2128 5BF572~1.EXE 2220 svchost.com 1792 5BF572~1.EXE 620 svchost.com 2972 5BF572~1.EXE 3008 svchost.com 2204 5BF572~1.EXE 1260 svchost.com 3004 5BF572~1.EXE 3032 svchost.com 1324 5BF572~1.EXE 1500 svchost.com 1692 5BF572~1.EXE 1640 svchost.com 2300 5BF572~1.EXE 2736 svchost.com 2544 5BF572~1.EXE 2552 svchost.com 2688 5BF572~1.EXE 2512 svchost.com 2088 5BF572~1.EXE 3060 svchost.com 1696 5BF572~1.EXE 1192 svchost.com 1756 5BF572~1.EXE 2636 svchost.com 1960 5BF572~1.EXE 1048 svchost.com 1732 5BF572~1.EXE 2764 svchost.com 1284 5BF572~1.EXE 2180 svchost.com 1928 5BF572~1.EXE 2632 svchost.com 620 5BF572~1.EXE 3008 svchost.com 1780 5BF572~1.EXE 2328 svchost.com -
Loads dropped DLL 64 IoCs
pid Process 1956 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe 1956 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe 2732 svchost.com 2732 svchost.com 2524 svchost.com 2524 svchost.com 2684 svchost.com 2684 svchost.com 1956 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe 2016 svchost.com 2016 svchost.com 1472 svchost.com 1472 svchost.com 2588 svchost.com 2588 svchost.com 1192 svchost.com 1192 svchost.com 1756 svchost.com 1756 svchost.com 1516 svchost.com 1516 svchost.com 1048 svchost.com 1048 svchost.com 1732 svchost.com 1732 svchost.com 2136 svchost.com 2136 svchost.com 2180 svchost.com 2180 svchost.com 2220 svchost.com 2220 svchost.com 620 svchost.com 620 svchost.com 3008 svchost.com 3008 svchost.com 1260 svchost.com 1260 svchost.com 3032 svchost.com 3032 svchost.com 1500 svchost.com 1500 svchost.com 1640 svchost.com 1640 svchost.com 2736 svchost.com 2736 svchost.com 2552 svchost.com 2552 svchost.com 2512 svchost.com 2512 svchost.com 3060 svchost.com 3060 svchost.com 1192 svchost.com 1192 svchost.com 2636 svchost.com 2636 svchost.com 1048 svchost.com 1048 svchost.com 2764 svchost.com 2764 svchost.com 2180 svchost.com 2180 svchost.com 2632 svchost.com 2632 svchost.com 3008 svchost.com -
Modifies system executable filetype association 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.
-
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\misc.exe 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\WINDOW~1\wabmig.exe 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File 
opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\WI54FB~1\WMPDMC.exe 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification 
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification 
C:\PROGRA~2\INTERN~1\iexplore.exe 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE 
5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\directx.sys 5BF572~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys 5BF572~1.EXE File opened for modification C:\Windows\svchost.com 5BF572~1.EXE File opened for modification C:\Windows\svchost.com 5BF572~1.EXE File opened for modification C:\Windows\svchost.com 5BF572~1.EXE File opened for modification C:\Windows\directx.sys 5BF572~1.EXE File opened for modification C:\Windows\directx.sys 5BF572~1.EXE File opened for modification C:\Windows\directx.sys 5BF572~1.EXE File opened for modification C:\Windows\directx.sys 5BF572~1.EXE File opened for modification C:\Windows\svchost.com 5BF572~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com 5BF572~1.EXE File opened for modification C:\Windows\directx.sys 5BF572~1.EXE File opened for modification C:\Windows\svchost.com 5BF572~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com 5BF572~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com 5BF572~1.EXE File opened for modification C:\Windows\directx.sys 5BF572~1.EXE File opened for modification C:\Windows\svchost.com 5BF572~1.EXE File opened for modification C:\Windows\directx.sys 5BF572~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys 5BF572~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification 
C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com 5BF572~1.EXE File opened for modification C:\Windows\svchost.com 5BF572~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com 5BF572~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com 5BF572~1.EXE File opened for modification C:\Windows\directx.sys 5BF572~1.EXE File opened for modification C:\Windows\directx.sys 5BF572~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com 5BF572~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com 5BF572~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com 5BF572~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com 5BF572~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys 5BF572~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys 5BF572~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification 
C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys svchost.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5BF572~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5BF572~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5BF572~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5BF572~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5BF572~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5BF572~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5BF572~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5BF572~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5BF572~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5BF572~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5BF572~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5BF572~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5BF572~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5BF572~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5BF572~1.EXE Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5BF572~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5BF572~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5BF572~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5BF572~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5BF572~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5BF572~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5BF572~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5BF572~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5BF572~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5BF572~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5BF572~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5BF572~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5BF572~1.EXE Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5BF572~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5BF572~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5BF572~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5BF572~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5BF572~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5BF572~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5BF572~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5BF572~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5BF572~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5BF572~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5BF572~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5BF572~1.EXE -
Modifies registry class 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1956 wrote to memory of 2612 1956 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe 30 PID 1956 wrote to memory of 2612 1956 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe 30 PID 1956 wrote to memory of 2612 1956 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe 30 PID 1956 wrote to memory of 2612 1956 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe 30 PID 2612 wrote to memory of 2732 2612 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe 138 PID 2612 wrote to memory of 2732 2612 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe 138 PID 2612 wrote to memory of 2732 2612 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe 138 PID 2612 wrote to memory of 2732 2612 5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe 138 PID 2732 wrote to memory of 2968 2732 svchost.com 221 PID 2732 wrote to memory of 2968 2732 svchost.com 221 PID 2732 wrote to memory of 2968 2732 svchost.com 221 PID 2732 wrote to memory of 2968 2732 svchost.com 221 PID 2968 wrote to memory of 2524 2968 5BF572~1.EXE 33 PID 2968 wrote to memory of 2524 2968 5BF572~1.EXE 33 PID 2968 wrote to memory of 2524 2968 5BF572~1.EXE 33 PID 2968 wrote to memory of 2524 2968 5BF572~1.EXE 33 PID 2524 wrote to memory of 2904 2524 svchost.com 34 PID 2524 wrote to memory of 2904 2524 svchost.com 34 PID 2524 wrote to memory of 2904 2524 svchost.com 34 PID 2524 wrote to memory of 2904 2524 svchost.com 34 PID 2904 wrote to memory of 2684 2904 5BF572~1.EXE 35 PID 2904 wrote to memory of 2684 2904 5BF572~1.EXE 35 PID 2904 wrote to memory of 2684 2904 5BF572~1.EXE 35 PID 2904 wrote to memory of 2684 2904 5BF572~1.EXE 35 PID 2684 wrote to memory of 2532 2684 svchost.com 36 PID 2684 wrote to memory of 2532 2684 svchost.com 36 PID 2684 wrote to memory of 2532 2684 svchost.com 36 PID 2684 wrote to memory of 2532 2684 svchost.com 36 PID 
2532 wrote to memory of 2016 2532 5BF572~1.EXE 37 PID 2532 wrote to memory of 2016 2532 5BF572~1.EXE 37 PID 2532 wrote to memory of 2016 2532 5BF572~1.EXE 37 PID 2532 wrote to memory of 2016 2532 5BF572~1.EXE 37 PID 2016 wrote to memory of 760 2016 svchost.com 268 PID 2016 wrote to memory of 760 2016 svchost.com 268 PID 2016 wrote to memory of 760 2016 svchost.com 268 PID 2016 wrote to memory of 760 2016 svchost.com 268 PID 760 wrote to memory of 1472 760 5BF572~1.EXE 39 PID 760 wrote to memory of 1472 760 5BF572~1.EXE 39 PID 760 wrote to memory of 1472 760 5BF572~1.EXE 39 PID 760 wrote to memory of 1472 760 5BF572~1.EXE 39 PID 1472 wrote to memory of 2868 1472 svchost.com 40 PID 1472 wrote to memory of 2868 1472 svchost.com 40 PID 1472 wrote to memory of 2868 1472 svchost.com 40 PID 1472 wrote to memory of 2868 1472 svchost.com 40 PID 2868 wrote to memory of 2588 2868 5BF572~1.EXE 41 PID 2868 wrote to memory of 2588 2868 5BF572~1.EXE 41 PID 2868 wrote to memory of 2588 2868 5BF572~1.EXE 41 PID 2868 wrote to memory of 2588 2868 5BF572~1.EXE 41 PID 2588 wrote to memory of 2888 2588 svchost.com 270 PID 2588 wrote to memory of 2888 2588 svchost.com 270 PID 2588 wrote to memory of 2888 2588 svchost.com 270 PID 2588 wrote to memory of 2888 2588 svchost.com 270 PID 2888 wrote to memory of 1192 2888 5BF572~1.EXE 79 PID 2888 wrote to memory of 1192 2888 5BF572~1.EXE 79 PID 2888 wrote to memory of 1192 2888 5BF572~1.EXE 79 PID 2888 wrote to memory of 1192 2888 5BF572~1.EXE 79 PID 1192 wrote to memory of 1620 1192 svchost.com 44 PID 1192 wrote to memory of 1620 1192 svchost.com 44 PID 1192 wrote to memory of 1620 1192 svchost.com 44 PID 1192 wrote to memory of 1620 1192 svchost.com 44 PID 1620 wrote to memory of 1756 1620 5BF572~1.EXE 275 PID 1620 wrote to memory of 1756 1620 5BF572~1.EXE 275 PID 1620 wrote to memory of 1756 1620 5BF572~1.EXE 275 PID 1620 wrote to memory of 1756 1620 5BF572~1.EXE 275
Processes
-
C:\Users\Admin\AppData\Local\Temp\5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe"C:\Users\Admin\AppData\Local\Temp\5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe"1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\5bf5726e36dbfb948b0ab535f665722688de3a1aae8a35f6931a06cf06cbfb85.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1472 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1192 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1756 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE18⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1516 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE20⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2392 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1048 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2264 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1732 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE24⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2136 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE26⤵
- Executes dropped EXE
PID:916 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2180 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2128 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2220 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE30⤵
- Executes dropped EXE
PID:1792 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:620 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE32⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3008 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE34⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"35⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1260 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE36⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"37⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3032 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE38⤵
- Executes dropped EXE
PID:1324 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"39⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1500 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE40⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"41⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1640 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE42⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"43⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2736 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE44⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"45⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2552 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE46⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"47⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2512 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE48⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"49⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3060 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE50⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"51⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1192 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE52⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"53⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2636 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE54⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"55⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1048 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE56⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"57⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2764 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE58⤵
- Executes dropped EXE
PID:1284 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"59⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2180 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1928 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"61⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2632 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE62⤵
- Executes dropped EXE
PID:620 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"63⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3008 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE64⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"65⤵
- Executes dropped EXE
PID:2328 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE66⤵
- System Location Discovery: System Language Discovery
PID:1436 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"67⤵PID:2468
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE68⤵PID:1764
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"69⤵PID:2628
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE70⤵PID:2744
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"71⤵PID:2428
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE72⤵PID:2960
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"73⤵PID:1236
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE74⤵
- Drops file in Windows directory
PID:1068 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"75⤵PID:1644
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE76⤵PID:1576
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"77⤵PID:2636
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE78⤵
- Drops file in Windows directory
PID:1064 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"79⤵PID:2940
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE80⤵
- System Location Discovery: System Language Discovery
PID:2828 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"81⤵
- Drops file in Windows directory
PID:2692 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE82⤵
- System Location Discovery: System Language Discovery
PID:1744 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"83⤵PID:2632
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE84⤵PID:1392
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"85⤵PID:2776
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE86⤵PID:1672
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"87⤵PID:2184
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE88⤵PID:2736
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"89⤵PID:1240
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE90⤵PID:1980
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"91⤵PID:308
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE92⤵
- System Location Discovery: System Language Discovery
PID:2504 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"93⤵PID:1308
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE94⤵
- Drops file in Windows directory
PID:2164 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"95⤵PID:2212
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE96⤵PID:1632
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"97⤵PID:2032
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE98⤵PID:1952
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"99⤵PID:1908
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE100⤵PID:2520
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"101⤵PID:2480
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE102⤵PID:1700
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"103⤵
- Drops file in Windows directory
PID:932 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE104⤵PID:2652
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"105⤵PID:872
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE106⤵PID:2764
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"107⤵
- System Location Discovery: System Language Discovery
PID:1236 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE108⤵PID:1600
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"109⤵PID:1308
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE110⤵PID:2732
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"111⤵
- System Location Discovery: System Language Discovery
PID:2100 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE112⤵PID:2456
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"113⤵PID:2132
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE114⤵PID:2588
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"115⤵
- System Location Discovery: System Language Discovery
PID:1788 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE116⤵PID:2784
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"117⤵PID:884
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE118⤵PID:748
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"119⤵
- System Location Discovery: System Language Discovery
PID:1048 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE120⤵PID:2492
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE"121⤵PID:2940
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5BF572~1.EXE122⤵
- Drops file in Windows directory
PID:2220