Analysis
max time kernel: 1800s
max time network: 1804s
platform: windows7_x64
resource: win7-20220414-en
submitted: 12-06-2022 15:34
General
Target: Server.exe
Size: 36KB
MD5: 7d7c8113cb04320f4dcf35a3c0249c7f
SHA1: 46c5ab4281ce97e99b2b77166f481d0e8aee08bb
SHA256: 593c6b4b7701ca3bd566f8871686f8108293971125305e71f7679751faa7af83
SHA512: 0dbb66b036e0410960a3cd698aaebbd0283713ca4ac41c8eb67484bfaf8168b46fd3581997da817cbcce1e762d4519bbf6e29ff053be222e096d1c93c263dccf
Malware Config
Extracted
Family: njrat
Version: im523
Botnet: HacKed
C2: 4.tcp.eu.ngrok.io:17260
Mutex: 4c319362419eb0d3496d957c6a5b25af
Attributes:
reg_key: 4c319362419eb0d3496d957c6a5b25af
splitter: |'|'|
Signatures

Detect Neshta Payload 34 IoCs
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\tmp603C.tmp.exe | family_neshta
C:\Users\Admin\AppData\Local\Temp\tmp603C.tmp.exe | family_neshta
\Users\Admin\AppData\Local\Temp\tmp603C.tmp.exe | family_neshta
C:\Users\Admin\AppData\Local\Temp\tmp603C.tmp.exe | family_neshta
C:\Windows\svchost.com | family_neshta
C:\Windows\svchost.com | family_neshta
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe | family_neshta
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe | family_neshta
C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE | family_neshta
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe | family_neshta
C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe | family_neshta
C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE | family_neshta
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe | family_neshta
C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE | family_neshta
C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE | family_neshta
C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe | family_neshta
C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE | family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE | family_neshta
\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE | family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE | family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE | family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE | family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE | family_neshta
C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE | family_neshta
C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE | family_neshta
C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE | family_neshta
\PROGRA~2\MICROS~1\Office14\XLICONS.EXE | family_neshta
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE | family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE | family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE | family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE | family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE | family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE | family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE | family_neshta
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes: tmp603C.tmp.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | tmp603C.tmp.exe
Neshta
Malware from the Neshta family infects other executable files on the host in order to spread itself and cause damage.
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Desktop)
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Get Passwords)
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop)
Executes dropped EXE 6 IoCs
Processes: Fisting.exe, tmp6E5.tmp.exe, tmpFBAF.tmp.exe, tmp603C.tmp.exe, tmp603C.tmp.exe, svchost.com
pid | process
1632 | Fisting.exe
1556 | tmp6E5.tmp.exe
360 | tmpFBAF.tmp.exe
364 | tmp603C.tmp.exe
1920 | tmp603C.tmp.exe
1136 | svchost.com
Modifies Windows Firewall 1 TTPs 1 IoCs

Drops startup file 2 IoCs
Processes: Fisting.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4c319362419eb0d3496d957c6a5b25af.exe | Fisting.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4c319362419eb0d3496d957c6a5b25af.exe | Fisting.exe
Loads dropped DLL 12 IoCs
Processes: Fisting.exe, tmp603C.tmp.exe, svchost.com
pid | process
1632 | Fisting.exe (repeated 6 times)
364 | tmp603C.tmp.exe (repeated 3 times)
1136 | svchost.com
364 | tmp603C.tmp.exe (repeated 2 times)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application 2 TTPs 2 IoCs
Processes: Fisting.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\4c319362419eb0d3496d957c6a5b25af = "\"C:\\Windows\\Fisting.exe\" .." | Fisting.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\4c319362419eb0d3496d957c6a5b25af = "\"C:\\Windows\\Fisting.exe\" .." | Fisting.exe
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: Fisting.exe
description | ioc | process
File opened (read-only) | \??\D: | Fisting.exe
Drops autorun.inf file 1 TTPs 3 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes: Fisting.exe
description | ioc | process
File created | C:\autorun.inf | Fisting.exe
File opened for modification | C:\autorun.inf | Fisting.exe
File created | D:\autorun.inf | Fisting.exe
Drops file in Program Files directory 64 IoCs
Processes: tmp603C.tmp.exe, svchost.com
description | ioc | process
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE | tmp603C.tmp.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE | svchost.com
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE | tmp603C.tmp.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE | tmp603C.tmp.exe
File opened for modification | C:\PROGRA~2\WINDOW~1\wabmig.exe | svchost.com
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE | svchost.com
File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE | svchost.com
File opened for modification | C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE | tmp603C.tmp.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\Google\Update\DISABL~1.EXE | tmp603C.tmp.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE | tmp603C.tmp.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE | tmp603C.tmp.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE | tmp603C.tmp.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE | tmp603C.tmp.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE | svchost.com
File opened for modification | C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE | tmp603C.tmp.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe | svchost.com
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE | tmp603C.tmp.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE | svchost.com
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE | tmp603C.tmp.exe
File opened for modification | C:\PROGRA~2\WINDOW~1\WinMail.exe | tmp603C.tmp.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE | tmp603C.tmp.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE | tmp603C.tmp.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE | svchost.com
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE | svchost.com
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE | svchost.com
File opened for modification | C:\PROGRA~2\WI54FB~1\wmplayer.exe | tmp603C.tmp.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmpconfig.exe | svchost.com
File opened for modification | C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe | svchost.com
File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | svchost.com
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE | tmp603C.tmp.exe
File opened for modification | C:\PROGRA~2\MOZILL~1\UNINST~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\WINDOW~1\wab.exe | svchost.com
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE | tmp603C.tmp.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE | tmp603C.tmp.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE | svchost.com
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\OIS.EXE | tmp603C.tmp.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE | tmp603C.tmp.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe | tmp603C.tmp.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE | tmp603C.tmp.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE | svchost.com
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE | svchost.com
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE | tmp603C.tmp.exe
File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | svchost.com
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE | tmp603C.tmp.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\misc.exe | svchost.com
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | tmp603C.tmp.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE | svchost.com
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | tmp603C.tmp.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE | svchost.com
File opened for modification | C:\PROGRA~2\WINDOW~4\ImagingDevices.exe | tmp603C.tmp.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE | svchost.com
File opened for modification | C:\PROGRA~2\WINDOW~1\wab.exe | tmp603C.tmp.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmplayer.exe | svchost.com
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE | tmp603C.tmp.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe | svchost.com
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe | tmp603C.tmp.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE | tmp603C.tmp.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE | tmp603C.tmp.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe | tmp603C.tmp.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE | svchost.com
Drops file in Windows directory 6 IoCs
Processes: Server.exe, Fisting.exe, tmp603C.tmp.exe, svchost.com
description | ioc | process
File created | C:\Windows\Fisting.exe | Server.exe
File opened for modification | C:\Windows\Fisting.exe | Server.exe
File opened for modification | C:\Windows\Fisting.exe | Fisting.exe
File opened for modification | C:\Windows\svchost.com | tmp603C.tmp.exe
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class 1 IoCs
Processes: tmp603C.tmp.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | tmp603C.tmp.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: Fisting.exe
pid | process
1632 | Fisting.exe (repeated 64 times)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Fisting.exe
pid | process
1632 | Fisting.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: Fisting.exe, taskmgr.exe, AUDIODG.EXE
description | pid | process
Token: SeDebugPrivilege | 1632 | Fisting.exe
Token: 33 | 1632 | Fisting.exe
Token: SeIncBasePriorityPrivilege | 1632 | Fisting.exe
Token: 33 | 1632 | Fisting.exe
Token: SeIncBasePriorityPrivilege | 1632 | Fisting.exe
Token: 33 | 1632 | Fisting.exe
Token: SeIncBasePriorityPrivilege | 1632 | Fisting.exe
Token: SeDebugPrivilege | 1928 | taskmgr.exe
Token: 33 | 1632 | Fisting.exe
Token: SeIncBasePriorityPrivilege | 1632 | Fisting.exe
Token: 33 | 1632 | Fisting.exe
Token: SeIncBasePriorityPrivilege | 1632 | Fisting.exe
Token: 33 | 1632 | Fisting.exe
Token: SeIncBasePriorityPrivilege | 1632 | Fisting.exe
Token: 33 | 1964 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 1964 | AUDIODG.EXE
Token: 33 | 1964 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 1964 | AUDIODG.EXE
Token: 33 | 1632 | Fisting.exe
Token: SeIncBasePriorityPrivilege | 1632 | Fisting.exe
(the last pair of rows, Token: 33 followed by Token: SeIncBasePriorityPrivilege for 1632 Fisting.exe, is repeated 23 times in total, giving 64 entries)
Suspicious use of FindShellTrayWindow 40 IoCs
Processes: taskmgr.exe
pid | process
1928 | taskmgr.exe (repeated 40 times)

Suspicious use of SendNotifyMessage 40 IoCs
Processes: taskmgr.exe
pid | process
1928 | taskmgr.exe (repeated 40 times)

Suspicious use of SetWindowsHookEx 1 IoCs
Processes: tmpFBAF.tmp.exe
pid | process
360 | tmpFBAF.tmp.exe
Suspicious use of WriteProcessMemory 43 IoCs
Processes: Server.exe, Fisting.exe, tmp603C.tmp.exe, tmp603C.tmp.exe, WScript.exe, svchost.com
description | pid | process | target process
PID 1516 wrote to memory of 1632 | 1516 | Server.exe | Fisting.exe (repeated 4 times)
PID 1632 wrote to memory of 1536 | 1632 | Fisting.exe | netsh.exe (repeated 4 times)
PID 1632 wrote to memory of 1556 | 1632 | Fisting.exe | tmp6E5.tmp.exe (repeated 4 times)
PID 1632 wrote to memory of 360 | 1632 | Fisting.exe | tmpFBAF.tmp.exe (repeated 4 times)
PID 1632 wrote to memory of 840 | 1632 | Fisting.exe | cmd.exe (repeated 4 times)
PID 1632 wrote to memory of 364 | 1632 | Fisting.exe | tmp603C.tmp.exe (repeated 4 times)
PID 364 wrote to memory of 1920 | 364 | tmp603C.tmp.exe | tmp603C.tmp.exe (repeated 4 times)
PID 1920 wrote to memory of 2032 | 1920 | tmp603C.tmp.exe | WScript.exe (repeated 4 times)
PID 2032 wrote to memory of 1136 | 2032 | WScript.exe | svchost.com (repeated 4 times)
PID 1136 wrote to memory of 456 | 1136 | svchost.com | RUNDLL32.EXE (repeated 7 times)
Processes

C:\Users\Admin\AppData\Local\Temp\Server.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory

  C:\Windows\Fisting.exe (depth 2)
  Command line: "C:\Windows\Fisting.exe"
  - Executes dropped EXE
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\netsh.exe (depth 3)
    Command line: netsh firewall add allowedprogram "C:\Windows\Fisting.exe" "Fisting.exe" ENABLE
    - Modifies Windows Firewall

    C:\Users\Admin\AppData\Local\Temp\tmp6E5.tmp.exe (depth 3)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp6E5.tmp.exe"
    - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\tmpFBAF.tmp.exe (depth 3)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpFBAF.tmp.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\cmd.exe (depth 3)
    Command line: "cmd.exe"

    C:\Users\Admin\AppData\Local\Temp\tmp603C.tmp.exe (depth 3)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp603C.tmp.exe"
    - Modifies system executable filetype association
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\3582-490\tmp603C.tmp.exe (depth 4)
      Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\tmp603C.tmp.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\WScript.exe (depth 5)
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4.vbs"
        - Suspicious use of WriteProcessMemory

          C:\Windows\svchost.com (depth 6)
          Command line: "C:\Windows\svchost.com" "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\RUNDLL32.EXE (depth 7)
            Command line: C:\Windows\System32\RUNDLL32.EXE user32.dll, UpdatePerUserSystemParameters

C:\Windows\system32\taskmgr.exe (depth 1)
Command line: "C:\Windows\system32\taskmgr.exe" /4
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage

C:\Windows\system32\AUDIODG.EXE (depth 1)
Command line: C:\Windows\system32\AUDIODG.EXE 0x504
- Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\cmd.exe (depth 1)
Command line: "C:\Windows\system32\cmd.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE
Filesize: 859KB
MD5: 02ee6a3424782531461fb2f10713d3c1
SHA1: b581a2c365d93ebb629e8363fd9f69afc673123f
SHA256: ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc
SHA512: 6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe
Filesize: 547KB
MD5: cf6c595d3e5e9667667af096762fd9c4
SHA1: 9bb44da8d7f6457099cb56e4f7d1026963dce7ce
SHA256: 593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d
SHA512: ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe
Filesize: 186KB
MD5: 58b58875a50a0d8b5e7be7d6ac685164
SHA1: 1e0b89c1b2585c76e758e9141b846ed4477b0662
SHA256: 2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae
SHA512: d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe
Filesize: 1.1MB
MD5: 566ed4f62fdc96f175afedd811fa0370
SHA1: d4b47adc40e0d5a9391d3f6f2942d1889dd2a451
SHA256: e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460
SHA512: cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE
Filesize: 285KB
MD5: 831270ac3db358cdbef5535b0b3a44e6
SHA1: c0423685c09bbe465f6bb7f8672c936e768f05a3
SHA256: a8f78ac26c738b13564252f1048ca784bf152ef048b829d3d22650b7f62078f0
SHA512: f64a00977d4b6f8c43f53cee7bb450f3c8cbef08525975055fde5d8c515db32d2bfad92e99313b3a10a72a50dd09b4ffe28e9af4c148c6480622ba486776e450

C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE
Filesize: 313KB
MD5: 8c4f4eb73490ca2445d8577cf4bb3c81
SHA1: 0f7d1914b7aeabdb1f1e4caedd344878f48be075
SHA256: 85f7249bfac06b5ee9b20c7f520e3fdc905be7d64cfbefb7dcd82cd8d44686d5
SHA512: 65453075c71016b06430246c1ee2876b7762a03112caf13cff4699b7b40487616c88a1160d31e86697083e2992e0dd88ebf1721679981077799187efaa0a1769

C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE
Filesize: 569KB
MD5: eef2f834c8d65585af63916d23b07c36
SHA1: 8cb85449d2cdb21bd6def735e1833c8408b8a9c6
SHA256: 3cd34a88e3ae7bd3681a7e3c55832af026834055020add33e6bd6f552fc0aabd
SHA512: 2ee8766e56e5b1e71c86f7d1a1aa1882706d0bca8f84b2b2c54dd4c255e04f037a6eb265302449950e5f5937b0e57f17a6aa45e88a407ace4b3945e65043d9b7

C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe
Filesize: 381KB
MD5: 3ec4922dbca2d07815cf28144193ded9
SHA1: 75cda36469743fbc292da2684e76a26473f04a6d
SHA256: 0587fd366ea7e94b3ae500874b1c5d684b5357fcc7389682d5a13c3301a28801
SHA512: 956c3a1f2689cb72600edd2e90d652b77592a8a81d319dce026e88f6c02231af06aebd57d68460eb406de00c113522173423cb1b339a41a3918f379c7dc311f7

C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe
Filesize: 137KB
MD5: e1833678885f02b5e3cf1b3953456557
SHA1: c197e763500002bc76a8d503933f1f6082a8507a
SHA256: bd9a16d8d7590a2ec827913db5173f8beb1d1ef44dab1920ef52a307f922bc14
SHA512: fe107e1c8631ec6ac94f772e6a7be1fdc2a533fe3cfcf36b1ff018c8d01bd7f1f818f0a2448f736838c953cd516ea7327c416dea20706ed2420327af8ef01abe

C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe
Filesize: 414KB
MD5: 6e0d99426707169ce01f273709a1e912
SHA1: 414bc3073049cbb7677897b99059e6c5e42a2331
SHA256: fe778f8c1f6f8e044a89dd7da498c8dfec51deb520eb9c187f40c0e3be5c9bab
SHA512: 5866e1eccc9dde7d8c55949b6b18682ec4b0266c3ac70620e76cb102fd0effbb7bef475b9ef3e2d0a504362116887bd069ed5cede9489685df5619dc9b25d890

C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE
Filesize: 140KB
MD5: e584c29c854081c78a366fbcc6f7f84c
SHA1: 32b7e552e5916b43d57d7b088c543b77f1067338
SHA256: b2748833775c7c1bfce6959afbd5e472f6ff40497ee1a0b4c16d210270c56450
SHA512: c2e1d90d30f8799e4871c3eb87a2bff6b2ec7e46324027f4590503505808600db41583805d265786771a53f658b2d4b0edea85c85b9ae88850119cc0a682be0c

C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE
Filesize: 571KB
MD5: d4fdbb8de6a219f981ffda11aa2b2cc4
SHA1: cca2cffd4cf39277cc56ebd050f313de15aabbf6
SHA256: ba3dc87fca4641e5f5486c4d50c09d087e65264e6c5c885fa6866f6ccb23167b
SHA512: 7167e13dbcc8c96114fef5fc7ae19afa31173617db153dd283aa6d8256f6b8c09c8f906f5d418efe9f7f242cdfaef24b93c11c451701c4d56eb48d18de4e88bf

C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE
Filesize: 270KB
MD5: 3a928dbfdd154534651434bc1c574259
SHA1: 8619df5eaaa8ceab6418136789d2f172ce0d2a83
SHA256: 00ca35c94353f0c583bc4423a7623631673400a1c3c6678cf565fa202769f148
SHA512: ce942aca8a23de012b8adfda84a630c1e8fc2431ace86e953aa2a8966d7e89d7631b7aed8a0810387c1d4413a1ea1b519167c57287071b05e09c5dec1efae826

C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE
Filesize: 138KB
MD5: 950000c930454e0c30644f13ed60e9c3
SHA1: 5f6b06e8a02e1390e7499722b277135b4950723d
SHA256: 09786f64db91266470b56046098d9825253ba5d6a5361c2f4e6dbc8ec28c9bb2
SHA512: 22e3c677c83c755e53a7bf8735734541223f57151d588c3380bc758e5433b706441666d0d95c42bd23a720b093a6942a62346dab24ee3f0a18bee3e5ad1cd9d9

C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE
Filesize: 217KB
MD5: ad0efa1df844814c2e8ddc188cb0e3b5
SHA1: b1a8a09f2223aab8b8e3e9bc0e58cc83d402f8ab
SHA256: c87fd5b223cb6dc716815b442b4964d4670a30b5c79f4fb9f1c3a65ec9072e5a
SHA512: 532cc173d9ef27098ff10b6b652c64231b4a14f99df3b5de2eb1423370c19590e2a6032023d3ed02e2080f2f087b620ebbbd079e4a47a584ef11f3eaa0eb8520

C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE
Filesize: 404KB
MD5: ea78ed9e7eb4cc64544163627476fe4b
SHA1: 67aed91a59742a36c0ff635b15c692cde3eb3a9d
SHA256: d5adfd6c8160892716ad5f2907cc66888aee97e1d296404503e1d42dd30ba562
SHA512: eeee54e5ffbd243fe7ef6c93744c754bc238e5b05e85c7ca3b25edc02a8692cd10225edff40444fe2536608d0ed25578573e309503cb8f90f43d089d86f8710f

C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE
Filesize: 782KB
MD5: 59783c7930a5868eb59beaa1f4d04d0c
SHA1: 0e0a32b30b8a995ee6eccaae7e01542eb35f4f13
SHA256: cb3c161762a27fb2655cc033e3a117253fdbc5c7c41a2658a9618a575f708188
SHA512: cc107ca256e4c46ab880a77e2e111fbac95143a941a670a6a056fabebdd7025aecb9e196f153c819a985f32401161ff9604de7a72d9527ba7ae9dab0e4bf2d13

C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE
Filesize: 1.4MB
MD5: 328a15382885fe27a2fbe65a6b6c8b82
SHA1: 032fde6f0898393387ac4142b7f540de0d586555
SHA256: 4f78a7e0d8ab78d7e76a00d81f4af2d634e7b48c1c82cb44539a0178f50add86
SHA512: 8466fb50a185bda1fdc35126748a81a54d9a804f7023531dd205a18e157931fcbfcf33e006ad1e7cab5288624b8816f54758fb74cc5190f263d208e32a694216

C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE
Filesize: 1.5MB
MD5: 93766da984541820057ae0ab3d578928
SHA1: ea19a657c6b1b5eb5accc09c45dcf04f063151c3
SHA256: ad3a9f7beaaea0bc49a7ccba83198cfb2882d462441203684076695b0ef6c514
SHA512: e14c86e13ab79fa9b9eb1a05d69764d522c4acfab7742c200080b215bb3bc31ec7f3dd2abf44cbc996d2e58a0ca1990b18ab055b232b243fe61b5fb018a9b719

C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
Filesize: 536KB
MD5: bcb5db16e576464d3d8d93e1907bf946
SHA1: b10f3c3dc4baef4655ae2c30543be9d3c40b9781
SHA256: 24c9b3b4cf5e45a56c90d7fd112b05f07dd89cf96e98729beb2f6081fca758c0
SHA512: c36339b06a00938c8a63ba4d54a766dc3ca3d1e34d69e9b4b2bfa9ca79c5c65d07f216f84af2b60be0c9cbdccadc5c271018efed52def8bd778dc01743d61229

C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE
Filesize: 526KB
MD5: cc5020b193486a88f373bedca78e24c8
SHA1: 61744a1675ce10ddd196129b49331d517d7da884
SHA256: e87936bb1f0794b7622f8ce5b88e4b57b2358c4e0d0fd87c5cd9fa03b8429e2a
SHA512: bc2c77a25ad9f25ac19d8216dafc5417513cb57b9984237a5589a0bb684fdac4540695fcfb0df150556823b191014c96b002e4234a779bd064d36166afeb09d2

C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
Filesize: 714KB
MD5: 24179b4581907abfef8a55ab41c97999
SHA1: e4de417476f43da4405f4340ebf6044f6b094337
SHA256: a8b960bcbf3045bedd2f6b59c521837ac4aee9c566001c01d8fc43b15b1dfdc7
SHA512: 6fb0621ea3755db8af58d86bdc4f5324ba0832790e83375d07c378b6f569a109e14a78ed7d1a5e105b7a005194a31bd7771f3008b2026a0938d695e62f6ea6b8

C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE
Filesize: 715KB
MD5: 06366e48936df8d5556435c9820e9990
SHA1: 0e3ed1da26a0c96f549720684e87352f1b58ef45
SHA256: cd47cce50016890899413b2c3609b3b49cb1b65a4dfcaa34ece5a16d8e8f6612
SHA512: bea7342a6703771cb9b11cd164e9972eb981c33dcfe3e628b139f9e45cf1e24ded1c55fcdfa0697bf48772a3359a9ddd29e4bb33c796c94727afd1c4d5589ea3

C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE
Filesize: 536KB
MD5: bcb5db16e576464d3d8d93e1907bf946
SHA1: b10f3c3dc4baef4655ae2c30543be9d3c40b9781
SHA256: 24c9b3b4cf5e45a56c90d7fd112b05f07dd89cf96e98729beb2f6081fca758c0
SHA512: c36339b06a00938c8a63ba4d54a766dc3ca3d1e34d69e9b4b2bfa9ca79c5c65d07f216f84af2b60be0c9cbdccadc5c271018efed52def8bd778dc01743d61229

C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE
Filesize: 525KB
MD5: f6636e7fd493f59a5511f08894bba153
SHA1: 3618061817fdf1155acc0c99b7639b30e3b6936c
SHA256: 61720d294189141b74631299911d91874aa02e67096a47cfaf56ef03f568bd33
SHA512: bd2ae751a37b4c065f0d7f7f7ec19785c1552dfaa4818fdb213fffcf90b7951886131a2b5d7aad843f714be418383fcf09ba1d9548bdbf38fa3d304a092a33d1

C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
Filesize: 536KB
MD5: 3e8de969e12cd5e6292489a12a9834b6
SHA1: 285b89585a09ead4affa32ecaaa842bc51d53ad5
SHA256: 7a25fc3b1ce0f1d06a84dd344c8f5a6c4604732f7d13a8aaad504c4376b305cf
SHA512: b14a5936181a1d8c0f966d969a049254238bf1eacdb1da952c2dc084d5d6dcd5d611d2d058d4c00d6384c20046deef5e74ea865c0062bb0761a391a1eaf1640e

C:\Users\Admin\AppData\Local\Temp\3582-490\tmp603C.tmp.exe
Filesize: 938KB
MD5: abde72bbbe3a4e9aefac2613cc1fb1d8
SHA1: 37e233800c07ae09de6f08b0beae552bb3cab69c
SHA256: d3c019f06f8e399fb76c9e778bbdf97f51e00cf61f0bc04c6811fc03f9fd25b5
SHA512: 64c849e91ec0042de899d033d8e704708d4546bf46283545c4e88d36d5e1c453291ac2e128b27ba62014702b699e55a0ef47bd147747bdb0bd4f23006d957595

C:\Users\Admin\AppData\Local\Temp\4.vbs
Filesize: 462B
MD5: 593e1c1aac6eb52f5a45481a32a8a94c
SHA1: d9f9f058a22e2c1708eb46c494b705f102d65996
SHA256: 477a5b41a9daa3035d3a039990fa6cbab15db95da9a6de3c42874331b642b18b
SHA512: fe8c43148cda5cad61bc4749c1384838ffde2599381da69b0b958c10d2f97351696e70124a1d38a121593e658f44b5ea25272a4bf6dd27e1a4cd1646207e0d0d

C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp
Filesize: 8B
MD5: 699a5196b879546bfa4fdd4015221cf2
SHA1: ee6474cf747e9338618597a214efea8e3ca2b59d
SHA256: 87fe1da21d70dd8d83269bb5239d1f71a2d6e87cb2e168de06d7d4f76624fa77
SHA512: 4319f241a23b7ee37b56949c36bf3071b7f273bc13173cbd963cefc144ce2bae884abb2a369f1015dff4d06771951a6115addb4479c5daff8fcb1e78fbbc69a6

C:\Users\Admin\AppData\Local\Temp\tmp603C.tmp.exe
Filesize: 978KB
MD5: a23a62f40b15ad76b917e08876aab844
SHA1: 6c92d787df2c231ffdea30b5c0379271c6bd1984
SHA256: 5578c49d0e0285fe28b324e160d96e44c96ef2f996392ef3191747d667d302d5
SHA512: ee86989532ca06925ffd7ccc7187647f8b575e5cae1231a4df9bb99522e32d70e7de3989b75989db7796a5508ac672a5dd6b75e7007973c0a2401b7d95129fc5

C:\Users\Admin\AppData\Local\Temp\tmp603C.tmp.exe
Filesize: 978KB
MD5: a23a62f40b15ad76b917e08876aab844
SHA1: 6c92d787df2c231ffdea30b5c0379271c6bd1984
SHA2565578c49d0e0285fe28b324e160d96e44c96ef2f996392ef3191747d667d302d5
SHA512ee86989532ca06925ffd7ccc7187647f8b575e5cae1231a4df9bb99522e32d70e7de3989b75989db7796a5508ac672a5dd6b75e7007973c0a2401b7d95129fc5
-
C:\Users\Admin\AppData\Local\Temp\tmp6E5.tmp.exeFilesize
14KB
MD500dd057add024c605c0414a985d31c32
SHA11d00812873ff86b33120923b705c872e13efd5cc
SHA2562665f52d47ee7dfbffabcf58c0da31e311d3efa97442e85944a61bac8629e2af
SHA5123eb9439c75ac9b32a121ee959aa94f11a5c73d26aa24d76bf0af149a045ad1368711797ef949ba834cb6da970005b5e829bc96fba5d841a2256022b973000226
-
C:\Users\Admin\AppData\Local\Temp\tmpFBAF.tmp.exeFilesize
20KB
MD54b3bf38438172474c9b3e3096d572282
SHA1e127f1217d0fd39ee1c6f8d40aa6a3fb480a4845
SHA256ae23c8ef1b6f0106c344867ca48101e1c94834e4e2b667879eb99aef0e4cbcf1
SHA51237f31c756ecaf70fb3a8a82ed7bb5e6779534e4003c6c30d93efcc33fd3d2d5c9085c0741ce6e63249029b8b7923ca490507ae881afa9e1d975af781485c1d2b
-
C:\Windows\Fisting.exeFilesize
36KB
MD57d7c8113cb04320f4dcf35a3c0249c7f
SHA146c5ab4281ce97e99b2b77166f481d0e8aee08bb
SHA256593c6b4b7701ca3bd566f8871686f8108293971125305e71f7679751faa7af83
SHA5120dbb66b036e0410960a3cd698aaebbd0283713ca4ac41c8eb67484bfaf8168b46fd3581997da817cbcce1e762d4519bbf6e29ff053be222e096d1c93c263dccf
-
C:\Windows\Fisting.exeFilesize
36KB
MD57d7c8113cb04320f4dcf35a3c0249c7f
SHA146c5ab4281ce97e99b2b77166f481d0e8aee08bb
SHA256593c6b4b7701ca3bd566f8871686f8108293971125305e71f7679751faa7af83
SHA5120dbb66b036e0410960a3cd698aaebbd0283713ca4ac41c8eb67484bfaf8168b46fd3581997da817cbcce1e762d4519bbf6e29ff053be222e096d1c93c263dccf
-
C:\Windows\svchost.comFilesize
40KB
MD536fd5e09c417c767a952b4609d73a54b
SHA1299399c5a2403080a5bf67fb46faec210025b36d
SHA256980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2
SHA5121813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92
-
C:\Windows\svchost.comFilesize
40KB
MD536fd5e09c417c767a952b4609d73a54b
SHA1299399c5a2403080a5bf67fb46faec210025b36d
SHA256980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2
SHA5121813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92
-
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXEFilesize
252KB
MD59e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1ec66cda99f44b62470c6930e5afda061579cde35
SHA2568899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA5122ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
-
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXEFilesize
252KB
MD59e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1ec66cda99f44b62470c6930e5afda061579cde35
SHA2568899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA5122ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
-
\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXEFilesize
571KB
MD5d4fdbb8de6a219f981ffda11aa2b2cc4
SHA1cca2cffd4cf39277cc56ebd050f313de15aabbf6
SHA256ba3dc87fca4641e5f5486c4d50c09d087e65264e6c5c885fa6866f6ccb23167b
SHA5127167e13dbcc8c96114fef5fc7ae19afa31173617db153dd283aa6d8256f6b8c09c8f906f5d418efe9f7f242cdfaef24b93c11c451701c4d56eb48d18de4e88bf
-
\PROGRA~2\MICROS~1\Office14\XLICONS.EXEFilesize
1.5MB
MD593766da984541820057ae0ab3d578928
SHA1ea19a657c6b1b5eb5accc09c45dcf04f063151c3
SHA256ad3a9f7beaaea0bc49a7ccba83198cfb2882d462441203684076695b0ef6c514
SHA512e14c86e13ab79fa9b9eb1a05d69764d522c4acfab7742c200080b215bb3bc31ec7f3dd2abf44cbc996d2e58a0ca1990b18ab055b232b243fe61b5fb018a9b719
-
\Users\Admin\AppData\Local\Temp\3582-490\tmp603C.tmp.exeFilesize
938KB
MD5abde72bbbe3a4e9aefac2613cc1fb1d8
SHA137e233800c07ae09de6f08b0beae552bb3cab69c
SHA256d3c019f06f8e399fb76c9e778bbdf97f51e00cf61f0bc04c6811fc03f9fd25b5
SHA51264c849e91ec0042de899d033d8e704708d4546bf46283545c4e88d36d5e1c453291ac2e128b27ba62014702b699e55a0ef47bd147747bdb0bd4f23006d957595
-
\Users\Admin\AppData\Local\Temp\3582-490\tmp603C.tmp.exeFilesize
938KB
MD5abde72bbbe3a4e9aefac2613cc1fb1d8
SHA137e233800c07ae09de6f08b0beae552bb3cab69c
SHA256d3c019f06f8e399fb76c9e778bbdf97f51e00cf61f0bc04c6811fc03f9fd25b5
SHA51264c849e91ec0042de899d033d8e704708d4546bf46283545c4e88d36d5e1c453291ac2e128b27ba62014702b699e55a0ef47bd147747bdb0bd4f23006d957595
-
\Users\Admin\AppData\Local\Temp\tmp603C.tmp.exeFilesize
978KB
MD5a23a62f40b15ad76b917e08876aab844
SHA16c92d787df2c231ffdea30b5c0379271c6bd1984
SHA2565578c49d0e0285fe28b324e160d96e44c96ef2f996392ef3191747d667d302d5
SHA512ee86989532ca06925ffd7ccc7187647f8b575e5cae1231a4df9bb99522e32d70e7de3989b75989db7796a5508ac672a5dd6b75e7007973c0a2401b7d95129fc5
-
\Users\Admin\AppData\Local\Temp\tmp603C.tmp.exeFilesize
978KB
MD5a23a62f40b15ad76b917e08876aab844
SHA16c92d787df2c231ffdea30b5c0379271c6bd1984
SHA2565578c49d0e0285fe28b324e160d96e44c96ef2f996392ef3191747d667d302d5
SHA512ee86989532ca06925ffd7ccc7187647f8b575e5cae1231a4df9bb99522e32d70e7de3989b75989db7796a5508ac672a5dd6b75e7007973c0a2401b7d95129fc5
-
\Users\Admin\AppData\Local\Temp\tmp6E5.tmp.exeFilesize
14KB
MD500dd057add024c605c0414a985d31c32
SHA11d00812873ff86b33120923b705c872e13efd5cc
SHA2562665f52d47ee7dfbffabcf58c0da31e311d3efa97442e85944a61bac8629e2af
SHA5123eb9439c75ac9b32a121ee959aa94f11a5c73d26aa24d76bf0af149a045ad1368711797ef949ba834cb6da970005b5e829bc96fba5d841a2256022b973000226
-
\Users\Admin\AppData\Local\Temp\tmp6E5.tmp.exeFilesize
14KB
MD500dd057add024c605c0414a985d31c32
SHA11d00812873ff86b33120923b705c872e13efd5cc
SHA2562665f52d47ee7dfbffabcf58c0da31e311d3efa97442e85944a61bac8629e2af
SHA5123eb9439c75ac9b32a121ee959aa94f11a5c73d26aa24d76bf0af149a045ad1368711797ef949ba834cb6da970005b5e829bc96fba5d841a2256022b973000226
-
\Users\Admin\AppData\Local\Temp\tmpFBAF.tmp.exeFilesize
20KB
MD54b3bf38438172474c9b3e3096d572282
SHA1e127f1217d0fd39ee1c6f8d40aa6a3fb480a4845
SHA256ae23c8ef1b6f0106c344867ca48101e1c94834e4e2b667879eb99aef0e4cbcf1
SHA51237f31c756ecaf70fb3a8a82ed7bb5e6779534e4003c6c30d93efcc33fd3d2d5c9085c0741ce6e63249029b8b7923ca490507ae881afa9e1d975af781485c1d2b
-
\Users\Admin\AppData\Local\Temp\tmpFBAF.tmp.exeFilesize
20KB
MD54b3bf38438172474c9b3e3096d572282
SHA1e127f1217d0fd39ee1c6f8d40aa6a3fb480a4845
SHA256ae23c8ef1b6f0106c344867ca48101e1c94834e4e2b667879eb99aef0e4cbcf1
SHA51237f31c756ecaf70fb3a8a82ed7bb5e6779534e4003c6c30d93efcc33fd3d2d5c9085c0741ce6e63249029b8b7923ca490507ae881afa9e1d975af781485c1d2b
-
memory/360-78-0x0000000000000000-mapping.dmp
-
memory/364-85-0x0000000000000000-mapping.dmp
-
memory/456-101-0x0000000000000000-mapping.dmp
-
memory/840-82-0x0000000000000000-mapping.dmp
-
memory/1136-98-0x0000000000000000-mapping.dmp
-
memory/1516-55-0x0000000074650000-0x0000000074BFB000-memory.dmpFilesize
5.7MB
-
memory/1516-54-0x0000000075521000-0x0000000075523000-memory.dmpFilesize
8KB
-
memory/1516-60-0x0000000074650000-0x0000000074BFB000-memory.dmpFilesize
5.7MB
-
memory/1536-62-0x0000000000000000-mapping.dmp
-
memory/1556-74-0x0000000000000000-mapping.dmp
-
memory/1632-61-0x0000000074650000-0x0000000074BFB000-memory.dmpFilesize
5.7MB
-
memory/1632-64-0x0000000074650000-0x0000000074BFB000-memory.dmpFilesize
5.7MB
-
memory/1632-68-0x0000000000B06000-0x0000000000B17000-memory.dmpFilesize
68KB
-
memory/1632-56-0x0000000000000000-mapping.dmp
-
memory/1632-71-0x0000000000B06000-0x0000000000B17000-memory.dmpFilesize
68KB
-
memory/1920-91-0x0000000000000000-mapping.dmp
-
memory/1928-65-0x000007FEFBB21000-0x000007FEFBB23000-memory.dmpFilesize
8KB
-
memory/1928-66-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/1928-67-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/1928-69-0x0000000001D80000-0x0000000001D90000-memory.dmpFilesize
64KB
-
memory/1928-70-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/2032-94-0x0000000000000000-mapping.dmp