Analysis
- Max time kernel: 154s
- Max time network: 159s
- Platform: windows7_x64
- Resource: win7-20220414-en
- Submitted: 16-06-2022 22:51

Behavioral task: behavioral1
- Sample: hello.exe
- Resource: win7-20220414-en
General
- Target: hello.exe
- Size: 37KB
- MD5: f6578c4f484063121bb63109b543fb95
- SHA1: baae4772f958a85f2420a7c112f3b0ee02f962ce
- SHA256: c27c8f029c0ce21a116cdb60c78676cac7ea9dd38aab8bf5c394075b407d6f5e
- SHA512: 882590671a309211271e40665ad0561c2f9474aac477a55dbe79e58122cb4370854641e84a9bd7d2d138eca3bef2d2453bacac501042139a7ec74cd37cacd87c
Malware Config
Extracted
- Family: njrat
- Version: im523
- Botnet: NEXT
- C2: 109.197.196.135:9991
- Mutex: 413491cbe232876548b9b7cd8a1b451d
- Attributes:
  - reg_key: 413491cbe232876548b9b7cd8a1b451d
  - splitter: |'|'|
Signatures

Detect Neshta Payload 7 IoCs
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\tmpA8DE.tmp.exe | family_neshta
\Users\Admin\AppData\Local\Temp\tmpA8DE.tmp.exe | family_neshta
C:\Users\Admin\AppData\Local\Temp\tmpA8DE.tmp.exe | family_neshta
C:\Users\Admin\AppData\Local\Temp\tmpA8DE.tmp.exe | family_neshta
C:\Windows\svchost.com | family_neshta
C:\Windows\svchost.com | family_neshta
C:\Windows\svchost.com | family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | tmpA8DE.tmp.exe

Neshta
Malware from the Neshta family infects other files in order to spread and cause damage.

suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)

suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Desktop)

suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop)

Executes dropped EXE 13 IoCs
Processes:
pid | process
296 | tmp679A.tmp.exe
916 | tmp8087.tmp.exe
1092 | dllhost.exe
1712 | tmpA8DE.tmp.exe
328 | tmpA8DE.tmp.exe
1496 | tmpA8DE.tmpSrv.exe
1168 | DesktopLayer.exe
2112 | svchost.com
2144 | TMP1B9~1.EXE
2168 | TMP1B9~1Srv.exe
2196 | DesktopLayer.exe
2424 | svchost.com
2452 | TMP4E9~1.EXE

Modifies Windows Firewall 1 TTPs 3 IoCs
Processes:
pid | process
1656 | netsh.exe
1892 | netsh.exe
1628 | netsh.exe

Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\3582-490\tmpA8DE.tmpSrv.exe | upx
C:\Users\Admin\AppData\Local\Temp\3582-490\tmpA8DE.tmpSrv.exe | upx
C:\Users\Admin\AppData\Local\Temp\3582-490\tmpA8DE.tmpSrv.exe | upx
\Program Files (x86)\Microsoft\DesktopLayer.exe | upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe | upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe | upx
behavioral1/memory/1168-105-0x0000000000400000-0x000000000042E000-memory.dmp | upx
behavioral1/memory/1496-101-0x0000000000400000-0x000000000042E000-memory.dmp | upx
\Program Files (x86)\Microsoft\DesktopLayer.exe | upx
C:\Users\Admin\AppData\Local\Temp\TMP1B9~1.EXE | upx
C:\Users\Admin\AppData\Local\Temp\TMP1B9~1.EXE | upx
\Users\Admin\AppData\Local\Temp\TMP1B9~1.EXE | upx
\Users\Admin\AppData\Local\Temp\TMP1B9~1.EXE | upx
\Users\Admin\AppData\Local\Temp\TMP1B9~1Srv.exe | upx
C:\Users\Admin\AppData\Local\Temp\TMP1B9~1Srv.exe | upx
\Program Files (x86)\Microsoft\DesktopLayer.exe | upx
C:\Users\Admin\AppData\Local\Temp\TMP1B9~1Srv.exe | upx
behavioral1/memory/2168-132-0x0000000000400000-0x000000000042E000-memory.dmp | upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe | upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe | upx
behavioral1/memory/2144-138-0x0000000000400000-0x000000000041D000-memory.dmp | upx
C:\Users\Admin\AppData\Local\Temp\TMP4E9~1.EXE | upx
\Users\Admin\AppData\Local\Temp\TMP4E9~1.EXE | upx
\Users\Admin\AppData\Local\Temp\TMP4E9~1.EXE | upx
C:\Users\Admin\AppData\Local\Temp\TMP4E9~1.EXE | upx

Drops startup file 4 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\17a12256c22089ecda68e950006be021.exe | hello.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\17a12256c22089ecda68e950006be021.exe | hello.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\413491cbe232876548b9b7cd8a1b451d.exe | dllhost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\413491cbe232876548b9b7cd8a1b451d.exe | dllhost.exe

Loads dropped DLL 17 IoCs
Processes:
pid | process
1080 | hello.exe
1080 | hello.exe
296 | tmp679A.tmp.exe
1092 | dllhost.exe
1092 | dllhost.exe
1712 | tmpA8DE.tmp.exe
1712 | tmpA8DE.tmp.exe
328 | tmpA8DE.tmp.exe
1496 | tmpA8DE.tmpSrv.exe
1712 | tmpA8DE.tmp.exe
1712 | tmpA8DE.tmp.exe
2112 | svchost.com
2112 | svchost.com
2144 | TMP1B9~1.EXE
2168 | TMP1B9~1Srv.exe
2424 | svchost.com
2424 | svchost.com

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials.

Adds Run key to start application 2 TTPs 6 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\075bed74890e43c52d546584d6c1b9c7 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp8087.tmp.exe\" .." | tmp8087.tmp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\075bed74890e43c52d546584d6c1b9c7 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp8087.tmp.exe\" .." | tmp8087.tmp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\413491cbe232876548b9b7cd8a1b451d = "\"C:\\Users\\Admin\\AppData\\Roaming\\dllhost.exe\" .." | dllhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\413491cbe232876548b9b7cd8a1b451d = "\"C:\\Users\\Admin\\AppData\\Roaming\\dllhost.exe\" .." | dllhost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\17a12256c22089ecda68e950006be021 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\hello.exe\" .." | hello.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\17a12256c22089ecda68e950006be021 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\hello.exe\" .." | hello.exe

Drops autorun.inf file 1 TTPs 3 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes:
description | ioc | process
File opened for modification | C:\autorun.inf | dllhost.exe
File created | D:\autorun.inf | dllhost.exe
File created | C:\autorun.inf | dllhost.exe
Drops file in Program Files directory 64 IoCs
Processes:
description | ioc | process
File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\setup_wm.exe | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\ImagingDevices.exe | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\misc.exe | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\WMPDMC.exe | tmpA8DE.tmp.exe
File opened for modification | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | TMP1B9~1Srv.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\MIE74D~1\DESKTO~1.EXE | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\Google\Update\DISABL~1.EXE | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\MOZILL~1\UNINST~1.EXE | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmlaunch.exe | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmplayer.exe | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmpshare.exe | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\WINDOW~1\wab.exe | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmpconfig.exe | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE | tmpA8DE.tmp.exe
File opened for modification | C:\Program Files (x86)\Microsoft\px1C96.tmp | TMP1B9~1Srv.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\OIS.EXE | tmpA8DE.tmp.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE | tmpA8DE.tmp.exe

Drops file in Windows directory 3 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\svchost.com | tmpA8DE.tmp.exe
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D46EB761-EDD7-11EC-9824-4224C87335A1} = "0" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe

Modifies registry class 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | tmpA8DE.tmp.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
1092 | dllhost.exe (this row is repeated 64 times in the report)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
1092 | dllhost.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1080 | hello.exe
Token: 33 | 1080 | hello.exe
Token: SeIncBasePriorityPrivilege | 1080 | hello.exe
Token: 33 | 1080 | hello.exe
Token: SeIncBasePriorityPrivilege | 1080 | hello.exe
Token: SeDebugPrivilege | 916 | tmp8087.tmp.exe
Token: SeDebugPrivilege | 1092 | dllhost.exe
Token: 33 | 1080 | hello.exe
Token: SeIncBasePriorityPrivilege | 1080 | hello.exe
Token: 33 | 916 | tmp8087.tmp.exe
Token: SeIncBasePriorityPrivilege | 916 | tmp8087.tmp.exe
Token: 33 | 1092 | dllhost.exe
Token: SeIncBasePriorityPrivilege | 1092 | dllhost.exe
Token: 33 | 916 | tmp8087.tmp.exe
Token: SeIncBasePriorityPrivilege | 916 | tmp8087.tmp.exe
Token: 33 | 1080 | hello.exe
Token: SeIncBasePriorityPrivilege | 1080 | hello.exe
Token: 33 | 1092 | dllhost.exe
Token: SeIncBasePriorityPrivilege | 1092 | dllhost.exe
Token: 33 | 916 | tmp8087.tmp.exe
Token: SeIncBasePriorityPrivilege | 916 | tmp8087.tmp.exe
Token: 33 | 1080 | hello.exe
Token: SeIncBasePriorityPrivilege | 1080 | hello.exe
Token: 33 | 916 | tmp8087.tmp.exe
Token: SeIncBasePriorityPrivilege | 916 | tmp8087.tmp.exe
Token: 33 | 1092 | dllhost.exe
Token: SeIncBasePriorityPrivilege | 1092 | dllhost.exe
Token: 33 | 916 | tmp8087.tmp.exe
Token: SeIncBasePriorityPrivilege | 916 | tmp8087.tmp.exe
Token: 33 | 1080 | hello.exe
Token: SeIncBasePriorityPrivilege | 1080 | hello.exe
Token: 33 | 1092 | dllhost.exe
Token: SeIncBasePriorityPrivilege | 1092 | dllhost.exe
Token: 33 | 916 | tmp8087.tmp.exe
Token: SeIncBasePriorityPrivilege | 916 | tmp8087.tmp.exe
Token: 33 | 1080 | hello.exe
Token: SeIncBasePriorityPrivilege | 1080 | hello.exe
Token: 33 | 916 | tmp8087.tmp.exe
Token: SeIncBasePriorityPrivilege | 916 | tmp8087.tmp.exe
Token: 33 | 1092 | dllhost.exe
Token: SeIncBasePriorityPrivilege | 1092 | dllhost.exe
Token: 33 | 916 | tmp8087.tmp.exe
Token: SeIncBasePriorityPrivilege | 916 | tmp8087.tmp.exe
Token: 33 | 1080 | hello.exe
Token: SeIncBasePriorityPrivilege | 1080 | hello.exe
Token: 33 | 916 | tmp8087.tmp.exe
Token: SeIncBasePriorityPrivilege | 916 | tmp8087.tmp.exe
Token: 33 | 1092 | dllhost.exe
Token: SeIncBasePriorityPrivilege | 1092 | dllhost.exe
Token: 33 | 916 | tmp8087.tmp.exe
Token: SeIncBasePriorityPrivilege | 916 | tmp8087.tmp.exe
Token: 33 | 1080 | hello.exe
Token: SeIncBasePriorityPrivilege | 1080 | hello.exe
Token: 33 | 1092 | dllhost.exe
Token: SeIncBasePriorityPrivilege | 1092 | dllhost.exe
Token: 33 | 916 | tmp8087.tmp.exe
Token: SeIncBasePriorityPrivilege | 916 | tmp8087.tmp.exe
Token: 33 | 1080 | hello.exe
Token: SeIncBasePriorityPrivilege | 1080 | hello.exe
Token: 33 | 916 | tmp8087.tmp.exe
Token: SeIncBasePriorityPrivilege | 916 | tmp8087.tmp.exe
Token: 33 | 1092 | dllhost.exe
Token: SeIncBasePriorityPrivilege | 1092 | dllhost.exe

Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid | process
672 | iexplore.exe
672 | iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
pid | process
672 | iexplore.exe
672 | iexplore.exe
1964 | IEXPLORE.EXE
1964 | IEXPLORE.EXE
1964 | IEXPLORE.EXE
1964 | IEXPLORE.EXE
672 | iexplore.exe
672 | iexplore.exe
2256 | IEXPLORE.EXE
2256 | IEXPLORE.EXE
2256 | IEXPLORE.EXE
2256 | IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs
Processes (each row below appears four times in the report, once per WriteProcessMemory call; 16 distinct parent/child pairs, 64 IoCs in total):
description | pid | process | target process
PID 1080 wrote to memory of 1656 | 1080 | hello.exe | netsh.exe (x4)
PID 1080 wrote to memory of 296 | 1080 | hello.exe | tmp679A.tmp.exe (x4)
PID 1080 wrote to memory of 916 | 1080 | hello.exe | tmp8087.tmp.exe (x4)
PID 296 wrote to memory of 1092 | 296 | tmp679A.tmp.exe | dllhost.exe (x4)
PID 916 wrote to memory of 1892 | 916 | tmp8087.tmp.exe | netsh.exe (x4)
PID 1092 wrote to memory of 1628 | 1092 | dllhost.exe | netsh.exe (x4)
PID 1092 wrote to memory of 1712 | 1092 | dllhost.exe | tmpA8DE.tmp.exe (x4)
PID 1712 wrote to memory of 328 | 1712 | tmpA8DE.tmp.exe | tmpA8DE.tmp.exe (x4)
PID 328 wrote to memory of 1496 | 328 | tmpA8DE.tmp.exe | tmpA8DE.tmpSrv.exe (x4)
PID 1496 wrote to memory of 1168 | 1496 | tmpA8DE.tmpSrv.exe | DesktopLayer.exe (x4)
PID 1168 wrote to memory of 672 | 1168 | DesktopLayer.exe | iexplore.exe (x4)
PID 672 wrote to memory of 1964 | 672 | iexplore.exe | IEXPLORE.EXE (x4)
PID 1092 wrote to memory of 2112 | 1092 | dllhost.exe | svchost.com (x4)
PID 2112 wrote to memory of 2144 | 2112 | svchost.com | TMP1B9~1.EXE (x4)
PID 2144 wrote to memory of 2168 | 2144 | TMP1B9~1.EXE | TMP1B9~1Srv.exe (x4)
PID 2168 wrote to memory of 2196 | 2168 | TMP1B9~1Srv.exe | DesktopLayer.exe (x4)
Processes
(Process tree; the level number is the depth in the tree, nesting shown by indentation.)

- C:\Users\Admin\AppData\Local\Temp\hello.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\hello.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe (level 2)
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\hello.exe" "hello.exe" ENABLE
    - Modifies Windows Firewall
  - C:\Users\Admin\AppData\Local\Temp\tmp679A.tmp.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp679A.tmp.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\dllhost.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Roaming\dllhost.exe"
      - Executes dropped EXE
      - Drops startup file
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops autorun.inf file
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\netsh.exe (level 4)
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\dllhost.exe" "dllhost.exe" ENABLE
        - Modifies Windows Firewall
      - C:\Users\Admin\AppData\Local\Temp\tmpA8DE.tmp.exe (level 4)
        Command line: "C:\Users\Admin\AppData\Local\Temp\tmpA8DE.tmp.exe"
        - Modifies system executable filetype association
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\3582-490\tmpA8DE.tmp.exe (level 5)
          Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\tmpA8DE.tmp.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\3582-490\tmpA8DE.tmpSrv.exe (level 6)
            Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\tmpA8DE.tmpSrv.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
            - C:\Program Files (x86)\Microsoft\DesktopLayer.exe (level 7)
              Command line: "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
              - Executes dropped EXE
              - Suspicious use of WriteProcessMemory
              - C:\Program Files\Internet Explorer\iexplore.exe (level 8)
                Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
                - Modifies Internet Explorer settings
                - Suspicious use of FindShellTrayWindow
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory
                - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (level 9)
                  Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:672 CREDAT:275457 /prefetch:2
                  - Modifies Internet Explorer settings
                  - Suspicious use of SetWindowsHookEx
                - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (level 9)
                  Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:672 CREDAT:209934 /prefetch:2
                  - Modifies Internet Explorer settings
                  - Suspicious use of SetWindowsHookEx
      - C:\Windows\svchost.com (level 4)
        Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\TMP1B9~1.EXE"
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Windows directory
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\TMP1B9~1.EXE (level 5)
          Command line: C:\Users\Admin\AppData\Local\Temp\TMP1B9~1.EXE
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\TMP1B9~1Srv.exe (level 6)
            Command line: C:\Users\Admin\AppData\Local\Temp\TMP1B9~1Srv.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - Drops file in Program Files directory
            - Suspicious use of WriteProcessMemory
            - C:\Program Files (x86)\Microsoft\DesktopLayer.exe (level 7)
              Command line: "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
              - Executes dropped EXE
              - C:\Program Files\Internet Explorer\iexplore.exe (level 8)
                Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      - C:\Windows\svchost.com (level 4)
        Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\TMP4E9~1.EXE"
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Windows directory
        - C:\Users\Admin\AppData\Local\Temp\TMP4E9~1.EXE (level 5)
          Command line: C:\Users\Admin\AppData\Local\Temp\TMP4E9~1.EXE
          - Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\tmp8087.tmp.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp8087.tmp.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (level 3)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\tmp8087.tmp.exe" "tmp8087.tmp.exe" ENABLE
      - Modifies Windows Firewall
Downloads
- C:\Program Files (x86)\Microsoft\DesktopLayer.exe
  Filesize: 55KB
  MD5: ff5e1f27193ce51eec318714ef038bef
  SHA1: b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
  SHA256: fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
  SHA512: c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
C:\Users\Admin\AppData\Local\Temp\3582-490\tmpA8DE.tmp.exeFilesize
112KB
MD59a1b04a62283ab9848be4331ba124d0c
SHA1f83fdad90c24e41987b44a022db3856c9ff22368
SHA2563c782281df50b6286b774ce47c94da5b8283e73d285cf3412514c060fbb5405a
SHA512393cc7cd603ee0f1f65085460c868339ae78e2616902da2ac25e2f45a453674f0bb94f5f1da3d62118d4cf7ec1d377f805ef3b74ce40fb368357055fe09740cc
-
C:\Users\Admin\AppData\Local\Temp\3582-490\tmpA8DE.tmpSrv.exeFilesize
55KB
MD5ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
C:\Users\Admin\AppData\Local\Temp\3582-490\tmpA8DE.tmpSrv.exeFilesize
55KB
MD5ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
C:\Users\Admin\AppData\Local\Temp\TMP1B9~1.EXEFilesize
65KB
MD5c1de9eca3223daed0bc2ae4816193d94
SHA1802d287f4b04454349ca29edf759c8a17c1001fa
SHA256da7ad7681972d3bad124bb4896d74cee40f5aa86d07ecfbd81050c6cc1619e8c
SHA5121ffc95367e960652cd78d99b6a7a38d8056b46dca5f59ada7f4c2dc620d829a43e96610c8bfa36268e1b5037bd9ce7225a050d53fef32cfd9309af3cdc4627a0
-
C:\Users\Admin\AppData\Local\Temp\TMP1B9~1.EXEFilesize
65KB
MD5c1de9eca3223daed0bc2ae4816193d94
SHA1802d287f4b04454349ca29edf759c8a17c1001fa
SHA256da7ad7681972d3bad124bb4896d74cee40f5aa86d07ecfbd81050c6cc1619e8c
SHA5121ffc95367e960652cd78d99b6a7a38d8056b46dca5f59ada7f4c2dc620d829a43e96610c8bfa36268e1b5037bd9ce7225a050d53fef32cfd9309af3cdc4627a0
-
C:\Users\Admin\AppData\Local\Temp\TMP1B9~1Srv.exeFilesize
55KB
MD5ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
C:\Users\Admin\AppData\Local\Temp\TMP1B9~1Srv.exeFilesize
55KB
MD5ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
C:\Users\Admin\AppData\Local\Temp\TMP4E9~1.EXEFilesize
65KB
MD5c1de9eca3223daed0bc2ae4816193d94
SHA1802d287f4b04454349ca29edf759c8a17c1001fa
SHA256da7ad7681972d3bad124bb4896d74cee40f5aa86d07ecfbd81050c6cc1619e8c
SHA5121ffc95367e960652cd78d99b6a7a38d8056b46dca5f59ada7f4c2dc620d829a43e96610c8bfa36268e1b5037bd9ce7225a050d53fef32cfd9309af3cdc4627a0
-
C:\Users\Admin\AppData\Local\Temp\TMP4E9~1.EXEFilesize
65KB
MD5c1de9eca3223daed0bc2ae4816193d94
SHA1802d287f4b04454349ca29edf759c8a17c1001fa
SHA256da7ad7681972d3bad124bb4896d74cee40f5aa86d07ecfbd81050c6cc1619e8c
SHA5121ffc95367e960652cd78d99b6a7a38d8056b46dca5f59ada7f4c2dc620d829a43e96610c8bfa36268e1b5037bd9ce7225a050d53fef32cfd9309af3cdc4627a0
-
C:\Users\Admin\AppData\Local\Temp\tmp679A.tmp.exeFilesize
37KB
MD573196f394725a9623d84a512cdddf6ce
SHA14d24d92f70b2cbce52b1b173162b8f504ee7752f
SHA256ee4ab4017c6e9c0883b2c1e42d0f0264f178ad2c6416e07d77169fdf94d1b1a4
SHA5129c7d00237665f6a1df06217d156cbf07e499f60a7b4eb807b2df107f7392d710cb2439d524827b50492578c652ba20b81f95e4e0eee9f144330847f041971ed6
-
C:\Users\Admin\AppData\Local\Temp\tmp679A.tmp.exeFilesize
37KB
MD573196f394725a9623d84a512cdddf6ce
SHA14d24d92f70b2cbce52b1b173162b8f504ee7752f
SHA256ee4ab4017c6e9c0883b2c1e42d0f0264f178ad2c6416e07d77169fdf94d1b1a4
SHA5129c7d00237665f6a1df06217d156cbf07e499f60a7b4eb807b2df107f7392d710cb2439d524827b50492578c652ba20b81f95e4e0eee9f144330847f041971ed6
-
C:\Users\Admin\AppData\Local\Temp\tmp8087.tmp.exeFilesize
32KB
MD500b5c86717162d1d8b22334fe21b9041
SHA1eada1b62b4d7e5ddcbdf57aa1fea6312d218e154
SHA25660411ad95716024ff295b429667ca3363b12a9fa23f795f42ef51609d05b9036
SHA512e6b5563070f56f6c76c103ef56592f52bff2657393983a05364619b374deee919424493fba70c63100c806ad4a98ab81c9db04e1285fe5f31d80ab1131b04a07
-
C:\Users\Admin\AppData\Local\Temp\tmp8087.tmp.exeFilesize
32KB
MD500b5c86717162d1d8b22334fe21b9041
SHA1eada1b62b4d7e5ddcbdf57aa1fea6312d218e154
SHA25660411ad95716024ff295b429667ca3363b12a9fa23f795f42ef51609d05b9036
SHA512e6b5563070f56f6c76c103ef56592f52bff2657393983a05364619b374deee919424493fba70c63100c806ad4a98ab81c9db04e1285fe5f31d80ab1131b04a07
-
C:\Users\Admin\AppData\Local\Temp\tmpA8DE.tmp.exeFilesize
152KB
MD5a83982b0882253cabec61f523f16954e
SHA1fcd593b4380735520b2f77fa7243abd5bcc61c56
SHA256b299476128e76cee29e3bc7b3cca388ebc60f38e7bde79d0d348c16b197b6e29
SHA512e2b38461813afd7246bc836c276625ac58c568a0176f5990c14eb46dbf7ff7b30d181dacee0c29f3b37efde75f17a7105513a2a4bc35e0490899513caf3f9468
-
C:\Users\Admin\AppData\Local\Temp\tmpA8DE.tmp.exeFilesize
152KB
MD5a83982b0882253cabec61f523f16954e
SHA1fcd593b4380735520b2f77fa7243abd5bcc61c56
SHA256b299476128e76cee29e3bc7b3cca388ebc60f38e7bde79d0d348c16b197b6e29
SHA512e2b38461813afd7246bc836c276625ac58c568a0176f5990c14eb46dbf7ff7b30d181dacee0c29f3b37efde75f17a7105513a2a4bc35e0490899513caf3f9468
-
C:\Users\Admin\AppData\Roaming\dllhost.exeFilesize
37KB
MD573196f394725a9623d84a512cdddf6ce
SHA14d24d92f70b2cbce52b1b173162b8f504ee7752f
SHA256ee4ab4017c6e9c0883b2c1e42d0f0264f178ad2c6416e07d77169fdf94d1b1a4
SHA5129c7d00237665f6a1df06217d156cbf07e499f60a7b4eb807b2df107f7392d710cb2439d524827b50492578c652ba20b81f95e4e0eee9f144330847f041971ed6
-
C:\Users\Admin\AppData\Roaming\dllhost.exeFilesize
37KB
MD573196f394725a9623d84a512cdddf6ce
SHA14d24d92f70b2cbce52b1b173162b8f504ee7752f
SHA256ee4ab4017c6e9c0883b2c1e42d0f0264f178ad2c6416e07d77169fdf94d1b1a4
SHA5129c7d00237665f6a1df06217d156cbf07e499f60a7b4eb807b2df107f7392d710cb2439d524827b50492578c652ba20b81f95e4e0eee9f144330847f041971ed6
-
C:\Windows\directx.sysFilesize
48B
MD5f9e40b77a07b0d27e13ae001b226881b
SHA19531152ad0b25f5371be4b65bb748dbf6f41a367
SHA256c95ef1d16ca45b6222c64b3e26ec8b982a650da8ff2e028a32dc684d8de51ace
SHA512107b93147333536c3a3490d6f17fa22aaade7dceef7c5c99f995c893fee71f0096860f0ad24607e61dca29f4719dbbaa38f6a8e3e8195a605826e482aa203515
-
C:\Windows\svchost.comFilesize
40KB
MD536fd5e09c417c767a952b4609d73a54b
SHA1299399c5a2403080a5bf67fb46faec210025b36d
SHA256980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2
SHA5121813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92
-
C:\Windows\svchost.comFilesize
40KB
MD536fd5e09c417c767a952b4609d73a54b
SHA1299399c5a2403080a5bf67fb46faec210025b36d
SHA256980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2
SHA5121813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92
-
C:\Windows\svchost.comFilesize
40KB
MD536fd5e09c417c767a952b4609d73a54b
SHA1299399c5a2403080a5bf67fb46faec210025b36d
SHA256980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2
SHA5121813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92
-
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXEFilesize
252KB
MD59e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1ec66cda99f44b62470c6930e5afda061579cde35
SHA2568899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA5122ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
-
\Program Files (x86)\Microsoft\DesktopLayer.exeFilesize
55KB
MD5ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
\Program Files (x86)\Microsoft\DesktopLayer.exeFilesize
55KB
MD5ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
\Program Files (x86)\Microsoft\DesktopLayer.exeFilesize
55KB
MD5ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
\Users\Admin\AppData\Local\Temp\3582-490\tmpA8DE.tmp.exeFilesize
112KB
MD59a1b04a62283ab9848be4331ba124d0c
SHA1f83fdad90c24e41987b44a022db3856c9ff22368
SHA2563c782281df50b6286b774ce47c94da5b8283e73d285cf3412514c060fbb5405a
SHA512393cc7cd603ee0f1f65085460c868339ae78e2616902da2ac25e2f45a453674f0bb94f5f1da3d62118d4cf7ec1d377f805ef3b74ce40fb368357055fe09740cc
-
\Users\Admin\AppData\Local\Temp\3582-490\tmpA8DE.tmp.exeFilesize
112KB
MD59a1b04a62283ab9848be4331ba124d0c
SHA1f83fdad90c24e41987b44a022db3856c9ff22368
SHA2563c782281df50b6286b774ce47c94da5b8283e73d285cf3412514c060fbb5405a
SHA512393cc7cd603ee0f1f65085460c868339ae78e2616902da2ac25e2f45a453674f0bb94f5f1da3d62118d4cf7ec1d377f805ef3b74ce40fb368357055fe09740cc
-
\Users\Admin\AppData\Local\Temp\3582-490\tmpA8DE.tmpSrv.exeFilesize
55KB
MD5ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
\Users\Admin\AppData\Local\Temp\TMP1B9~1.EXEFilesize
65KB
MD5c1de9eca3223daed0bc2ae4816193d94
SHA1802d287f4b04454349ca29edf759c8a17c1001fa
SHA256da7ad7681972d3bad124bb4896d74cee40f5aa86d07ecfbd81050c6cc1619e8c
SHA5121ffc95367e960652cd78d99b6a7a38d8056b46dca5f59ada7f4c2dc620d829a43e96610c8bfa36268e1b5037bd9ce7225a050d53fef32cfd9309af3cdc4627a0
-
\Users\Admin\AppData\Local\Temp\TMP1B9~1.EXEFilesize
65KB
MD5c1de9eca3223daed0bc2ae4816193d94
SHA1802d287f4b04454349ca29edf759c8a17c1001fa
SHA256da7ad7681972d3bad124bb4896d74cee40f5aa86d07ecfbd81050c6cc1619e8c
SHA5121ffc95367e960652cd78d99b6a7a38d8056b46dca5f59ada7f4c2dc620d829a43e96610c8bfa36268e1b5037bd9ce7225a050d53fef32cfd9309af3cdc4627a0
-
\Users\Admin\AppData\Local\Temp\TMP1B9~1Srv.exeFilesize
55KB
MD5ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
\Users\Admin\AppData\Local\Temp\TMP4E9~1.EXEFilesize
65KB
MD5c1de9eca3223daed0bc2ae4816193d94
SHA1802d287f4b04454349ca29edf759c8a17c1001fa
SHA256da7ad7681972d3bad124bb4896d74cee40f5aa86d07ecfbd81050c6cc1619e8c
SHA5121ffc95367e960652cd78d99b6a7a38d8056b46dca5f59ada7f4c2dc620d829a43e96610c8bfa36268e1b5037bd9ce7225a050d53fef32cfd9309af3cdc4627a0
-
\Users\Admin\AppData\Local\Temp\TMP4E9~1.EXEFilesize
65KB
MD5c1de9eca3223daed0bc2ae4816193d94
SHA1802d287f4b04454349ca29edf759c8a17c1001fa
SHA256da7ad7681972d3bad124bb4896d74cee40f5aa86d07ecfbd81050c6cc1619e8c
SHA5121ffc95367e960652cd78d99b6a7a38d8056b46dca5f59ada7f4c2dc620d829a43e96610c8bfa36268e1b5037bd9ce7225a050d53fef32cfd9309af3cdc4627a0
-
\Users\Admin\AppData\Local\Temp\tmp679A.tmp.exeFilesize
37KB
MD573196f394725a9623d84a512cdddf6ce
SHA14d24d92f70b2cbce52b1b173162b8f504ee7752f
SHA256ee4ab4017c6e9c0883b2c1e42d0f0264f178ad2c6416e07d77169fdf94d1b1a4
SHA5129c7d00237665f6a1df06217d156cbf07e499f60a7b4eb807b2df107f7392d710cb2439d524827b50492578c652ba20b81f95e4e0eee9f144330847f041971ed6
-
\Users\Admin\AppData\Local\Temp\tmp8087.tmp.exeFilesize
32KB
MD500b5c86717162d1d8b22334fe21b9041
SHA1eada1b62b4d7e5ddcbdf57aa1fea6312d218e154
SHA25660411ad95716024ff295b429667ca3363b12a9fa23f795f42ef51609d05b9036
SHA512e6b5563070f56f6c76c103ef56592f52bff2657393983a05364619b374deee919424493fba70c63100c806ad4a98ab81c9db04e1285fe5f31d80ab1131b04a07
-
\Users\Admin\AppData\Local\Temp\tmpA8DE.tmp.exeFilesize
152KB
MD5a83982b0882253cabec61f523f16954e
SHA1fcd593b4380735520b2f77fa7243abd5bcc61c56
SHA256b299476128e76cee29e3bc7b3cca388ebc60f38e7bde79d0d348c16b197b6e29
SHA512e2b38461813afd7246bc836c276625ac58c568a0176f5990c14eb46dbf7ff7b30d181dacee0c29f3b37efde75f17a7105513a2a4bc35e0490899513caf3f9468
-
\Users\Admin\AppData\Local\Temp\tmpA8DE.tmp.exeFilesize
152KB
MD5a83982b0882253cabec61f523f16954e
SHA1fcd593b4380735520b2f77fa7243abd5bcc61c56
SHA256b299476128e76cee29e3bc7b3cca388ebc60f38e7bde79d0d348c16b197b6e29
SHA512e2b38461813afd7246bc836c276625ac58c568a0176f5990c14eb46dbf7ff7b30d181dacee0c29f3b37efde75f17a7105513a2a4bc35e0490899513caf3f9468
-
\Users\Admin\AppData\Roaming\dllhost.exeFilesize
37KB
MD573196f394725a9623d84a512cdddf6ce
SHA14d24d92f70b2cbce52b1b173162b8f504ee7752f
SHA256ee4ab4017c6e9c0883b2c1e42d0f0264f178ad2c6416e07d77169fdf94d1b1a4
SHA5129c7d00237665f6a1df06217d156cbf07e499f60a7b4eb807b2df107f7392d710cb2439d524827b50492578c652ba20b81f95e4e0eee9f144330847f041971ed6
-
memory/296-75-0x0000000074800000-0x0000000074DAB000-memory.dmpFilesize
5.7MB
-
memory/296-60-0x0000000000000000-mapping.dmp
-
memory/296-64-0x0000000074800000-0x0000000074DAB000-memory.dmpFilesize
5.7MB
-
memory/328-109-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/328-110-0x0000000000230000-0x000000000025E000-memory.dmpFilesize
184KB
-
memory/328-92-0x0000000000000000-mapping.dmp
-
memory/328-114-0x0000000000230000-0x000000000025E000-memory.dmpFilesize
184KB
-
memory/916-76-0x0000000074800000-0x0000000074DAB000-memory.dmpFilesize
5.7MB
-
memory/916-66-0x0000000000000000-mapping.dmp
-
memory/916-82-0x0000000074800000-0x0000000074DAB000-memory.dmpFilesize
5.7MB
-
memory/1080-55-0x0000000074800000-0x0000000074DAB000-memory.dmpFilesize
5.7MB
-
memory/1080-58-0x0000000074800000-0x0000000074DAB000-memory.dmpFilesize
5.7MB
-
memory/1080-54-0x00000000755C1000-0x00000000755C3000-memory.dmpFilesize
8KB
-
memory/1092-77-0x0000000074800000-0x0000000074DAB000-memory.dmpFilesize
5.7MB
-
memory/1092-71-0x0000000000000000-mapping.dmp
-
memory/1092-83-0x0000000074800000-0x0000000074DAB000-memory.dmpFilesize
5.7MB
-
memory/1168-100-0x0000000000000000-mapping.dmp
-
memory/1168-105-0x0000000000400000-0x000000000042E000-memory.dmpFilesize
184KB
-
memory/1496-101-0x0000000000400000-0x000000000042E000-memory.dmpFilesize
184KB
-
memory/1496-95-0x0000000000000000-mapping.dmp
-
memory/1628-80-0x0000000000000000-mapping.dmp
-
memory/1656-56-0x0000000000000000-mapping.dmp
-
memory/1712-107-0x0000000000310000-0x000000000032D000-memory.dmpFilesize
116KB
-
memory/1712-115-0x0000000000310000-0x000000000033E000-memory.dmpFilesize
184KB
-
memory/1712-112-0x0000000000310000-0x000000000032D000-memory.dmpFilesize
116KB
-
memory/1712-86-0x0000000000000000-mapping.dmp
-
memory/1712-108-0x0000000000310000-0x000000000032D000-memory.dmpFilesize
116KB
-
memory/1712-113-0x0000000000310000-0x000000000032D000-memory.dmpFilesize
116KB
-
memory/1892-78-0x0000000000000000-mapping.dmp
-
memory/2112-136-0x00000000003B0000-0x00000000003CD000-memory.dmpFilesize
116KB
-
memory/2112-137-0x00000000003B0000-0x00000000003CD000-memory.dmpFilesize
116KB
-
memory/2112-117-0x0000000000000000-mapping.dmp
-
memory/2144-139-0x0000000000250000-0x000000000027E000-memory.dmpFilesize
184KB
-
memory/2144-138-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/2144-123-0x0000000000000000-mapping.dmp
-
memory/2168-126-0x0000000000000000-mapping.dmp
-
memory/2168-132-0x0000000000400000-0x000000000042E000-memory.dmpFilesize
184KB
-
memory/2196-131-0x0000000000000000-mapping.dmp
-
memory/2424-140-0x0000000000000000-mapping.dmp
-
memory/2452-147-0x0000000000000000-mapping.dmp