neshta | c27c8f029c0ce21a116cdb60c78676cac7ea9dd38aab8bf5c394075b407d6f5e

Analysis

max time kernel
155s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
16-06-2022 22:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hello.exe
Size

37KB
MD5

f6578c4f484063121bb63109b543fb95
SHA1

baae4772f958a85f2420a7c112f3b0ee02f962ce
SHA256

c27c8f029c0ce21a116cdb60c78676cac7ea9dd38aab8bf5c394075b407d6f5e
SHA512

882590671a309211271e40665ad0561c2f9474aac477a55dbe79e58122cb4370854641e84a9bd7d2d138eca3bef2d2453bacac501042139a7ec74cd37cacd87c

Score

10^/10

neshta njrat ramnit next banker evasion persistence spyware stealer suricata trojan upx worm

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

109.197.196.135:9991

Mutex

413491cbe232876548b9b7cd8a1b451d

Attributes

reg_key
413491cbe232876548b9b7cd8a1b451d
splitter
|'|'|

Signatures

Detect Neshta Payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\tmp12F6.tmp.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\tmp12F6.tmp.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

tmp12F6.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	tmp12F6.tmp.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)
suricata
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Message)
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Message)
suricata
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Desktop)
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Desktop)
suricata
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop)
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop)
suricata

Executes dropped EXE 11 IoCs

Processes:

tmpD229.tmp.exetmpEB11.tmp.exedllhost.exetmp12F6.tmp.exetmp12F6.tmp.exetmp12F6.tmpSrv.exeDesktopLayer.exesvchost.comTMP837~1.EXETMP837~1Srv.exeDesktopLayer.exe

pid	process
1328	tmpD229.tmp.exe
2604	tmpEB11.tmp.exe
4776	dllhost.exe
1580	tmp12F6.tmp.exe
4500	tmp12F6.tmp.exe
2868	tmp12F6.tmpSrv.exe
3012	DesktopLayer.exe
4228	svchost.com
4004	TMP837~1.EXE
2780	TMP837~1Srv.exe
4868	DesktopLayer.exe

Modifies Windows Firewall 1 TTPs 3 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exenetsh.exe

pid process

1932 netsh.exe
3644 netsh.exe
4740 netsh.exe

pid	process
1932	netsh.exe
3644	netsh.exe
4740	netsh.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3582-490\tmp12F6.tmpSrv.exe	upx
C:\Users\Admin\AppData\Local\Temp\3582-490\tmp12F6.tmpSrv.exe	upx
behavioral2/memory/2868-161-0x0000000000400000-0x000000000042E000-memory.dmp	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
behavioral2/memory/3012-165-0x0000000000400000-0x000000000042E000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\TMP837~1.EXE	upx
C:\Users\Admin\AppData\Local\Temp\TMP837~1.EXE	upx
C:\Users\Admin\AppData\Local\Temp\tmp8374.tmp.exe	upx
C:\Users\Admin\AppData\Local\Temp\TMP837~1Srv.exe	upx
C:\Users\Admin\AppData\Local\Temp\TMP837~1Srv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
behavioral2/memory/2780-181-0x0000000000400000-0x000000000042E000-memory.dmp	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
behavioral2/memory/4004-178-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/4004-183-0x0000000000400000-0x000000000041D000-memory.dmp	upx

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

hello.exetmpD229.tmp.exedllhost.exetmp12F6.tmp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	hello.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	tmpD229.tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	tmp12F6.tmp.exe

Drops startup file 4 IoCs

Processes:

hello.exedllhost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\17a12256c22089ecda68e950006be021.exe	hello.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\17a12256c22089ecda68e950006be021.exe	hello.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\413491cbe232876548b9b7cd8a1b451d.exe	dllhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\413491cbe232876548b9b7cd8a1b451d.exe	dllhost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

hello.exetmpEB11.tmp.exedllhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\17a12256c22089ecda68e950006be021 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\hello.exe\" .."	hello.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\17a12256c22089ecda68e950006be021 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\hello.exe\" .."	hello.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\075bed74890e43c52d546584d6c1b9c7 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpEB11.tmp.exe\" .."	tmpEB11.tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\075bed74890e43c52d546584d6c1b9c7 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpEB11.tmp.exe\" .."	tmpEB11.tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\413491cbe232876548b9b7cd8a1b451d = "\"C:\\Users\\Admin\\AppData\\Roaming\\dllhost.exe\" .."	dllhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\413491cbe232876548b9b7cd8a1b451d = "\"C:\\Users\\Admin\\AppData\\Roaming\\dllhost.exe\" .."	dllhost.exe

Drops autorun.inf file 1 TTPs 3 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Processes:

dllhost.exe

description ioc process

File created D:\autorun.inf dllhost.exe
File created C:\autorun.inf dllhost.exe
File opened for modification C:\autorun.inf dllhost.exe

description	ioc	process
File created	D:\autorun.inf	dllhost.exe
File created	C:\autorun.inf	dllhost.exe
File opened for modification	C:\autorun.inf	dllhost.exe

Drops file in Program Files directory 64 IoCs

Processes:

tmp12F6.tmp.exetmp12F6.tmpSrv.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\DESKTO~1.EXE	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE	tmp12F6.tmp.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px146D.tmp	tmp12F6.tmpSrv.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	tmp12F6.tmp.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	tmp12F6.tmpSrv.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13157~1.61\MICROS~1.EXE	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	tmp12F6.tmp.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	tmp12F6.tmp.exe

Drops file in Windows directory 2 IoCs

Processes:

tmp12F6.tmp.exesvchost.com

description ioc process

File opened for modification C:\Windows\svchost.com tmp12F6.tmp.exe
File opened for modification C:\Windows\directx.sys svchost.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	tmp12F6.tmp.exe
File opened for modification	C:\Windows\directx.sys	svchost.com

Modifies Internet Explorer settings 1 TTPs 14 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEiexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D47DA7A6-EDD7-11EC-B274-F23C9496A3E7} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Modifies registry class 2 IoCs

Processes:

tmp12F6.tmp.exedllhost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	tmp12F6.tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	dllhost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

dllhost.exe

pid	process
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe
4776	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dllhost.exe

pid process

4776 dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

hello.exetmpEB11.tmp.exedllhost.exe

description	pid	process
Token: SeDebugPrivilege	2360	hello.exe
Token: 33	2360	hello.exe
Token: SeIncBasePriorityPrivilege	2360	hello.exe
Token: 33	2360	hello.exe
Token: SeIncBasePriorityPrivilege	2360	hello.exe
Token: 33	2360	hello.exe
Token: SeIncBasePriorityPrivilege	2360	hello.exe
Token: 33	2360	hello.exe
Token: SeIncBasePriorityPrivilege	2360	hello.exe
Token: SeDebugPrivilege	2604	tmpEB11.tmp.exe
Token: SeDebugPrivilege	4776	dllhost.exe
Token: 33	2604	tmpEB11.tmp.exe
Token: SeIncBasePriorityPrivilege	2604	tmpEB11.tmp.exe
Token: 33	4776	dllhost.exe
Token: SeIncBasePriorityPrivilege	4776	dllhost.exe
Token: 33	2360	hello.exe
Token: SeIncBasePriorityPrivilege	2360	hello.exe
Token: 33	2604	tmpEB11.tmp.exe
Token: SeIncBasePriorityPrivilege	2604	tmpEB11.tmp.exe
Token: 33	4776	dllhost.exe
Token: SeIncBasePriorityPrivilege	4776	dllhost.exe
Token: 33	2604	tmpEB11.tmp.exe
Token: SeIncBasePriorityPrivilege	2604	tmpEB11.tmp.exe
Token: 33	2360	hello.exe
Token: SeIncBasePriorityPrivilege	2360	hello.exe
Token: 33	2604	tmpEB11.tmp.exe
Token: SeIncBasePriorityPrivilege	2604	tmpEB11.tmp.exe
Token: 33	4776	dllhost.exe
Token: SeIncBasePriorityPrivilege	4776	dllhost.exe
Token: 33	2360	hello.exe
Token: SeIncBasePriorityPrivilege	2360	hello.exe
Token: 33	2604	tmpEB11.tmp.exe
Token: SeIncBasePriorityPrivilege	2604	tmpEB11.tmp.exe
Token: 33	4776	dllhost.exe
Token: SeIncBasePriorityPrivilege	4776	dllhost.exe
Token: 33	2604	tmpEB11.tmp.exe
Token: SeIncBasePriorityPrivilege	2604	tmpEB11.tmp.exe
Token: 33	2360	hello.exe
Token: SeIncBasePriorityPrivilege	2360	hello.exe
Token: 33	2604	tmpEB11.tmp.exe
Token: SeIncBasePriorityPrivilege	2604	tmpEB11.tmp.exe
Token: 33	4776	dllhost.exe
Token: SeIncBasePriorityPrivilege	4776	dllhost.exe
Token: 33	2360	hello.exe
Token: SeIncBasePriorityPrivilege	2360	hello.exe
Token: 33	2604	tmpEB11.tmp.exe
Token: SeIncBasePriorityPrivilege	2604	tmpEB11.tmp.exe
Token: 33	2604	tmpEB11.tmp.exe
Token: SeIncBasePriorityPrivilege	2604	tmpEB11.tmp.exe
Token: 33	4776	dllhost.exe
Token: SeIncBasePriorityPrivilege	4776	dllhost.exe
Token: 33	2360	hello.exe
Token: SeIncBasePriorityPrivilege	2360	hello.exe
Token: 33	2604	tmpEB11.tmp.exe
Token: SeIncBasePriorityPrivilege	2604	tmpEB11.tmp.exe
Token: 33	4776	dllhost.exe
Token: SeIncBasePriorityPrivilege	4776	dllhost.exe
Token: 33	2604	tmpEB11.tmp.exe
Token: SeIncBasePriorityPrivilege	2604	tmpEB11.tmp.exe
Token: 33	2360	hello.exe
Token: SeIncBasePriorityPrivilege	2360	hello.exe
Token: 33	2604	tmpEB11.tmp.exe
Token: SeIncBasePriorityPrivilege	2604	tmpEB11.tmp.exe
Token: 33	4776	dllhost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid process

764 iexplore.exe
764 iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
764	iexplore.exe
764	iexplore.exe
556	IEXPLORE.EXE
556	IEXPLORE.EXE
556	IEXPLORE.EXE
556	IEXPLORE.EXE
764	iexplore.exe
764	iexplore.exe
448	IEXPLORE.EXE
448	IEXPLORE.EXE
448	IEXPLORE.EXE
448	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

hello.exetmpD229.tmp.exetmpEB11.tmp.exedllhost.exetmp12F6.tmp.exetmp12F6.tmp.exetmp12F6.tmpSrv.exeDesktopLayer.exeiexplore.exesvchost.comTMP837~1.EXETMP837~1Srv.exeDesktopLayer.exe

description	pid	process	target process
PID 2360 wrote to memory of 4740	2360	hello.exe	netsh.exe
PID 2360 wrote to memory of 4740	2360	hello.exe	netsh.exe
PID 2360 wrote to memory of 4740	2360	hello.exe	netsh.exe
PID 2360 wrote to memory of 1328	2360	hello.exe	tmpD229.tmp.exe
PID 2360 wrote to memory of 1328	2360	hello.exe	tmpD229.tmp.exe
PID 2360 wrote to memory of 1328	2360	hello.exe	tmpD229.tmp.exe
PID 2360 wrote to memory of 2604	2360	hello.exe	tmpEB11.tmp.exe
PID 2360 wrote to memory of 2604	2360	hello.exe	tmpEB11.tmp.exe
PID 2360 wrote to memory of 2604	2360	hello.exe	tmpEB11.tmp.exe
PID 1328 wrote to memory of 4776	1328	tmpD229.tmp.exe	dllhost.exe
PID 1328 wrote to memory of 4776	1328	tmpD229.tmp.exe	dllhost.exe
PID 1328 wrote to memory of 4776	1328	tmpD229.tmp.exe	dllhost.exe
PID 2604 wrote to memory of 1932	2604	tmpEB11.tmp.exe	netsh.exe
PID 2604 wrote to memory of 1932	2604	tmpEB11.tmp.exe	netsh.exe
PID 2604 wrote to memory of 1932	2604	tmpEB11.tmp.exe	netsh.exe
PID 4776 wrote to memory of 3644	4776	dllhost.exe	netsh.exe
PID 4776 wrote to memory of 3644	4776	dllhost.exe	netsh.exe
PID 4776 wrote to memory of 3644	4776	dllhost.exe	netsh.exe
PID 4776 wrote to memory of 1580	4776	dllhost.exe	tmp12F6.tmp.exe
PID 4776 wrote to memory of 1580	4776	dllhost.exe	tmp12F6.tmp.exe
PID 4776 wrote to memory of 1580	4776	dllhost.exe	tmp12F6.tmp.exe
PID 1580 wrote to memory of 4500	1580	tmp12F6.tmp.exe	tmp12F6.tmp.exe
PID 1580 wrote to memory of 4500	1580	tmp12F6.tmp.exe	tmp12F6.tmp.exe
PID 1580 wrote to memory of 4500	1580	tmp12F6.tmp.exe	tmp12F6.tmp.exe
PID 4500 wrote to memory of 2868	4500	tmp12F6.tmp.exe	tmp12F6.tmpSrv.exe
PID 4500 wrote to memory of 2868	4500	tmp12F6.tmp.exe	tmp12F6.tmpSrv.exe
PID 4500 wrote to memory of 2868	4500	tmp12F6.tmp.exe	tmp12F6.tmpSrv.exe
PID 2868 wrote to memory of 3012	2868	tmp12F6.tmpSrv.exe	DesktopLayer.exe
PID 2868 wrote to memory of 3012	2868	tmp12F6.tmpSrv.exe	DesktopLayer.exe
PID 2868 wrote to memory of 3012	2868	tmp12F6.tmpSrv.exe	DesktopLayer.exe
PID 3012 wrote to memory of 764	3012	DesktopLayer.exe	iexplore.exe
PID 3012 wrote to memory of 764	3012	DesktopLayer.exe	iexplore.exe
PID 764 wrote to memory of 556	764	iexplore.exe	IEXPLORE.EXE
PID 764 wrote to memory of 556	764	iexplore.exe	IEXPLORE.EXE
PID 764 wrote to memory of 556	764	iexplore.exe	IEXPLORE.EXE
PID 4776 wrote to memory of 4228	4776	dllhost.exe	svchost.com
PID 4776 wrote to memory of 4228	4776	dllhost.exe	svchost.com
PID 4776 wrote to memory of 4228	4776	dllhost.exe	svchost.com
PID 4228 wrote to memory of 4004	4228	svchost.com	TMP837~1.EXE
PID 4228 wrote to memory of 4004	4228	svchost.com	TMP837~1.EXE
PID 4228 wrote to memory of 4004	4228	svchost.com	TMP837~1.EXE
PID 4004 wrote to memory of 2780	4004	TMP837~1.EXE	TMP837~1Srv.exe
PID 4004 wrote to memory of 2780	4004	TMP837~1.EXE	TMP837~1Srv.exe
PID 4004 wrote to memory of 2780	4004	TMP837~1.EXE	TMP837~1Srv.exe
PID 2780 wrote to memory of 4868	2780	TMP837~1Srv.exe	DesktopLayer.exe
PID 2780 wrote to memory of 4868	2780	TMP837~1Srv.exe	DesktopLayer.exe
PID 2780 wrote to memory of 4868	2780	TMP837~1Srv.exe	DesktopLayer.exe
PID 4868 wrote to memory of 3308	4868	DesktopLayer.exe	iexplore.exe
PID 4868 wrote to memory of 3308	4868	DesktopLayer.exe	iexplore.exe
PID 764 wrote to memory of 448	764	iexplore.exe	IEXPLORE.EXE
PID 764 wrote to memory of 448	764	iexplore.exe	IEXPLORE.EXE
PID 764 wrote to memory of 448	764	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\hello.exe
"C:\Users\Admin\AppData\Local\Temp\hello.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2360

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\hello.exe" "hello.exe" ENABLE
2⤵
- Modifies Windows Firewall
PID:4740

C:\Users\Admin\AppData\Local\Temp\tmpD229.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpD229.tmp.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1328

C:\Users\Admin\AppData\Roaming\dllhost.exe
"C:\Users\Admin\AppData\Roaming\dllhost.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Drops autorun.inf file
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4776

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\dllhost.exe" "dllhost.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:3644

C:\Users\Admin\AppData\Local\Temp\tmp12F6.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp12F6.tmp.exe"
4⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1580

C:\Users\Admin\AppData\Local\Temp\3582-490\tmp12F6.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\tmp12F6.tmp.exe"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4500

C:\Users\Admin\AppData\Local\Temp\3582-490\tmp12F6.tmpSrv.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\tmp12F6.tmpSrv.exe
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2868

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:764

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:764 CREDAT:17410 /prefetch:2
9⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:556

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:764 CREDAT:82950 /prefetch:2
9⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:448

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\TMP837~1.EXE"
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4228

C:\Users\Admin\AppData\Local\Temp\TMP837~1.EXE
C:\Users\Admin\AppData\Local\Temp\TMP837~1.EXE
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4004

C:\Users\Admin\AppData\Local\Temp\TMP837~1Srv.exe
C:\Users\Admin\AppData\Local\Temp\TMP837~1Srv.exe
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4868

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
- Modifies Internet Explorer settings
PID:3308

C:\Users\Admin\AppData\Local\Temp\tmpEB11.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpEB11.tmp.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\tmpEB11.tmp.exe" "tmpEB11.tmp.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:1932

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Change Default File Association

T1042

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\tmp12F6.tmp.exe
Filesize
112KB

MD5
9a1b04a62283ab9848be4331ba124d0c

SHA1
f83fdad90c24e41987b44a022db3856c9ff22368

SHA256
3c782281df50b6286b774ce47c94da5b8283e73d285cf3412514c060fbb5405a

SHA512
393cc7cd603ee0f1f65085460c868339ae78e2616902da2ac25e2f45a453674f0bb94f5f1da3d62118d4cf7ec1d377f805ef3b74ce40fb368357055fe09740cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\tmp12F6.tmp.exe
Filesize
112KB

MD5
9a1b04a62283ab9848be4331ba124d0c

SHA1
f83fdad90c24e41987b44a022db3856c9ff22368

SHA256
3c782281df50b6286b774ce47c94da5b8283e73d285cf3412514c060fbb5405a

SHA512
393cc7cd603ee0f1f65085460c868339ae78e2616902da2ac25e2f45a453674f0bb94f5f1da3d62118d4cf7ec1d377f805ef3b74ce40fb368357055fe09740cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\tmp12F6.tmpSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\tmp12F6.tmpSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMP837~1.EXE
Filesize
65KB

MD5
c1de9eca3223daed0bc2ae4816193d94

SHA1
802d287f4b04454349ca29edf759c8a17c1001fa

SHA256
da7ad7681972d3bad124bb4896d74cee40f5aa86d07ecfbd81050c6cc1619e8c

SHA512
1ffc95367e960652cd78d99b6a7a38d8056b46dca5f59ada7f4c2dc620d829a43e96610c8bfa36268e1b5037bd9ce7225a050d53fef32cfd9309af3cdc4627a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMP837~1.EXE
Filesize
65KB

MD5
c1de9eca3223daed0bc2ae4816193d94

SHA1
802d287f4b04454349ca29edf759c8a17c1001fa

SHA256
da7ad7681972d3bad124bb4896d74cee40f5aa86d07ecfbd81050c6cc1619e8c

SHA512
1ffc95367e960652cd78d99b6a7a38d8056b46dca5f59ada7f4c2dc620d829a43e96610c8bfa36268e1b5037bd9ce7225a050d53fef32cfd9309af3cdc4627a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMP837~1Srv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMP837~1Srv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp12F6.tmp.exe
Filesize
152KB

MD5
a83982b0882253cabec61f523f16954e

SHA1
fcd593b4380735520b2f77fa7243abd5bcc61c56

SHA256
b299476128e76cee29e3bc7b3cca388ebc60f38e7bde79d0d348c16b197b6e29

SHA512
e2b38461813afd7246bc836c276625ac58c568a0176f5990c14eb46dbf7ff7b30d181dacee0c29f3b37efde75f17a7105513a2a4bc35e0490899513caf3f9468

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp12F6.tmp.exe
Filesize
152KB

MD5
a83982b0882253cabec61f523f16954e

SHA1
fcd593b4380735520b2f77fa7243abd5bcc61c56

SHA256
b299476128e76cee29e3bc7b3cca388ebc60f38e7bde79d0d348c16b197b6e29

SHA512
e2b38461813afd7246bc836c276625ac58c568a0176f5990c14eb46dbf7ff7b30d181dacee0c29f3b37efde75f17a7105513a2a4bc35e0490899513caf3f9468

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8374.tmp.exe
Filesize
65KB

MD5
c1de9eca3223daed0bc2ae4816193d94

SHA1
802d287f4b04454349ca29edf759c8a17c1001fa

SHA256
da7ad7681972d3bad124bb4896d74cee40f5aa86d07ecfbd81050c6cc1619e8c

SHA512
1ffc95367e960652cd78d99b6a7a38d8056b46dca5f59ada7f4c2dc620d829a43e96610c8bfa36268e1b5037bd9ce7225a050d53fef32cfd9309af3cdc4627a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD229.tmp.exe
Filesize
37KB

MD5
73196f394725a9623d84a512cdddf6ce

SHA1
4d24d92f70b2cbce52b1b173162b8f504ee7752f

SHA256
ee4ab4017c6e9c0883b2c1e42d0f0264f178ad2c6416e07d77169fdf94d1b1a4

SHA512
9c7d00237665f6a1df06217d156cbf07e499f60a7b4eb807b2df107f7392d710cb2439d524827b50492578c652ba20b81f95e4e0eee9f144330847f041971ed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD229.tmp.exe
Filesize
37KB

MD5
73196f394725a9623d84a512cdddf6ce

SHA1
4d24d92f70b2cbce52b1b173162b8f504ee7752f

SHA256
ee4ab4017c6e9c0883b2c1e42d0f0264f178ad2c6416e07d77169fdf94d1b1a4

SHA512
9c7d00237665f6a1df06217d156cbf07e499f60a7b4eb807b2df107f7392d710cb2439d524827b50492578c652ba20b81f95e4e0eee9f144330847f041971ed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEB11.tmp.exe
Filesize
32KB

MD5
00b5c86717162d1d8b22334fe21b9041

SHA1
eada1b62b4d7e5ddcbdf57aa1fea6312d218e154

SHA256
60411ad95716024ff295b429667ca3363b12a9fa23f795f42ef51609d05b9036

SHA512
e6b5563070f56f6c76c103ef56592f52bff2657393983a05364619b374deee919424493fba70c63100c806ad4a98ab81c9db04e1285fe5f31d80ab1131b04a07

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEB11.tmp.exe
Filesize
32KB

MD5
00b5c86717162d1d8b22334fe21b9041

SHA1
eada1b62b4d7e5ddcbdf57aa1fea6312d218e154

SHA256
60411ad95716024ff295b429667ca3363b12a9fa23f795f42ef51609d05b9036

SHA512
e6b5563070f56f6c76c103ef56592f52bff2657393983a05364619b374deee919424493fba70c63100c806ad4a98ab81c9db04e1285fe5f31d80ab1131b04a07

Download Submit
C:\Users\Admin\AppData\Roaming\dllhost.exe
Filesize
37KB

MD5
73196f394725a9623d84a512cdddf6ce

SHA1
4d24d92f70b2cbce52b1b173162b8f504ee7752f

SHA256
ee4ab4017c6e9c0883b2c1e42d0f0264f178ad2c6416e07d77169fdf94d1b1a4

SHA512
9c7d00237665f6a1df06217d156cbf07e499f60a7b4eb807b2df107f7392d710cb2439d524827b50492578c652ba20b81f95e4e0eee9f144330847f041971ed6

Download Submit
C:\Users\Admin\AppData\Roaming\dllhost.exe
Filesize
37KB

MD5
73196f394725a9623d84a512cdddf6ce

SHA1
4d24d92f70b2cbce52b1b173162b8f504ee7752f

SHA256
ee4ab4017c6e9c0883b2c1e42d0f0264f178ad2c6416e07d77169fdf94d1b1a4

SHA512
9c7d00237665f6a1df06217d156cbf07e499f60a7b4eb807b2df107f7392d710cb2439d524827b50492578c652ba20b81f95e4e0eee9f144330847f041971ed6

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
memory/1328-133-0x0000000000000000-mapping.dmp

Download
memory/1328-136-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/1328-143-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/1580-150-0x0000000000000000-mapping.dmp

Download
memory/1932-146-0x0000000000000000-mapping.dmp

Download
memory/2360-130-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/2360-132-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/2604-148-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/2604-137-0x0000000000000000-mapping.dmp

Download
memory/2604-144-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/2780-181-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2780-184-0x0000000000550000-0x000000000055F000-memory.dmp

Filesize
60KB

Download
memory/2780-173-0x0000000000000000-mapping.dmp

Download
memory/2780-182-0x0000000000550000-0x000000000055F000-memory.dmp

Filesize
60KB

Download
memory/2868-156-0x0000000000000000-mapping.dmp

Download
memory/2868-161-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3012-164-0x0000000000470000-0x000000000047F000-memory.dmp

Filesize
60KB

Download
memory/3012-165-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3012-159-0x0000000000000000-mapping.dmp

Download
memory/3644-147-0x0000000000000000-mapping.dmp

Download
memory/4004-170-0x0000000000000000-mapping.dmp

Download
memory/4004-178-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4004-183-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4228-166-0x0000000000000000-mapping.dmp

Download
memory/4500-153-0x0000000000000000-mapping.dmp

Download
memory/4500-163-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4740-131-0x0000000000000000-mapping.dmp

Download
memory/4776-149-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/4776-140-0x0000000000000000-mapping.dmp

Download
memory/4776-145-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/4868-177-0x0000000000000000-mapping.dmp

Download