Analysis
max time kernel: 155s
max time network: 174s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 16-06-2022 22:51

Behavioral task: behavioral1
Sample: hello.exe
Resource: win7-20220414-en
General
Target: hello.exe
Size: 37KB
MD5: f6578c4f484063121bb63109b543fb95
SHA1: baae4772f958a85f2420a7c112f3b0ee02f962ce
SHA256: c27c8f029c0ce21a116cdb60c78676cac7ea9dd38aab8bf5c394075b407d6f5e
SHA512: 882590671a309211271e40665ad0561c2f9474aac477a55dbe79e58122cb4370854641e84a9bd7d2d138eca3bef2d2453bacac501042139a7ec74cd37cacd87c
Malware Config
Extracted
Family: njrat
Version: im523
Botnet: NEXT
C2: 109.197.196.135:9991
Mutex: 413491cbe232876548b9b7cd8a1b451d
Attributes
reg_key: 413491cbe232876548b9b7cd8a1b451d
splitter: |'|'|
Signatures

Detect Neshta Payload 4 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\tmp12F6.tmp.exe | family_neshta
C:\Users\Admin\AppData\Local\Temp\tmp12F6.tmp.exe | family_neshta
C:\Windows\svchost.com | family_neshta
C:\Windows\svchost.com | family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | tmp12F6.tmp.exe
Neshta
Malware from the Neshta family infects other files with copies of itself in order to spread and cause damage.
-
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
-
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)
-
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Message)
-
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Desktop)
-
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop)
-
Executes dropped EXE 11 IoCs
Processes:
pid | process
1328 | tmpD229.tmp.exe
2604 | tmpEB11.tmp.exe
4776 | dllhost.exe
1580 | tmp12F6.tmp.exe
4500 | tmp12F6.tmp.exe
2868 | tmp12F6.tmpSrv.exe
3012 | DesktopLayer.exe
4228 | svchost.com
4004 | TMP837~1.EXE
2780 | TMP837~1Srv.exe
4868 | DesktopLayer.exe

Modifies Windows Firewall 1 TTPs 3 IoCs
Processes:
pid | process
1932 | netsh.exe
3644 | netsh.exe
4740 | netsh.exe
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\3582-490\tmp12F6.tmpSrv.exe | upx
C:\Users\Admin\AppData\Local\Temp\3582-490\tmp12F6.tmpSrv.exe | upx
behavioral2/memory/2868-161-0x0000000000400000-0x000000000042E000-memory.dmp | upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe | upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe | upx
behavioral2/memory/3012-165-0x0000000000400000-0x000000000042E000-memory.dmp | upx
C:\Users\Admin\AppData\Local\Temp\TMP837~1.EXE | upx
C:\Users\Admin\AppData\Local\Temp\TMP837~1.EXE | upx
C:\Users\Admin\AppData\Local\Temp\tmp8374.tmp.exe | upx
C:\Users\Admin\AppData\Local\Temp\TMP837~1Srv.exe | upx
C:\Users\Admin\AppData\Local\Temp\TMP837~1Srv.exe | upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe | upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe | upx
behavioral2/memory/2780-181-0x0000000000400000-0x000000000042E000-memory.dmp | upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe | upx
behavioral2/memory/4004-178-0x0000000000400000-0x000000000041D000-memory.dmp | upx
behavioral2/memory/4004-183-0x0000000000400000-0x000000000041D000-memory.dmp | upx
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | hello.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | tmpD229.tmp.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | dllhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | tmp12F6.tmp.exe

Drops startup file 4 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\17a12256c22089ecda68e950006be021.exe | hello.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\17a12256c22089ecda68e950006be021.exe | hello.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\413491cbe232876548b9b7cd8a1b451d.exe | dllhost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\413491cbe232876548b9b7cd8a1b451d.exe | dllhost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 6 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\17a12256c22089ecda68e950006be021 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\hello.exe\" .." | hello.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\17a12256c22089ecda68e950006be021 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\hello.exe\" .." | hello.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\075bed74890e43c52d546584d6c1b9c7 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpEB11.tmp.exe\" .." | tmpEB11.tmp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\075bed74890e43c52d546584d6c1b9c7 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpEB11.tmp.exe\" .." | tmpEB11.tmp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\413491cbe232876548b9b7cd8a1b451d = "\"C:\\Users\\Admin\\AppData\\Roaming\\dllhost.exe\" .." | dllhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\413491cbe232876548b9b7cd8a1b451d = "\"C:\\Users\\Admin\\AppData\\Roaming\\dllhost.exe\" .." | dllhost.exe

Drops autorun.inf file 1 TTPs 3 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes:
description | ioc | process
File created | D:\autorun.inf | dllhost.exe
File created | C:\autorun.inf | dllhost.exe
File opened for modification | C:\autorun.inf | dllhost.exe
Drops file in Program Files directory 64 IoCs
Processes:
File opened for modification by tmp12F6.tmp.exe:
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe
C:\PROGRA~2\MICROS~1\DESKTO~1.EXE
C:\PROGRA~2\WINDOW~2\wabmig.exe
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE
C:\PROGRA~2\WINDOW~4\wmplayer.exe
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
C:\PROGRA~2\Google\Update\DISABL~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE
C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE
C:\PROGRA~2\INTERN~1\ieinstal.exe
C:\PROGRA~2\WINDOW~4\wmprph.exe
C:\PROGRA~2\WINDOW~4\wmpshare.exe
C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe
C:\PROGRA~2\WINDOW~4\wmpconfig.exe
C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE
C:\PROGRA~2\INTERN~1\iexplore.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE
C:\PROGRA~2\WI8A19~1\ImagingDevices.exe
C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE
C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE
C:\PROGRA~2\INTERN~1\ExtExport.exe
C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13157~1.61\MICROS~1.EXE
C:\PROGRA~2\WINDOW~4\setup_wm.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE
C:\PROGRA~2\WINDOW~2\wab.exe
File opened for modification by tmp12F6.tmpSrv.exe:
C:\Program Files (x86)\Microsoft\px146D.tmp
File created by tmp12F6.tmpSrv.exe:
C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Drops file in Windows directory 2 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\svchost.com | tmp12F6.tmp.exe
File opened for modification | C:\Windows\directx.sys | svchost.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D47DA7A6-EDD7-11EC-B274-F23C9496A3E7} = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe

Modifies registry class 2 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | tmp12F6.tmp.exe
Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings | dllhost.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
4776 | dllhost.exe (64 identical entries)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
4776 | dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (64 entries, grouped by token, pid and process):
description | pid | process
Token: SeDebugPrivilege | 2360 | hello.exe
Token: SeDebugPrivilege | 2604 | tmpEB11.tmp.exe
Token: SeDebugPrivilege | 4776 | dllhost.exe
Token: 33 | 2360 | hello.exe (11 entries)
Token: SeIncBasePriorityPrivilege | 2360 | hello.exe (11 entries)
Token: 33 | 2604 | tmpEB11.tmp.exe (12 entries)
Token: SeIncBasePriorityPrivilege | 2604 | tmpEB11.tmp.exe (12 entries)
Token: 33 | 4776 | dllhost.exe (8 entries)
Token: SeIncBasePriorityPrivilege | 4776 | dllhost.exe (7 entries)

Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid | process
764 | iexplore.exe (2 entries)

Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
pid | process
764 | iexplore.exe (4 entries)
556 | IEXPLORE.EXE (4 entries)
448 | IEXPLORE.EXE (4 entries)
Suspicious use of WriteProcessMemory 52 IoCs
Processes (52 entries, grouped by source and target; each line reads "pid process -> target pid target process"):
2360 hello.exe -> 4740 netsh.exe (3 entries)
2360 hello.exe -> 1328 tmpD229.tmp.exe (3 entries)
2360 hello.exe -> 2604 tmpEB11.tmp.exe (3 entries)
1328 tmpD229.tmp.exe -> 4776 dllhost.exe (3 entries)
2604 tmpEB11.tmp.exe -> 1932 netsh.exe (3 entries)
4776 dllhost.exe -> 3644 netsh.exe (3 entries)
4776 dllhost.exe -> 1580 tmp12F6.tmp.exe (3 entries)
1580 tmp12F6.tmp.exe -> 4500 tmp12F6.tmp.exe (3 entries)
4500 tmp12F6.tmp.exe -> 2868 tmp12F6.tmpSrv.exe (3 entries)
2868 tmp12F6.tmpSrv.exe -> 3012 DesktopLayer.exe (3 entries)
3012 DesktopLayer.exe -> 764 iexplore.exe (2 entries)
764 iexplore.exe -> 556 IEXPLORE.EXE (3 entries)
4776 dllhost.exe -> 4228 svchost.com (3 entries)
4228 svchost.com -> 4004 TMP837~1.EXE (3 entries)
4004 TMP837~1.EXE -> 2780 TMP837~1Srv.exe (3 entries)
2780 TMP837~1Srv.exe -> 4868 DesktopLayer.exe (3 entries)
4868 DesktopLayer.exe -> 3308 iexplore.exe (2 entries)
764 iexplore.exe -> 448 IEXPLORE.EXE (3 entries)
Processes
(tree depth is given by the leading number; each node lists its image path, its command line and the signatures that matched it)

1. C:\Users\Admin\AppData\Local\Temp\hello.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\hello.exe"
   - Checks computer location settings
   - Drops startup file
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

  2. C:\Windows\SysWOW64\netsh.exe
     command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\hello.exe" "hello.exe" ENABLE
     - Modifies Windows Firewall

  2. C:\Users\Admin\AppData\Local\Temp\tmpD229.tmp.exe
     command line: "C:\Users\Admin\AppData\Local\Temp\tmpD229.tmp.exe"
     - Executes dropped EXE
     - Checks computer location settings
     - Suspicious use of WriteProcessMemory

    3. C:\Users\Admin\AppData\Roaming\dllhost.exe
       command line: "C:\Users\Admin\AppData\Roaming\dllhost.exe"
       - Executes dropped EXE
       - Checks computer location settings
       - Drops startup file
       - Adds Run key to start application
       - Drops autorun.inf file
       - Modifies registry class
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious behavior: GetForegroundWindowSpam
       - Suspicious use of AdjustPrivilegeToken
       - Suspicious use of WriteProcessMemory

      4. C:\Windows\SysWOW64\netsh.exe
         command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\dllhost.exe" "dllhost.exe" ENABLE
         - Modifies Windows Firewall

      4. C:\Users\Admin\AppData\Local\Temp\tmp12F6.tmp.exe
         command line: "C:\Users\Admin\AppData\Local\Temp\tmp12F6.tmp.exe"
         - Modifies system executable filetype association
         - Executes dropped EXE
         - Checks computer location settings
         - Drops file in Program Files directory
         - Drops file in Windows directory
         - Modifies registry class
         - Suspicious use of WriteProcessMemory

        5. C:\Users\Admin\AppData\Local\Temp\3582-490\tmp12F6.tmp.exe
           command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\tmp12F6.tmp.exe"
           - Executes dropped EXE
           - Suspicious use of WriteProcessMemory

          6. C:\Users\Admin\AppData\Local\Temp\3582-490\tmp12F6.tmpSrv.exe
             command line: C:\Users\Admin\AppData\Local\Temp\3582-490\tmp12F6.tmpSrv.exe
             - Executes dropped EXE
             - Drops file in Program Files directory
             - Suspicious use of WriteProcessMemory

            7. C:\Program Files (x86)\Microsoft\DesktopLayer.exe
               command line: "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
               - Executes dropped EXE
               - Suspicious use of WriteProcessMemory

              8. C:\Program Files\Internet Explorer\iexplore.exe
                 command line: "C:\Program Files\Internet Explorer\iexplore.exe"
                 - Modifies Internet Explorer settings
                 - Suspicious use of FindShellTrayWindow
                 - Suspicious use of SetWindowsHookEx
                 - Suspicious use of WriteProcessMemory

                9. C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                   command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:764 CREDAT:17410 /prefetch:2
                   - Modifies Internet Explorer settings
                   - Suspicious use of SetWindowsHookEx

                9. C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                   command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:764 CREDAT:82950 /prefetch:2
                   - Modifies Internet Explorer settings
                   - Suspicious use of SetWindowsHookEx

      4. C:\Windows\svchost.com
         command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\TMP837~1.EXE"
         - Executes dropped EXE
         - Drops file in Windows directory
         - Suspicious use of WriteProcessMemory

        5. C:\Users\Admin\AppData\Local\Temp\TMP837~1.EXE
           command line: C:\Users\Admin\AppData\Local\Temp\TMP837~1.EXE
           - Executes dropped EXE
           - Suspicious use of WriteProcessMemory

          6. C:\Users\Admin\AppData\Local\Temp\TMP837~1Srv.exe
             command line: C:\Users\Admin\AppData\Local\Temp\TMP837~1Srv.exe
             - Executes dropped EXE
             - Suspicious use of WriteProcessMemory

            7. C:\Program Files (x86)\Microsoft\DesktopLayer.exe
               command line: "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
               - Executes dropped EXE
               - Suspicious use of WriteProcessMemory

              8. C:\Program Files\Internet Explorer\iexplore.exe
                 command line: "C:\Program Files\Internet Explorer\iexplore.exe"
                 - Modifies Internet Explorer settings

  2. C:\Users\Admin\AppData\Local\Temp\tmpEB11.tmp.exe
     command line: "C:\Users\Admin\AppData\Local\Temp\tmpEB11.tmp.exe"
     - Executes dropped EXE
     - Adds Run key to start application
     - Suspicious use of AdjustPrivilegeToken
     - Suspicious use of WriteProcessMemory

    3. C:\Windows\SysWOW64\netsh.exe
       command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\tmpEB11.tmp.exe" "tmpEB11.tmp.exe" ENABLE
       - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize: 55KB
MD5: ff5e1f27193ce51eec318714ef038bef
SHA1: b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256: fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512: c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
C:\Users\Admin\AppData\Local\Temp\3582-490\tmp12F6.tmp.exe
Filesize: 112KB
MD5: 9a1b04a62283ab9848be4331ba124d0c
SHA1: f83fdad90c24e41987b44a022db3856c9ff22368
SHA256: 3c782281df50b6286b774ce47c94da5b8283e73d285cf3412514c060fbb5405a
SHA512: 393cc7cd603ee0f1f65085460c868339ae78e2616902da2ac25e2f45a453674f0bb94f5f1da3d62118d4cf7ec1d377f805ef3b74ce40fb368357055fe09740cc
-
C:\Users\Admin\AppData\Local\Temp\3582-490\tmp12F6.tmpSrv.exe
Filesize: 55KB
MD5: ff5e1f27193ce51eec318714ef038bef
SHA1: b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256: fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512: c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
C:\Users\Admin\AppData\Local\Temp\TMP837~1.EXE
Filesize: 65KB
MD5: c1de9eca3223daed0bc2ae4816193d94
SHA1: 802d287f4b04454349ca29edf759c8a17c1001fa
SHA256: da7ad7681972d3bad124bb4896d74cee40f5aa86d07ecfbd81050c6cc1619e8c
SHA512: 1ffc95367e960652cd78d99b6a7a38d8056b46dca5f59ada7f4c2dc620d829a43e96610c8bfa36268e1b5037bd9ce7225a050d53fef32cfd9309af3cdc4627a0
-
C:\Users\Admin\AppData\Local\Temp\TMP837~1Srv.exeFilesize
55KB
MD5ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
C:\Users\Admin\AppData\Local\Temp\TMP837~1Srv.exeFilesize
55KB
MD5ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
C:\Users\Admin\AppData\Local\Temp\tmp12F6.tmp.exeFilesize
152KB
MD5a83982b0882253cabec61f523f16954e
SHA1fcd593b4380735520b2f77fa7243abd5bcc61c56
SHA256b299476128e76cee29e3bc7b3cca388ebc60f38e7bde79d0d348c16b197b6e29
SHA512e2b38461813afd7246bc836c276625ac58c568a0176f5990c14eb46dbf7ff7b30d181dacee0c29f3b37efde75f17a7105513a2a4bc35e0490899513caf3f9468
-
C:\Users\Admin\AppData\Local\Temp\tmp12F6.tmp.exeFilesize
152KB
MD5a83982b0882253cabec61f523f16954e
SHA1fcd593b4380735520b2f77fa7243abd5bcc61c56
SHA256b299476128e76cee29e3bc7b3cca388ebc60f38e7bde79d0d348c16b197b6e29
SHA512e2b38461813afd7246bc836c276625ac58c568a0176f5990c14eb46dbf7ff7b30d181dacee0c29f3b37efde75f17a7105513a2a4bc35e0490899513caf3f9468
-
C:\Users\Admin\AppData\Local\Temp\tmp8374.tmp.exeFilesize
65KB
MD5c1de9eca3223daed0bc2ae4816193d94
SHA1802d287f4b04454349ca29edf759c8a17c1001fa
SHA256da7ad7681972d3bad124bb4896d74cee40f5aa86d07ecfbd81050c6cc1619e8c
SHA5121ffc95367e960652cd78d99b6a7a38d8056b46dca5f59ada7f4c2dc620d829a43e96610c8bfa36268e1b5037bd9ce7225a050d53fef32cfd9309af3cdc4627a0
-
C:\Users\Admin\AppData\Local\Temp\tmpD229.tmp.exeFilesize
37KB
MD573196f394725a9623d84a512cdddf6ce
SHA14d24d92f70b2cbce52b1b173162b8f504ee7752f
SHA256ee4ab4017c6e9c0883b2c1e42d0f0264f178ad2c6416e07d77169fdf94d1b1a4
SHA5129c7d00237665f6a1df06217d156cbf07e499f60a7b4eb807b2df107f7392d710cb2439d524827b50492578c652ba20b81f95e4e0eee9f144330847f041971ed6
-
C:\Users\Admin\AppData\Local\Temp\tmpD229.tmp.exeFilesize
37KB
MD573196f394725a9623d84a512cdddf6ce
SHA14d24d92f70b2cbce52b1b173162b8f504ee7752f
SHA256ee4ab4017c6e9c0883b2c1e42d0f0264f178ad2c6416e07d77169fdf94d1b1a4
SHA5129c7d00237665f6a1df06217d156cbf07e499f60a7b4eb807b2df107f7392d710cb2439d524827b50492578c652ba20b81f95e4e0eee9f144330847f041971ed6
-
C:\Users\Admin\AppData\Local\Temp\tmpEB11.tmp.exeFilesize
32KB
MD500b5c86717162d1d8b22334fe21b9041
SHA1eada1b62b4d7e5ddcbdf57aa1fea6312d218e154
SHA25660411ad95716024ff295b429667ca3363b12a9fa23f795f42ef51609d05b9036
SHA512e6b5563070f56f6c76c103ef56592f52bff2657393983a05364619b374deee919424493fba70c63100c806ad4a98ab81c9db04e1285fe5f31d80ab1131b04a07
-
C:\Users\Admin\AppData\Local\Temp\tmpEB11.tmp.exeFilesize
32KB
MD500b5c86717162d1d8b22334fe21b9041
SHA1eada1b62b4d7e5ddcbdf57aa1fea6312d218e154
SHA25660411ad95716024ff295b429667ca3363b12a9fa23f795f42ef51609d05b9036
SHA512e6b5563070f56f6c76c103ef56592f52bff2657393983a05364619b374deee919424493fba70c63100c806ad4a98ab81c9db04e1285fe5f31d80ab1131b04a07
-
C:\Users\Admin\AppData\Roaming\dllhost.exeFilesize
37KB
MD573196f394725a9623d84a512cdddf6ce
SHA14d24d92f70b2cbce52b1b173162b8f504ee7752f
SHA256ee4ab4017c6e9c0883b2c1e42d0f0264f178ad2c6416e07d77169fdf94d1b1a4
SHA5129c7d00237665f6a1df06217d156cbf07e499f60a7b4eb807b2df107f7392d710cb2439d524827b50492578c652ba20b81f95e4e0eee9f144330847f041971ed6
-
C:\Users\Admin\AppData\Roaming\dllhost.exeFilesize
37KB
MD573196f394725a9623d84a512cdddf6ce
SHA14d24d92f70b2cbce52b1b173162b8f504ee7752f
SHA256ee4ab4017c6e9c0883b2c1e42d0f0264f178ad2c6416e07d77169fdf94d1b1a4
SHA5129c7d00237665f6a1df06217d156cbf07e499f60a7b4eb807b2df107f7392d710cb2439d524827b50492578c652ba20b81f95e4e0eee9f144330847f041971ed6
-
C:\Windows\svchost.comFilesize
40KB
MD536fd5e09c417c767a952b4609d73a54b
SHA1299399c5a2403080a5bf67fb46faec210025b36d
SHA256980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2
SHA5121813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92
-
C:\Windows\svchost.comFilesize
40KB
MD536fd5e09c417c767a952b4609d73a54b
SHA1299399c5a2403080a5bf67fb46faec210025b36d
SHA256980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2
SHA5121813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92
-