neshta | 1c6fe05278c9d74ecf0f6d76636a7945f2d72427dde2fdf3deac27fbb3272815

Analysis

max time kernel
152s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2022 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NLBrute 1.2 x64 & VPN - KeyGen.exe
Size

2.7MB
MD5

b5ab8cc485d3d593884cf23097922fcf
SHA1

94db6a99f0ccafee1afc706206e6064330c131fc
SHA256

1c6fe05278c9d74ecf0f6d76636a7945f2d72427dde2fdf3deac27fbb3272815
SHA512

7097d2d03e9820d5c930af5b75496b8e194f68097d3e1f0c70d46b8d743bbc504b02e2f429c4183e5fe0ff223cd200d3c22972691838b81a60da6a806b8f5d15

Score

10^/10

neshta njrat (01bx)evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

(01Bx)

d3co4r.duckdns.org:5552

Mutex

321cd4014403b2277502d40883f15d2d

Attributes

reg_key
321cd4014403b2277502d40883f15d2d
splitter
|'|'|

Signatures

Detect Neshta payload 30 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\NLBrute 1.2 x64 & VPN - KeyGen.exe	family_neshta
C:\Users\Admin\AppData\Roaming\NLBrute 1.2 x64 & VPN - KeyGen.exe	family_neshta
C:\Users\Admin\AppData\Roaming\Google Chrome.exe	family_neshta
C:\Users\Admin\AppData\Roaming\Google Chrome.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\odt\OFFICE~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\COOKIE~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\BHO\ie_to_edge_stub.exe	family_neshta
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\INSTAL~1\setup.exe	family_neshta
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\identity_helper.exe	family_neshta
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\elevation_service.exe	family_neshta
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\msedge.exe	family_neshta
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\msedge_pwa_launcher.exe	family_neshta
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\msedge_proxy.exe	family_neshta
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\msedgewebview2.exe	family_neshta
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	family_neshta
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\pwahelper.exe	family_neshta
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\notification_helper.exe	family_neshta
C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe	family_neshta
C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

NLBrute 1.2 x64 & VPN - KeyGen.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	NLBrute 1.2 x64 & VPN - KeyGen.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 6 IoCs

Processes:

NLBrute 1.2 x64 & VPN - KeyGen.exeGoogle Chrome.exesvchost.comGOOGLE~1.EXEsvchost.comChrome.exe

pid process

2044 NLBrute 1.2 x64 & VPN - KeyGen.exe
804 Google Chrome.exe
208 svchost.com
4784 GOOGLE~1.EXE
3148 svchost.com
616 Chrome.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

2188 netsh.exe

pid	process
2044	NLBrute 1.2 x64 & VPN - KeyGen.exe
804	Google Chrome.exe
208	svchost.com
4784	GOOGLE~1.EXE
3148	svchost.com
616	Chrome.exe

pid	process
2188	netsh.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

NLBrute 1.2 x64 & VPN - KeyGen.exeNLBrute 1.2 x64 & VPN - KeyGen.exeGoogle Chrome.exeGOOGLE~1.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	NLBrute 1.2 x64 & VPN - KeyGen.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	NLBrute 1.2 x64 & VPN - KeyGen.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Google Chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	GOOGLE~1.EXE

Drops startup file 2 IoCs

Processes:

Chrome.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\321cd4014403b2277502d40883f15d2d.exe	Chrome.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\321cd4014403b2277502d40883f15d2d.exe	Chrome.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Chrome.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\321cd4014403b2277502d40883f15d2d = "\"C:\\Users\\Admin\\AppData\\Roaming\\Chrome.exe\" .."	Chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\321cd4014403b2277502d40883f15d2d = "\"C:\\Users\\Admin\\AppData\\Roaming\\Chrome.exe\" .."	Chrome.exe

Drops file in Program Files directory 64 IoCs

Processes:

Google Chrome.exeNLBrute 1.2 x64 & VPN - KeyGen.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	Google Chrome.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	NLBrute 1.2 x64 & VPN - KeyGen.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	NLBrute 1.2 x64 & VPN - KeyGen.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MIA062~1.EXE	NLBrute 1.2 x64 & VPN - KeyGen.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	Google Chrome.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	NLBrute 1.2 x64 & VPN - KeyGen.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\IDENTI~1.EXE	Google Chrome.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	NLBrute 1.2 x64 & VPN - KeyGen.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	NLBrute 1.2 x64 & VPN - KeyGen.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	Google Chrome.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~1.EXE	NLBrute 1.2 x64 & VPN - KeyGen.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MIA062~1.EXE	Google Chrome.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	Google Chrome.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	NLBrute 1.2 x64 & VPN - KeyGen.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	Google Chrome.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	NLBrute 1.2 x64 & VPN - KeyGen.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13165~1.21\MICROS~1.EXE	NLBrute 1.2 x64 & VPN - KeyGen.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	Google Chrome.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	Google Chrome.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	NLBrute 1.2 x64 & VPN - KeyGen.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	NLBrute 1.2 x64 & VPN - KeyGen.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	NLBrute 1.2 x64 & VPN - KeyGen.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	NLBrute 1.2 x64 & VPN - KeyGen.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\MSEDGE~2.EXE	Google Chrome.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\IDENTI~1.EXE	NLBrute 1.2 x64 & VPN - KeyGen.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\MSEDGE~2.EXE	NLBrute 1.2 x64 & VPN - KeyGen.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	Google Chrome.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	Google Chrome.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	Google Chrome.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	NLBrute 1.2 x64 & VPN - KeyGen.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	Google Chrome.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	NLBrute 1.2 x64 & VPN - KeyGen.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	Google Chrome.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	Google Chrome.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	NLBrute 1.2 x64 & VPN - KeyGen.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	NLBrute 1.2 x64 & VPN - KeyGen.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	NLBrute 1.2 x64 & VPN - KeyGen.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\msedge.exe	NLBrute 1.2 x64 & VPN - KeyGen.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	Google Chrome.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	NLBrute 1.2 x64 & VPN - KeyGen.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	NLBrute 1.2 x64 & VPN - KeyGen.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	NLBrute 1.2 x64 & VPN - KeyGen.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	NLBrute 1.2 x64 & VPN - KeyGen.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	Google Chrome.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	NLBrute 1.2 x64 & VPN - KeyGen.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	NLBrute 1.2 x64 & VPN - KeyGen.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	Google Chrome.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	Google Chrome.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	NLBrute 1.2 x64 & VPN - KeyGen.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	NLBrute 1.2 x64 & VPN - KeyGen.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	NLBrute 1.2 x64 & VPN - KeyGen.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	NLBrute 1.2 x64 & VPN - KeyGen.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	Google Chrome.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	Google Chrome.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~3.EXE	NLBrute 1.2 x64 & VPN - KeyGen.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	NLBrute 1.2 x64 & VPN - KeyGen.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	Google Chrome.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	Google Chrome.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	Google Chrome.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	Google Chrome.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	Google Chrome.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\ELEVAT~1.EXE	NLBrute 1.2 x64 & VPN - KeyGen.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	NLBrute 1.2 x64 & VPN - KeyGen.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\NOTIFI~1.EXE	Google Chrome.exe

Drops file in Windows directory 6 IoCs

Processes:

svchost.comsvchost.comNLBrute 1.2 x64 & VPN - KeyGen.exeGoogle Chrome.exe

description	ioc	process
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	NLBrute 1.2 x64 & VPN - KeyGen.exe
File opened for modification	C:\Windows\svchost.com	Google Chrome.exe
File opened for modification	C:\Windows\directx.sys	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 3 IoCs

Processes:

GOOGLE~1.EXENLBrute 1.2 x64 & VPN - KeyGen.exeGoogle Chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	GOOGLE~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	NLBrute 1.2 x64 & VPN - KeyGen.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	Google Chrome.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

Chrome.exe

description	pid	process
Token: SeDebugPrivilege	616	Chrome.exe
Token: 33	616	Chrome.exe
Token: SeIncBasePriorityPrivilege	616	Chrome.exe
Token: 33	616	Chrome.exe
Token: SeIncBasePriorityPrivilege	616	Chrome.exe
Token: 33	616	Chrome.exe
Token: SeIncBasePriorityPrivilege	616	Chrome.exe
Token: 33	616	Chrome.exe
Token: SeIncBasePriorityPrivilege	616	Chrome.exe
Token: 33	616	Chrome.exe
Token: SeIncBasePriorityPrivilege	616	Chrome.exe
Token: 33	616	Chrome.exe
Token: SeIncBasePriorityPrivilege	616	Chrome.exe
Token: 33	616	Chrome.exe
Token: SeIncBasePriorityPrivilege	616	Chrome.exe
Token: 33	616	Chrome.exe
Token: SeIncBasePriorityPrivilege	616	Chrome.exe
Token: 33	616	Chrome.exe
Token: SeIncBasePriorityPrivilege	616	Chrome.exe
Token: 33	616	Chrome.exe
Token: SeIncBasePriorityPrivilege	616	Chrome.exe
Token: 33	616	Chrome.exe
Token: SeIncBasePriorityPrivilege	616	Chrome.exe
Token: 33	616	Chrome.exe
Token: SeIncBasePriorityPrivilege	616	Chrome.exe
Token: 33	616	Chrome.exe
Token: SeIncBasePriorityPrivilege	616	Chrome.exe
Token: 33	616	Chrome.exe
Token: SeIncBasePriorityPrivilege	616	Chrome.exe
Token: 33	616	Chrome.exe
Token: SeIncBasePriorityPrivilege	616	Chrome.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

NLBrute 1.2 x64 & VPN - KeyGen.exeGoogle Chrome.exesvchost.comGOOGLE~1.EXEsvchost.comChrome.exe

description	pid	process	target process
PID 4620 wrote to memory of 2044	4620	NLBrute 1.2 x64 & VPN - KeyGen.exe	NLBrute 1.2 x64 & VPN - KeyGen.exe
PID 4620 wrote to memory of 2044	4620	NLBrute 1.2 x64 & VPN - KeyGen.exe	NLBrute 1.2 x64 & VPN - KeyGen.exe
PID 4620 wrote to memory of 2044	4620	NLBrute 1.2 x64 & VPN - KeyGen.exe	NLBrute 1.2 x64 & VPN - KeyGen.exe
PID 4620 wrote to memory of 804	4620	NLBrute 1.2 x64 & VPN - KeyGen.exe	Google Chrome.exe
PID 4620 wrote to memory of 804	4620	NLBrute 1.2 x64 & VPN - KeyGen.exe	Google Chrome.exe
PID 4620 wrote to memory of 804	4620	NLBrute 1.2 x64 & VPN - KeyGen.exe	Google Chrome.exe
PID 804 wrote to memory of 208	804	Google Chrome.exe	svchost.com
PID 804 wrote to memory of 208	804	Google Chrome.exe	svchost.com
PID 804 wrote to memory of 208	804	Google Chrome.exe	svchost.com
PID 208 wrote to memory of 4784	208	svchost.com	GOOGLE~1.EXE
PID 208 wrote to memory of 4784	208	svchost.com	GOOGLE~1.EXE
PID 208 wrote to memory of 4784	208	svchost.com	GOOGLE~1.EXE
PID 4784 wrote to memory of 3148	4784	GOOGLE~1.EXE	svchost.com
PID 4784 wrote to memory of 3148	4784	GOOGLE~1.EXE	svchost.com
PID 4784 wrote to memory of 3148	4784	GOOGLE~1.EXE	svchost.com
PID 3148 wrote to memory of 616	3148	svchost.com	Chrome.exe
PID 3148 wrote to memory of 616	3148	svchost.com	Chrome.exe
PID 3148 wrote to memory of 616	3148	svchost.com	Chrome.exe
PID 616 wrote to memory of 2188	616	Chrome.exe	netsh.exe
PID 616 wrote to memory of 2188	616	Chrome.exe	netsh.exe
PID 616 wrote to memory of 2188	616	Chrome.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\NLBrute 1.2 x64 & VPN - KeyGen.exe
"C:\Users\Admin\AppData\Local\Temp\NLBrute 1.2 x64 & VPN - KeyGen.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4620
- C:\Users\Admin\AppData\Roaming\NLBrute 1.2 x64 & VPN - KeyGen.exe
  "C:\Users\Admin\AppData\Roaming\NLBrute 1.2 x64 & VPN - KeyGen.exe"
  2⤵
  - Modifies system executable filetype association
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  PID:2044
- C:\Users\Admin\AppData\Roaming\Google Chrome.exe
  "C:\Users\Admin\AppData\Roaming\Google Chrome.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:804
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\GOOGLE~1.EXE"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:208
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\GOOGLE~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\GOOGLE~1.EXE
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4784
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\Chrome.exe"
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:3148
      - C:\Users\Admin\AppData\Roaming\Chrome.exe
        
        C:\Users\Admin\AppData\Roaming\Chrome.exe
        6⤵
        Executes dropped EXE
        Drops startup file
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:616
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Chrome.exe" "Chrome.exe" ENABLE
        7⤵
        Modifies Windows Firewall
        
        PID:2188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\BHO\ie_to_edge_stub.exe

Filesize
537KB

MD5
365a79a3103889da0d1034eef90e150b

SHA1
9c6d6600212ceb9b712fea1d99d85e7ef7f748eb

SHA256
49593d97b8367cddb5e341e367c851573c076fa052639e08d933e5203b77b5ef

SHA512
08ad848319600e122f9de12d103104ea155be17205171669cd305e3c9d9ac500a4dc10938b1c094b2705a13b4aa2b67344a59635ed7cedc95e52e9eba9371684

Download Submit
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\INSTAL~1\setup.exe

Filesize
3.2MB

MD5
fe1b69272105afc35c59fdde851a0e73

SHA1
7407f32ccd3d444aac532dfa2dee59d6d38fb91a

SHA256
f68ee8f47c69284ceabde249d8f9406f35f085353a299a8707a24c6b34b775c6

SHA512
92fc046442048f67e0a5612f3d63e9b986d7803469737c226825415e91a9b2fdebd02bd951d082806cc8944e422c79ef29ffa4653a6364f4c1f5681c7ba043a3

Download Submit
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\elevation_service.exe

Filesize
1.7MB

MD5
2a52fd23291f3caca91b559c3dcd637f

SHA1
c2cef19fcb10d45e5e1c437a7e4246d500ed09a3

SHA256
2a228d131fd39876865c31dadd000193978618637ca12408e42f4060aa2f466c

SHA512
f189c9f0b68d6d6842113e048356565569f67e7e63c6d4563913c99038f0a0bb54b750f37c098a50936eb115d751265314abde27d5014c6c73011c031f82b248

Download Submit
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\identity_helper.exe

Filesize
1.1MB

MD5
04a1f566e84e3195b2da69ad9f3cd3c6

SHA1
66cf405b03dee4e8792b140b0f01913258c39f3f

SHA256
1783558c3b30f7c09efd44b76a09d85073bbdf27bdbc46de61783b9f7a76f3d2

SHA512
61e9543b78a31235a25ebc3135334fb1ded0124df8662074ac9944ef4086e920cc1c741e89a316cf44c53106f66254c605fb53e13d850f55d7de34191f405ad5

Download Submit
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\msedge.exe

Filesize
3.7MB

MD5
e1545cbdd197de221913344565f16c76

SHA1
3672b92456462879827edb7041bab80812ff8edd

SHA256
6ecc928d1a67f292103a6731630a942cf8b9bcb52ab6a1d47ed4f9202751b110

SHA512
a8186842890a851a9760d821d42490620e4e9f7906908ac63547913f9411502f45847155d844824e646068529b4112c7acd07ee1840294a347e07d293c0309ac

Download Submit
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\msedge_proxy.exe

Filesize
1.2MB

MD5
76b75235753ce5712585a0db78fe25c7

SHA1
b314e5c2c0a4e1fb6bf16978ed5bf66006bd9ac3

SHA256
b6fa887a2438cb5bea974731b5abff7b4291171644cd384aad91e8ccc243dca5

SHA512
137cf24400e60ddd85454d9b3344d10d2cab5cfde7b639150ebb895e122a803ba7a519a522e754a1df43f77b8cdf38e7cde7aff000f9c0ab734082bc18374fce

Download Submit
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\msedge_pwa_launcher.exe

Filesize
1.8MB

MD5
e9db236130389516b93f40c919c2619b

SHA1
2722717f25122719010bdb0b49bcbb6f9a9d69ac

SHA256
3d3c7ff298fa5d2914470fc32fcb92a82d1ce8924933221895bcbab49d29eab8

SHA512
5bc6fbd9f97754bf4ec44ee7101d86657a35af6ee3a1b0b79bba4fbffffbfbf3b5836bffe9dd7db495c5688c8b7b291e52b0a6c89ea1f5e41e79507e49f30598

Download Submit
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\msedgewebview2.exe

Filesize
3.2MB

MD5
816bf809bdab7e95c6f16b38f619a527

SHA1
5bc139e11d077e8fa88394fb610f63f629f3b86d

SHA256
75367284d50434c966d4126241682829523a0baa1c03163b9383433182433a75

SHA512
1e7fbdbfcfb805691ca402acb7da16222da3f6d923db3cc5fe36cb7e677159f5a4b3ab8397d4d34ed82dc389220721bd40d37e35ecc57411133a1601fca1555c

Download Submit
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\notification_helper.exe

Filesize
1.3MB

MD5
2a46785ab8b2aad2bf6630d12a17a6ce

SHA1
e9704d280ea3589c3b4c1d808a5ff0efe83bc330

SHA256
1bb2b789bf7890e583958a213a20a20c920972ecac9e1874c04b49d28f69f224

SHA512
5efb0fdfbadca4698879249f5a2d07846012394c50695f663c18f469e887124819537bb71b179d427886e1325bc201cd28bd499fb75d2bdff01dfdf8a13db94e

Download Submit
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\pwahelper.exe

Filesize
1.1MB

MD5
25689bf879a14f124ea71db500ddb522

SHA1
36dc53850fef561a5ecbb3acdaaaa8aa7868c14c

SHA256
2bd534244e50c34d36957c30cb26077ef7e91635eb93df15d1b16c867b125c3f

SHA512
fc182276d7187bbb941c171dc70900bdbf81591f83559dd3c0be2f2467ca66c853a5e5cc6affff5870cd0fbd6dcd0db69bb8f55068085eb39fb61b3cfdcd0ed3

Download Submit
C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\COOKIE~1.EXE

Filesize
156KB

MD5
5ad8dd7a663f101ffeddfcd6bae2f9cf

SHA1
67fabad5399c2e46191c1132e0874a6cc2b208f8

SHA256
6a4a49328946be26ca31632af3e5441ba2b8247a51671de188c86821f1eb890b

SHA512
1db427eee862578fa4ce1e40071df6e5b6db3f67546d15a497a4714ee4b1de6dd8d7aba73681dc8e9f23f135f5ca71dcd8dfd9abaf1620ab578e5ef63e36968a

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE

Filesize
1.6MB

MD5
41b1e87b538616c6020369134cbce857

SHA1
a255c7fef7ba2fc1a7c45d992270d5af023c5f67

SHA256
08465cc139ee50a7497f8c842f74730d3a8f1a73c0b7caca95e9e6d37d3beed3

SHA512
3a354d3577b45f6736203d5a35a2d1d543da2d1e268cefeffe6bdb723ff63c720ceb2838701144f5fec611470d77649846e0fb4770d6439f321f6b819f03e4db

Download Submit
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE

Filesize
279KB

MD5
f2056a3543ba9b6b6dde4346614b7f82

SHA1
139129616c3a9025a5cb16f9ad69018246bd9e2d

SHA256
2bab7d64d5327ca21ffd13df88b30431d0b8c0dd6cad8f4bb4db33eeb2b37d1e

SHA512
e11d1c65e046a0a6817cec4d17df1b7f5849fdb5b95527fdef78f0c433294fd2186037116a581ec3a66b07f1ab75cd8e60e408005cd64bc5eacc61a582da0942

Download Submit
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE

Filesize
129KB

MD5
e7d2d4bedb99f13e7be8338171e56dbf

SHA1
8dafd75ae2c13d99e5ef8c0e9362a445536c31b5

SHA256
c8ef54853df3a3b64aa4b1ecfb91615d616c7ff998589e5a3434118611ad2a24

SHA512
2017dea799cc03b02a17e3616fb6fbe8c86ab2450b1aaf147fce1e67cc472ded12befd686d395386ffdaa992145996eb421d61d3a922cea45e94ac40eef76adc

Download Submit
C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe

Filesize
534KB

MD5
8a403bc371b84920c641afa3cf9fef2f

SHA1
d6c9d38f3e571b54132dd7ee31a169c683abfd63

SHA256
614a701b90739e7dbf66b14fbdb6854394290030cc87bbcb3f47e1c45d1f06c3

SHA512
b376ef1f49b793a8cd8b7af587f538cf87cb2fffa70fc144e1d1b7e2e8e365ba4ad0568321a0b1c04e69b4b8b694d77e812597a66be1c59eda626cbf132e2c72

Download Submit
C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE

Filesize
6.7MB

MD5
63dc05e27a0b43bf25f151751b481b8c

SHA1
b20321483dac62bce0aa0cef1d193d247747e189

SHA256
7d607fb69c69a72a5bf4305599279f46318312ce1082b6a34ac9100b8c7762ce

SHA512
374d705704d456cc5f9f79b7f465f6ec7c775dc43001c840e9d6efbbdef20926ed1fa97f8a9b1e73161e17f72520b96c05fa58ac86b3945208b405f9166e7ba3

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE

Filesize
485KB

MD5
86749cd13537a694795be5d87ef7106d

SHA1
538030845680a8be8219618daee29e368dc1e06c

SHA256
8c35dcc975a5c7c687686a3970306452476d17a89787bc5bd3bf21b9de0d36a5

SHA512
7b6ae20515fb6b13701df422cbb0844d26c8a98087b2758427781f0bf11eb9ec5da029096e42960bf99ddd3d4f817db6e29ac172039110df6ea92547d331db4c

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE

Filesize
674KB

MD5
97510a7d9bf0811a6ea89fad85a9f3f3

SHA1
2ac0c49b66a92789be65580a38ae9798237711db

SHA256
c48abbc29405559e68cc9f8fc6d218aa317a9d0023839c7846ca509c1f563fea

SHA512
2a93e2a3bd187fdde160f87ef777ccd1d1c398d547b7c869e6b64469b9418ad04d887cdfe94af7407476377bf2d009f576de3935c025b7aefbab26fbcd8f90fb

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE

Filesize
674KB

MD5
9c10a5ec52c145d340df7eafdb69c478

SHA1
57f3d99e41d123ad5f185fc21454367a7285db42

SHA256
ccf37e88447a7afdb0ba4351b8c5606dbb05b984fb133194d71bcc00d7be4e36

SHA512
2704cfd1a708bfca6db7c52467d3abf0b09313db0cdd1ea8e5d48504c8240c4bf24e677f17c5df9e3ac1f6a678e0328e73e951dc4481f35027cb03b2966dc38f

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE

Filesize
495KB

MD5
9597098cfbc45fae685d9480d135ed13

SHA1
84401f03a7942a7e4fcd26e4414b227edd9b0f09

SHA256
45966655baaed42df92cd6d8094b4172c0e7a0320528b59cf63fca7c25d66e9c

SHA512
16afbdffe4b4b2e54b4cc96fe74e49ca367dea50752321ddf334756519812ba8ce147ef5459e421dc42e103bc3456aab1d185588cc86b35fa2315ac86b2a0164

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE

Filesize
525KB

MD5
a55d2c94c27ffe098171e6c1f296f56d

SHA1
d0c875b2721894404c9eaa07d444c0637a3cbc3b

SHA256
e81e4630b01d181fb3116e9e874eedfe1a43472bfa6d83cc24f55e78721ddf86

SHA512
13ee9041b21d4e00392aeaa5440c34301f945d9bbd4f07f831397040991eee79842a5618c1fd26ec75e7132b5da811bc9605b76b83a48355ede37a2a1c1cd6f0

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE

Filesize
536KB

MD5
91490c78c45cbd686ac759b6a252e898

SHA1
51bb6c5aa14cf478b0b6fa0329c7366d1f6fb480

SHA256
47f3331b4f35012d38bc11cdeae0ff7b4ae1186d4e916e3e48a9440438296821

SHA512
f7d44cd6df2c0c492731c14ca27e26605e8cddb9cb9287bf083fe1e43f753cafa11c341f0915510ad1d189466e92bb3f4e219b3599e9df72878bde14518bee35

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\GOOGLE~1.EXE

Filesize
211KB

MD5
94f1d651dcd07692153fcf46819e3637

SHA1
ef4a393c59c6fa59bb39fb8e1d2f9de8d88ce8e7

SHA256
5ccbf793ad53fa854043c8a781f5809d6996fa272e47df3cbe7b1d7016c609e7

SHA512
9dfb9b1a08ce64d999e7d0b3d0c3597e1d11766fea201e19d8c48834cfa7a3f798debc98f10f1126886143e0e1c864b67aaa28dbbb528493eb676ed963552094

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\Google Chrome.exe

Filesize
211KB

MD5
94f1d651dcd07692153fcf46819e3637

SHA1
ef4a393c59c6fa59bb39fb8e1d2f9de8d88ce8e7

SHA256
5ccbf793ad53fa854043c8a781f5809d6996fa272e47df3cbe7b1d7016c609e7

SHA512
9dfb9b1a08ce64d999e7d0b3d0c3597e1d11766fea201e19d8c48834cfa7a3f798debc98f10f1126886143e0e1c864b67aaa28dbbb528493eb676ed963552094

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute 1.2 x64 & VPN - KeyGen.exe

Filesize
2.5MB

MD5
62b039b2af7bf5f6abf35ef903024300

SHA1
4ae220e451482e839619c2e927752468e0eda8d5

SHA256
83d7f6eaf7fe075503ea6a0bc726633c34595a6eae7edd7deab95ab4d4a66fd5

SHA512
8abcf2fb422465fa578eb59e2788317ef88360551b675c964e03475a865e22dd4b86550bb442c1823fa72de059cedb438cac34538dcb291ccdb22fd34ee5433e

Download Submit
C:\Users\Admin\AppData\Roaming\Chrome.exe

Filesize
211KB

MD5
94f1d651dcd07692153fcf46819e3637

SHA1
ef4a393c59c6fa59bb39fb8e1d2f9de8d88ce8e7

SHA256
5ccbf793ad53fa854043c8a781f5809d6996fa272e47df3cbe7b1d7016c609e7

SHA512
9dfb9b1a08ce64d999e7d0b3d0c3597e1d11766fea201e19d8c48834cfa7a3f798debc98f10f1126886143e0e1c864b67aaa28dbbb528493eb676ed963552094

Download Submit
C:\Users\Admin\AppData\Roaming\Chrome.exe

Filesize
211KB

MD5
94f1d651dcd07692153fcf46819e3637

SHA1
ef4a393c59c6fa59bb39fb8e1d2f9de8d88ce8e7

SHA256
5ccbf793ad53fa854043c8a781f5809d6996fa272e47df3cbe7b1d7016c609e7

SHA512
9dfb9b1a08ce64d999e7d0b3d0c3597e1d11766fea201e19d8c48834cfa7a3f798debc98f10f1126886143e0e1c864b67aaa28dbbb528493eb676ed963552094

Download Submit
C:\Users\Admin\AppData\Roaming\Google Chrome.exe

Filesize
252KB

MD5
4195eb536048172d586ea579171dacbd

SHA1
22e6cd6ca3b55e44c4e31490760d524b833dfb14

SHA256
668448ec9ea23f6181f8821ddb76c37d68f6cc02555493339595094d07d3a770

SHA512
b604be4666fac6e236b62eb5dc60b84d3c902ccca944c0ece76bf62118c5835d844d89002f7d8aa73a8890091c91e185560cabe2fd956485932212a578df3191

Download Submit
C:\Users\Admin\AppData\Roaming\Google Chrome.exe

Filesize
252KB

MD5
4195eb536048172d586ea579171dacbd

SHA1
22e6cd6ca3b55e44c4e31490760d524b833dfb14

SHA256
668448ec9ea23f6181f8821ddb76c37d68f6cc02555493339595094d07d3a770

SHA512
b604be4666fac6e236b62eb5dc60b84d3c902ccca944c0ece76bf62118c5835d844d89002f7d8aa73a8890091c91e185560cabe2fd956485932212a578df3191

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\321CD4~1.EXE

Filesize
211KB

MD5
94f1d651dcd07692153fcf46819e3637

SHA1
ef4a393c59c6fa59bb39fb8e1d2f9de8d88ce8e7

SHA256
5ccbf793ad53fa854043c8a781f5809d6996fa272e47df3cbe7b1d7016c609e7

SHA512
9dfb9b1a08ce64d999e7d0b3d0c3597e1d11766fea201e19d8c48834cfa7a3f798debc98f10f1126886143e0e1c864b67aaa28dbbb528493eb676ed963552094

Download Submit
C:\Users\Admin\AppData\Roaming\NLBrute 1.2 x64 & VPN - KeyGen.exe

Filesize
2.5MB

MD5
e72838eccda2eae29e96b0c572d783c3

SHA1
60f0944ecbd21cf590445c12ba89a2ae48f27a6a

SHA256
f824fdc666630ccb179d9086b79783e3ede76e4392a5edfdd20d93b7259ae061

SHA512
7439902a4f16d29dcc4c749adc40f4541d509e607d915287c6c98f609ef14c4eb99ec507d7e7c853527a6c08628a367b21ae0f066828c2cc8792f2c1a3fa77f8

Download Submit
C:\Users\Admin\AppData\Roaming\NLBrute 1.2 x64 & VPN - KeyGen.exe

Filesize
2.5MB

MD5
e72838eccda2eae29e96b0c572d783c3

SHA1
60f0944ecbd21cf590445c12ba89a2ae48f27a6a

SHA256
f824fdc666630ccb179d9086b79783e3ede76e4392a5edfdd20d93b7259ae061

SHA512
7439902a4f16d29dcc4c749adc40f4541d509e607d915287c6c98f609ef14c4eb99ec507d7e7c853527a6c08628a367b21ae0f066828c2cc8792f2c1a3fa77f8

Download Submit
C:\Windows\directx.sys

Filesize
43B

MD5
f80d8ece562a0ed877c24bba37372f1d

SHA1
89c766d6c18e8762e83aafa80760a9ecb60ae526

SHA256
2171611d63d017e588b52d472a5a0a3b7b959542f9618fd25db5ecd6a7ba7108

SHA512
00f07b1e8d0678d9af577294a2b3abbf5af39ee1fc36bf8b4ae0a016683d5c2f4a160922206d456b36c573792a40d20dd0cc1cf5c66c85802dcaa06644482dfc

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\odt\OFFICE~1.EXE

Filesize
5.1MB

MD5
02c3d242fe142b0eabec69211b34bc55

SHA1
ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e

SHA256
2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842

SHA512
0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099

Download Submit
memory/208-139-0x0000000000000000-mapping.dmp

Download
memory/616-154-0x0000000073770000-0x0000000073D21000-memory.dmp

Filesize
5.7MB

Download
memory/616-158-0x0000000073770000-0x0000000073D21000-memory.dmp

Filesize
5.7MB

Download
memory/616-151-0x0000000000000000-mapping.dmp

Download
memory/804-135-0x0000000000000000-mapping.dmp

Download
memory/2044-132-0x0000000000000000-mapping.dmp

Download
memory/2188-155-0x0000000000000000-mapping.dmp

Download
memory/3148-147-0x0000000000000000-mapping.dmp

Download
memory/4784-153-0x0000000073770000-0x0000000073D21000-memory.dmp

Filesize
5.7MB

Download
memory/4784-144-0x0000000000000000-mapping.dmp

Download
memory/4784-146-0x0000000073770000-0x0000000073D21000-memory.dmp

Filesize
5.7MB

Download