modiloader | bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff

Analysis

max time kernel
151s
max time network
155s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 02:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
Size

116KB
MD5

59bfea24f746e49b632f8d51567b5545
SHA1

b1b7d61d5b5b82c1e01adfae5847e4f904736b62
SHA256

bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff
SHA512

994d3b35cc17b982a49cf4e3280ec839653094304c1c867cbcfa7a3796ea0e642c54ea6c6d6d476179e2a5f0d542cf32868137eaef311052b541b97c65ea2de6
SSDEEP

3072:sr85CDoalQnROfJyk3JaZ846bu93DwMSRywoW:k9D8er6RSRywoW

Score

10^/10

modiloader neshta njrat تلغيم شير جديد حموديذ evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

حموديذ

mohamednjrat111.no-ip.biz:10

Mutex

01336c20ab363000c950f7cbb76e26b7

Attributes

reg_key
01336c20ab363000c950f7cbb76e26b7
splitter
|'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

تلغيم شير جديد

mohamednjrat111.no-ip.biz:11

Mutex

d6915a2360eec64810596fb674521b88

Attributes

reg_key
d6915a2360eec64810596fb674521b88
splitter
|'|'|

Signatures

Detect Neshta payload 29 IoCs

Processes:

resource	yara_rule
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe	family_neshta
C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE	family_neshta
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe	family_neshta
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe	family_neshta
C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	family_neshta
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	family_neshta

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

ModiLoader Second Stage 3 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\3582-490\bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe	modiloader_stage2
\Users\Admin\AppData\Local\Temp\3582-490\bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe	modiloader_stage2
C:\Users\Admin\AppData\Local\Temp\3582-490\bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe	modiloader_stage2

Blocklisted process makes network request 5 IoCs

Processes:

WScript.exe

flow pid process

4 1992 WScript.exe
7 1992 WScript.exe
10 1992 WScript.exe
13 1992 WScript.exe
15 1992 WScript.exe

flow	pid	process
4	1992	WScript.exe
7	1992	WScript.exe
10	1992	WScript.exe
13	1992	WScript.exe
15	1992	WScript.exe

Executes dropped EXE 9 IoCs

Processes:

bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exesvchost.comsvchost.comnj7.exeserver.exesvchost.comCHROME~1.EXEsvchost.comdllhosst.exe

pid	process
1380	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
2028	svchost.com
2016	svchost.com
1728	nj7.exe
1788	server.exe
1544	svchost.com
1944	CHROME~1.EXE
916	svchost.com
1220	dllhosst.exe

Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1948 netsh.exe

pid	process
1948	netsh.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1.vbs	WScript.exe

Loads dropped DLL 8 IoCs

Processes:

bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exesvchost.comsvchost.comsvchost.comsvchost.com

pid	process
756	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
756	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
2028	svchost.com
2016	svchost.com
1544	svchost.com
756	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
2016	svchost.com
916	svchost.com

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exedllhosst.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\1.vbs\""	WScript.exe
Key created	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\1.vbs\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\d6915a2360eec64810596fb674521b88 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\dllhosst.exe\" .."	dllhosst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\d6915a2360eec64810596fb674521b88 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\dllhosst.exe\" .."	dllhosst.exe

Drops file in Program Files directory 64 IoCs

Processes:

bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exesvchost.com

description	ioc	process
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe

Drops file in Windows directory 9 IoCs

Processes:

svchost.comsvchost.combfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exesvchost.comsvchost.com

description	ioc	process
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

dllhosst.exe

description	pid	process
Token: SeDebugPrivilege	1220	dllhosst.exe
Token: 33	1220	dllhosst.exe
Token: SeIncBasePriorityPrivilege	1220	dllhosst.exe
Token: 33	1220	dllhosst.exe
Token: SeIncBasePriorityPrivilege	1220	dllhosst.exe
Token: 33	1220	dllhosst.exe
Token: SeIncBasePriorityPrivilege	1220	dllhosst.exe
Token: 33	1220	dllhosst.exe
Token: SeIncBasePriorityPrivilege	1220	dllhosst.exe
Token: 33	1220	dllhosst.exe
Token: SeIncBasePriorityPrivilege	1220	dllhosst.exe
Token: 33	1220	dllhosst.exe
Token: SeIncBasePriorityPrivilege	1220	dllhosst.exe
Token: 33	1220	dllhosst.exe
Token: SeIncBasePriorityPrivilege	1220	dllhosst.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exebfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exesvchost.comsvchost.comserver.exesvchost.comnj7.exesvchost.comdllhosst.exe

description	pid	process	target process
PID 756 wrote to memory of 1380	756	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
PID 756 wrote to memory of 1380	756	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
PID 756 wrote to memory of 1380	756	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
PID 756 wrote to memory of 1380	756	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
PID 1380 wrote to memory of 1992	1380	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe	WScript.exe
PID 1380 wrote to memory of 1992	1380	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe	WScript.exe
PID 1380 wrote to memory of 1992	1380	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe	WScript.exe
PID 1380 wrote to memory of 1992	1380	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe	WScript.exe
PID 1380 wrote to memory of 2028	1380	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe	svchost.com
PID 1380 wrote to memory of 2028	1380	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe	svchost.com
PID 1380 wrote to memory of 2028	1380	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe	svchost.com
PID 1380 wrote to memory of 2028	1380	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe	svchost.com
PID 1380 wrote to memory of 2016	1380	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe	svchost.com
PID 1380 wrote to memory of 2016	1380	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe	svchost.com
PID 1380 wrote to memory of 2016	1380	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe	svchost.com
PID 1380 wrote to memory of 2016	1380	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe	svchost.com
PID 2028 wrote to memory of 1728	2028	svchost.com	nj7.exe
PID 2028 wrote to memory of 1728	2028	svchost.com	nj7.exe
PID 2028 wrote to memory of 1728	2028	svchost.com	nj7.exe
PID 2028 wrote to memory of 1728	2028	svchost.com	nj7.exe
PID 2016 wrote to memory of 1788	2016	svchost.com	server.exe
PID 2016 wrote to memory of 1788	2016	svchost.com	server.exe
PID 2016 wrote to memory of 1788	2016	svchost.com	server.exe
PID 2016 wrote to memory of 1788	2016	svchost.com	server.exe
PID 1788 wrote to memory of 1544	1788	server.exe	svchost.com
PID 1788 wrote to memory of 1544	1788	server.exe	svchost.com
PID 1788 wrote to memory of 1544	1788	server.exe	svchost.com
PID 1788 wrote to memory of 1544	1788	server.exe	svchost.com
PID 1544 wrote to memory of 1944	1544	svchost.com	CHROME~1.EXE
PID 1544 wrote to memory of 1944	1544	svchost.com	CHROME~1.EXE
PID 1544 wrote to memory of 1944	1544	svchost.com	CHROME~1.EXE
PID 1544 wrote to memory of 1944	1544	svchost.com	CHROME~1.EXE
PID 1728 wrote to memory of 916	1728	nj7.exe	svchost.com
PID 1728 wrote to memory of 916	1728	nj7.exe	svchost.com
PID 1728 wrote to memory of 916	1728	nj7.exe	svchost.com
PID 1728 wrote to memory of 916	1728	nj7.exe	svchost.com
PID 916 wrote to memory of 1220	916	svchost.com	dllhosst.exe
PID 916 wrote to memory of 1220	916	svchost.com	dllhosst.exe
PID 916 wrote to memory of 1220	916	svchost.com	dllhosst.exe
PID 916 wrote to memory of 1220	916	svchost.com	dllhosst.exe
PID 1220 wrote to memory of 1948	1220	dllhosst.exe	netsh.exe
PID 1220 wrote to memory of 1948	1220	dllhosst.exe	netsh.exe
PID 1220 wrote to memory of 1948	1220	dllhosst.exe	netsh.exe
PID 1220 wrote to memory of 1948	1220	dllhosst.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
"C:\Users\Admin\AppData\Local\Temp\bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe"
1⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:756

C:\Users\Admin\AppData\Local\Temp\3582-490\bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1380

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1.vbs"
3⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:1992

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\nj7.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Local\Temp\nj7.exe
C:\Users\Admin\AppData\Local\Temp\nj7.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\dllhosst.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:916

C:\Users\Admin\AppData\Local\Temp\dllhosst.exe
C:\Users\Admin\AppData\Local\Temp\dllhosst.exe
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\dllhosst.exe" "dllhosst.exe" ENABLE
7⤵
- Modifies Windows Firewall
PID:1948

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\server.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Local\Temp\server.exe
C:\Users\Admin\AppData\Local\Temp\server.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\CHROME~1.EXE"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1544

C:\Users\Admin\AppData\Local\Temp\CHROME~1.EXE
C:\Users\Admin\AppData\Local\Temp\CHROME~1.EXE
6⤵
- Executes dropped EXE
PID:1944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

Filesize
859KB

MD5
02ee6a3424782531461fb2f10713d3c1

SHA1
b581a2c365d93ebb629e8363fd9f69afc673123f

SHA256
ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc

SHA512
6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

Filesize
186KB

MD5
58b58875a50a0d8b5e7be7d6ac685164

SHA1
1e0b89c1b2585c76e758e9141b846ed4477b0662

SHA256
2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae

SHA512
d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe

Filesize
1.1MB

MD5
566ed4f62fdc96f175afedd811fa0370

SHA1
d4b47adc40e0d5a9391d3f6f2942d1889dd2a451

SHA256
e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460

SHA512
cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe

Filesize
178KB

MD5
6570f18406183e572b1f8d4cea13bc66

SHA1
838e8537f613a33d9828defeb4cb1af2f8ed5f2b

SHA256
0466a343fc8ec05657758df972183869b74dd15936f9ac18663462128c88be64

SHA512
0b6807b721ec3934de420498014be32d1cb66d2d6ccb57f86b996d4423a7fa9d719f864317ffe1d48ca7c2bc5a72cb7b93f32fa03d09f144b1dba8006e0ebdf4

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE

Filesize
194KB

MD5
623288b46813a3c1c960b801762a3fde

SHA1
c73da36974aac1c21f57afde8879a8c5fb7b6a4c

SHA256
65777f734ceaa4a20a594cd0b52d7a02ee9a200f01641817ad9526b79117c3ff

SHA512
573d760b64c417dac7d9e765766e38ae465f2c0c0d177933302731048a5f4661964e60676844e57780eb65ef94cbcde1378e75d8d0a30c6a26bc1413e43c3eba

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe

Filesize
1.1MB

MD5
426b3bfe5f493cf140a67b3799ac9948

SHA1
37f106a31f72dbe07e21dbffefe2b77b9b7f59e2

SHA256
2311547cc9f985e3c316fb2f90784d9f44733044d50b48f4e1e54d3c50e969c1

SHA512
f9ad8fa69a071faec825e0ddbdcae93c0667c900a6859c5ce14ccbe1e76cd6085e651e8784f07ef2b74e02e2bbec4c8b6bd979c5b298e7641d50f43b5bf0d973

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe

Filesize
205KB

MD5
da31170e6de3cf8bd6cf7346d9ef5235

SHA1
e2c9602f5c7778f9614672884638efd5dd2aee92

SHA256
7737ab500cbbd5d507881d481eef9bd91cf6650bf8d2b41b47b1a8c5f2789858

SHA512
2759d938d6ad963e0bf63481a700f7c503d06011a60bcfc1071b511e38afa87d903deb36f9cbfa0b3fd08f1ecb88d2c0bddf0d3b5f2dea2a0cca1a80471669f3

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE

Filesize
186KB

MD5
58b58875a50a0d8b5e7be7d6ac685164

SHA1
1e0b89c1b2585c76e758e9141b846ed4477b0662

SHA256
2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae

SHA512
d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

Download Submit
C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE

Filesize
287KB

MD5
abfa225c2a1a1094c155028ba2ee77f7

SHA1
74136932691b15195ffef5a81a47a9aeafb6b9b7

SHA256
06b967634c744ad9232ab1286da77794848c03ab83a26e125931e9b47e8befbc

SHA512
5dd807b1ae91587c99948699e7fbf67dc5512c50cec1a738dd9c8ba3758500089eaf8bd7d13ea277bd101eee91d53dfd5cf1ea033cb0575082e6759e416ebc0a

Download Submit
C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE

Filesize
188KB

MD5
92ee5c55aca684cd07ed37b62348cd4e

SHA1
6534d1bc8552659f19bcc0faaa273af54a7ae54b

SHA256
bee98e2150e02ad6259184a35e02e75df96291960032b3085535fb0f1f282531

SHA512
fc9f4569a5f3de81d6a490f0fff4765698cdc891933979a3ce661a6291b606630a0c2b15647fc661109fcea466c7a78552b9cfbca6c5b2079ea1632a9f1b6e22

Download Submit
C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE

Filesize
741KB

MD5
5d2fd8de43da81187b030d6357ab75ce

SHA1
327122ef6afaffc61a86193fbe3d1cbabb75407e

SHA256
4d117648525a468532da011f0fc051e49bf472bbcb3e9c4696955bd398b9205f

SHA512
9f7470978346746b4e3366f9a6b277aa747cc45f13d36886fc16303221565d23348195b72ac25f7b1711789cd7cb925d7ceea91e384ef4f904a4e49b4e06d9b2

Download Submit
C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE

Filesize
392KB

MD5
25b9301a6557a958b0a64752342be27d

SHA1
0887e1a9389a711ef8b82da8e53d9a03901edebc

SHA256
5d916f7c7f6cb6cfd7545a57cb9c9d9c6df16af3517298c346901081a9135303

SHA512
985f6b2fcac2f0425a1a339a55616012879a393caa747412d04c1ee4de3b12aff2cc051860066d84ecbeae335eaa5116ccb8a02090a2674eded367378c56b1ab

Download Submit
C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE

Filesize
694KB

MD5
7a4edc8fb7114d0ea3fdce1ea05b0d81

SHA1
02ecc30dbfab67b623530ec04220f87b312b9f6b

SHA256
ff16fdc703e55ddfe5ee867f343f3b20b496e7199c6c4b646335a01026f74550

SHA512
39519685b1dd872008abfa967f79fd3b7a5e6f6ee1b9c3de891aae64490b2d0feb56bcd3f5dab4527d2c6d07646db5966028df153f38a1c09ee88a1ba9a1ef44

Download Submit
C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE

Filesize
144KB

MD5
a2dddf04b395f8a08f12001318cc72a4

SHA1
1bd72e6e9230d94f07297c6fcde3d7f752563198

SHA256
b35e60f1551870c1281d673380fe3101cd91b1f0b4d3c14c2383060f5e120373

SHA512
2159df98d90467720b738be68bee5aba38980d2449c18d2ea4b7b9bae7d222b4a85845d0f9597017d0ee417964190bc3d95cb4809e33aac16b6cfa6ec200dce3

Download Submit
C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE

Filesize
1.4MB

MD5
328a15382885fe27a2fbe65a6b6c8b82

SHA1
032fde6f0898393387ac4142b7f540de0d586555

SHA256
4f78a7e0d8ab78d7e76a00d81f4af2d634e7b48c1c82cb44539a0178f50add86

SHA512
8466fb50a185bda1fdc35126748a81a54d9a804f7023531dd205a18e157931fcbfcf33e006ad1e7cab5288624b8816f54758fb74cc5190f263d208e32a694216

Download Submit
C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE

Filesize
1.5MB

MD5
bfe8267cbc145e3230a3fc9430e3de1e

SHA1
505e1723d02274804942dc322f4d45c99a0d1a1c

SHA256
127e2cf254aa60bcc1e2bfc7f963afa92d57e8ea2a2b3d50f4fb5b4b73d089ba

SHA512
5c1680af090e8667e103700015e50de6174c13427f9fa4865d786170bd45b1c2733342bc8cf1e5b23830beaddcb99a21566b957e5cafe9b95fe36d8c5fb3567e

Download Submit
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE

Filesize
169KB

MD5
1533cd461da93c035e07338328a25a48

SHA1
c17a645ad8f7f80450b58f2237767527a28d43b9

SHA256
33f5a548c2edc528cfc4ccc53ee4f28fd231ed5187310b1e6bb68bc066352cb5

SHA512
6c34379fcd203abbc16045aac74a452d60cebe2361a8d0032d47527a4cba7826649e029c0645081db491c3723b03da519aca6fc7b1efa6f69a3a65fd424b7437

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE

Filesize
526KB

MD5
cc5020b193486a88f373bedca78e24c8

SHA1
61744a1675ce10ddd196129b49331d517d7da884

SHA256
e87936bb1f0794b7622f8ce5b88e4b57b2358c4e0d0fd87c5cd9fa03b8429e2a

SHA512
bc2c77a25ad9f25ac19d8216dafc5417513cb57b9984237a5589a0bb684fdac4540695fcfb0df150556823b191014c96b002e4234a779bd064d36166afeb09d2

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE

Filesize
714KB

MD5
24179b4581907abfef8a55ab41c97999

SHA1
e4de417476f43da4405f4340ebf6044f6b094337

SHA256
a8b960bcbf3045bedd2f6b59c521837ac4aee9c566001c01d8fc43b15b1dfdc7

SHA512
6fb0621ea3755db8af58d86bdc4f5324ba0832790e83375d07c378b6f569a109e14a78ed7d1a5e105b7a005194a31bd7771f3008b2026a0938d695e62f6ea6b8

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE

Filesize
715KB

MD5
40bceab6b725ec478b39e534b4edd1c1

SHA1
1fe39943848fb70c0446adab32a22a2296776139

SHA256
adbb0f06b5886496093c2a16a13cd5c9fd1a684674e9b60ef0778c771506b8e0

SHA512
8be164aeb87dc58b6c9ef64fa020b4fee1ca787fd296593b2029d9f3b2d134de6834c4354c7e57b5214321c29b0fe0779dfbe9c15c80f5d383da911df187632f

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE

Filesize
536KB

MD5
31685b921fcd439185495e2bdc8c5ebf

SHA1
5d171dd1f2fc2ad55bde2e3c16a58abff07ae636

SHA256
4798142637154af13e3ed0e0b508459cf71d2dc1ae2f80f8439d14975617e05c

SHA512
04a414a89e02f9541b0728c82c38f0c64af1e95074f00699a48c82a5e99f4a6488fd7914ff1fa7a5bf383ce85d2dceab7f686d4ee5344ab36e7b9f13ceec9e7f

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE

Filesize
525KB

MD5
34b8aac6f260934046899dd3c0ca3549

SHA1
8c5b645173fa562665b59c15fb310cd742449e76

SHA256
b35d39b6901722b881a4d15e51e59457f8315a1d58b59cc89fe375ef5c76cd9d

SHA512
cbe06fa652681f6796bb6339999bdbd69eb2c8d34ff00e98323561b769d225c34bf572c058ace95d23408e46c706438840a9617015dd3ea3e604ac194902e0a0

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE

Filesize
495KB

MD5
07e194ce831b1846111eb6c8b176c86e

SHA1
b9c83ec3b0949cb661878fb1a8b43a073e15baf1

SHA256
d882f673ddf40a7ea6d89ce25e4ee55d94a5ef0b5403aa8d86656fd960d0e4ac

SHA512
55f9b6d3199aa60d836b6792ae55731236fb2a99c79ce8522e07e579c64eabb88fa413c02632deb87a361dd8490361aa1424beed2e01ba28be220f8c676a1bb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.vbs

Filesize
13KB

MD5
e9c8efcf6823bdfb953fecf8d024953d

SHA1
2b19ced121cde60c3d4f56318fb5fd39cdff713c

SHA256
7ed4457fb7b013201ac170705d38085373b40621bd708dd6be2e40428b378ae2

SHA512
e3b2bd57e3f248bd07f3d9b19a1bc6b2a0d7310863f47af1ff82aab08a5351ba783229443ff2e7ead8a44649563741c80a9a44b3c46c8a1e5fbc643f6c09d71e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe

Filesize
76KB

MD5
4c66f44d49fbe99324009742575eddc3

SHA1
3b289ac7714e0093316ea439519940f67246aa31

SHA256
6a0caeb86e94e5d0b6a81f7bbb527ba3aee6a28f8703e411cfdcc58a8cdecd9d

SHA512
c6143d187a7b4e487ef51547db870a576a545c990e4746311724df119c09438ff25160e9021be961cd72161ddcb0170218784d7bbcd1362089e04085dd1c6e70

Download Submit
C:\Users\Admin\AppData\Local\Temp\CHROME~1.EXE

Filesize
29KB

MD5
b6aa0267b0fa5bb5b7f1ff111ff83e14

SHA1
c13b6428cfbe3745bbde215cf885c08326ecf26d

SHA256
d9f7c282b7555b959daca205f29ba949fccefebe4ff2d182574ba59149f93229

SHA512
4c8902da2cd60c54919fdb1ef2057b9138b555d3762cab93a5870d5b9fa44515c260cd5356454496bd262268a3d48bccd48498bc8a5fc5d1beaf89b12df5835e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CHROME~1.EXE

Filesize
29KB

MD5
b6aa0267b0fa5bb5b7f1ff111ff83e14

SHA1
c13b6428cfbe3745bbde215cf885c08326ecf26d

SHA256
d9f7c282b7555b959daca205f29ba949fccefebe4ff2d182574ba59149f93229

SHA512
4c8902da2cd60c54919fdb1ef2057b9138b555d3762cab93a5870d5b9fa44515c260cd5356454496bd262268a3d48bccd48498bc8a5fc5d1beaf89b12df5835e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dllhosst.exe

Filesize
23KB

MD5
f0555167dd95f465ea130463d61fd1e0

SHA1
31065e91646b86e3947ef74e838bfb299227b8ac

SHA256
1985563b022180572f58a8f11164b95310463cff012812e6545fc54b389e8072

SHA512
e0e9febd817a439fcca2e7b36620aea713047395cc95371d8ae756f45acac7b4ffbaa7955f09b48a017c68c2a8be362211c67a7b8496fd0685a37df78b673ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\dllhosst.exe

Filesize
23KB

MD5
f0555167dd95f465ea130463d61fd1e0

SHA1
31065e91646b86e3947ef74e838bfb299227b8ac

SHA256
1985563b022180572f58a8f11164b95310463cff012812e6545fc54b389e8072

SHA512
e0e9febd817a439fcca2e7b36620aea713047395cc95371d8ae756f45acac7b4ffbaa7955f09b48a017c68c2a8be362211c67a7b8496fd0685a37df78b673ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nj7.exe

Filesize
23KB

MD5
f0555167dd95f465ea130463d61fd1e0

SHA1
31065e91646b86e3947ef74e838bfb299227b8ac

SHA256
1985563b022180572f58a8f11164b95310463cff012812e6545fc54b389e8072

SHA512
e0e9febd817a439fcca2e7b36620aea713047395cc95371d8ae756f45acac7b4ffbaa7955f09b48a017c68c2a8be362211c67a7b8496fd0685a37df78b673ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nj7.exe

Filesize
23KB

MD5
f0555167dd95f465ea130463d61fd1e0

SHA1
31065e91646b86e3947ef74e838bfb299227b8ac

SHA256
1985563b022180572f58a8f11164b95310463cff012812e6545fc54b389e8072

SHA512
e0e9febd817a439fcca2e7b36620aea713047395cc95371d8ae756f45acac7b4ffbaa7955f09b48a017c68c2a8be362211c67a7b8496fd0685a37df78b673ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
29KB

MD5
b6aa0267b0fa5bb5b7f1ff111ff83e14

SHA1
c13b6428cfbe3745bbde215cf885c08326ecf26d

SHA256
d9f7c282b7555b959daca205f29ba949fccefebe4ff2d182574ba59149f93229

SHA512
4c8902da2cd60c54919fdb1ef2057b9138b555d3762cab93a5870d5b9fa44515c260cd5356454496bd262268a3d48bccd48498bc8a5fc5d1beaf89b12df5835e

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
29KB

MD5
b6aa0267b0fa5bb5b7f1ff111ff83e14

SHA1
c13b6428cfbe3745bbde215cf885c08326ecf26d

SHA256
d9f7c282b7555b959daca205f29ba949fccefebe4ff2d182574ba59149f93229

SHA512
4c8902da2cd60c54919fdb1ef2057b9138b555d3762cab93a5870d5b9fa44515c260cd5356454496bd262268a3d48bccd48498bc8a5fc5d1beaf89b12df5835e

Download Submit
C:\Windows\directx.sys

Filesize
48B

MD5
268b6b7439beb9155896852f216f371b

SHA1
ccaa6b3cd752ad0fc0aed419345c5628e70269a6

SHA256
8ce8d90ffc7e758fa2e0ca36337a57d5cde7d00dc6d8f8f0c6268156696abd25

SHA512
98769abf385f3f85f53fc9cefa858aaabdf7417b26b3d754f0a541607f819224b4ac60e6f845ce819e440cfbf4a9316f769e75d2819ab1b7aefa6d29d2215967

Download Submit
C:\Windows\directx.sys

Filesize
46B

MD5
3e8cab484ae33dffd3bde1b23801c209

SHA1
0a73d311ac5f2d1a835d50995026750944ec9ff0

SHA256
80a758e8bcb71a6204cd86b7090ba040542b4841874db1bcdfc753abd9a449f0

SHA512
a6f829c39bbe9a30b067a940ce435c3168f6e4f33589c6c8f2d2287921bdab4fde2d9caca50d4be633d3270cfd1563568b0c1be399dee4cd5d446f0400ab3a1e

Download Submit
C:\Windows\directx.sys

Filesize
48B

MD5
3b21c2c4e413b577c7523593f33f5935

SHA1
8d4e51f9d8af7ae7c2c8ef442353acfdac7d63a8

SHA256
d8355076b4ae2bef5ca6f5165595f3214908d6886a4a7028d014725419c77451

SHA512
4d1f20b956a120665ca1fc868d3965a212a61516b4dbb03c0636e08b8ac567d4595fcfbfbf6642714392e97cf2e2c784e8a99eb748c1c1d99aacb88e75dafcab

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe

Filesize
76KB

MD5
4c66f44d49fbe99324009742575eddc3

SHA1
3b289ac7714e0093316ea439519940f67246aa31

SHA256
6a0caeb86e94e5d0b6a81f7bbb527ba3aee6a28f8703e411cfdcc58a8cdecd9d

SHA512
c6143d187a7b4e487ef51547db870a576a545c990e4746311724df119c09438ff25160e9021be961cd72161ddcb0170218784d7bbcd1362089e04085dd1c6e70

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe

Filesize
76KB

MD5
4c66f44d49fbe99324009742575eddc3

SHA1
3b289ac7714e0093316ea439519940f67246aa31

SHA256
6a0caeb86e94e5d0b6a81f7bbb527ba3aee6a28f8703e411cfdcc58a8cdecd9d

SHA512
c6143d187a7b4e487ef51547db870a576a545c990e4746311724df119c09438ff25160e9021be961cd72161ddcb0170218784d7bbcd1362089e04085dd1c6e70

Download Submit
\Users\Admin\AppData\Local\Temp\CHROME~1.EXE

Filesize
29KB

MD5
b6aa0267b0fa5bb5b7f1ff111ff83e14

SHA1
c13b6428cfbe3745bbde215cf885c08326ecf26d

SHA256
d9f7c282b7555b959daca205f29ba949fccefebe4ff2d182574ba59149f93229

SHA512
4c8902da2cd60c54919fdb1ef2057b9138b555d3762cab93a5870d5b9fa44515c260cd5356454496bd262268a3d48bccd48498bc8a5fc5d1beaf89b12df5835e

Download Submit
\Users\Admin\AppData\Local\Temp\dllhosst.exe

Filesize
23KB

MD5
f0555167dd95f465ea130463d61fd1e0

SHA1
31065e91646b86e3947ef74e838bfb299227b8ac

SHA256
1985563b022180572f58a8f11164b95310463cff012812e6545fc54b389e8072

SHA512
e0e9febd817a439fcca2e7b36620aea713047395cc95371d8ae756f45acac7b4ffbaa7955f09b48a017c68c2a8be362211c67a7b8496fd0685a37df78b673ed1

Download Submit
\Users\Admin\AppData\Local\Temp\nj7.exe

Filesize
23KB

MD5
f0555167dd95f465ea130463d61fd1e0

SHA1
31065e91646b86e3947ef74e838bfb299227b8ac

SHA256
1985563b022180572f58a8f11164b95310463cff012812e6545fc54b389e8072

SHA512
e0e9febd817a439fcca2e7b36620aea713047395cc95371d8ae756f45acac7b4ffbaa7955f09b48a017c68c2a8be362211c67a7b8496fd0685a37df78b673ed1

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
29KB

MD5
b6aa0267b0fa5bb5b7f1ff111ff83e14

SHA1
c13b6428cfbe3745bbde215cf885c08326ecf26d

SHA256
d9f7c282b7555b959daca205f29ba949fccefebe4ff2d182574ba59149f93229

SHA512
4c8902da2cd60c54919fdb1ef2057b9138b555d3762cab93a5870d5b9fa44515c260cd5356454496bd262268a3d48bccd48498bc8a5fc5d1beaf89b12df5835e

Download Submit
memory/756-54-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

Filesize
8KB

Download
memory/916-106-0x0000000000000000-mapping.dmp

Download
memory/1220-120-0x0000000073A50000-0x0000000073FFB000-memory.dmp

Filesize
5.7MB

Download
memory/1220-113-0x0000000000000000-mapping.dmp

Download
memory/1220-130-0x0000000073A50000-0x0000000073FFB000-memory.dmp

Filesize
5.7MB

Download
memory/1380-57-0x0000000000000000-mapping.dmp

Download
memory/1544-81-0x0000000000000000-mapping.dmp

Download
memory/1728-109-0x00000000748E0000-0x0000000074E8B000-memory.dmp

Filesize
5.7MB

Download
memory/1728-73-0x0000000000000000-mapping.dmp

Download
memory/1728-96-0x00000000748E0000-0x0000000074E8B000-memory.dmp

Filesize
5.7MB

Download
memory/1788-75-0x0000000000000000-mapping.dmp

Download
memory/1788-94-0x00000000748E0000-0x0000000074E8B000-memory.dmp

Filesize
5.7MB

Download
memory/1944-87-0x0000000000000000-mapping.dmp

Download
memory/1944-95-0x00000000748E0000-0x0000000074E8B000-memory.dmp

Filesize
5.7MB

Download
memory/1948-131-0x0000000000000000-mapping.dmp

Download
memory/1992-60-0x0000000000000000-mapping.dmp

Download
memory/2016-65-0x0000000000000000-mapping.dmp

Download
memory/2028-62-0x0000000000000000-mapping.dmp

Download