modiloader | bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff

Analysis

max time kernel
152s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2022 02:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
Size

116KB
MD5

59bfea24f746e49b632f8d51567b5545
SHA1

b1b7d61d5b5b82c1e01adfae5847e4f904736b62
SHA256

bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff
SHA512

994d3b35cc17b982a49cf4e3280ec839653094304c1c867cbcfa7a3796ea0e642c54ea6c6d6d476179e2a5f0d542cf32868137eaef311052b541b97c65ea2de6
SSDEEP

3072:sr85CDoalQnROfJyk3JaZ846bu93DwMSRywoW:k9D8er6RSRywoW

Score

10^/10

modiloader neshta njrat تلغيم شير جديد حموديذ evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

تلغيم شير جديد

mohamednjrat111.no-ip.biz:11

Mutex

d6915a2360eec64810596fb674521b88

Attributes

reg_key
d6915a2360eec64810596fb674521b88
splitter
|'|'|

Extracted

Family

njrat

Version

0.6.4

Botnet

حموديذ

mohamednjrat111.no-ip.biz:10

Mutex

01336c20ab363000c950f7cbb76e26b7

Attributes

reg_key
01336c20ab363000c950f7cbb76e26b7
splitter
|'|'|

Signatures

Detect Neshta payload 31 IoCs

Processes:

resource	yara_rule
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\odt\OFFICE~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	family_neshta
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	family_neshta
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\DISABL~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~2.EXE	family_neshta
C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13165~1.21\MICROS~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	family_neshta
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe	family_neshta
C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE	family_neshta

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3582-490\bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe	modiloader_stage2
C:\Users\Admin\AppData\Local\Temp\3582-490\bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe	modiloader_stage2

Blocklisted process makes network request 5 IoCs

Processes:

WScript.exe

flow pid process

5 1408 WScript.exe
30 1408 WScript.exe
38 1408 WScript.exe
64 1408 WScript.exe
102 1408 WScript.exe

flow	pid	process
5	1408	WScript.exe
30	1408	WScript.exe
38	1408	WScript.exe
64	1408	WScript.exe
102	1408	WScript.exe

Executes dropped EXE 9 IoCs

Processes:

bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exesvchost.comnj7.exesvchost.comserver.exesvchost.comCHROME~1.EXEsvchost.comdllhosst.exe

pid	process
1584	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
2420	svchost.com
852	nj7.exe
3272	svchost.com
3192	server.exe
4448	svchost.com
3112	CHROME~1.EXE
3384	svchost.com
2072	dllhosst.exe

Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

3484 netsh.exe

pid	process
3484	netsh.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exebfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exeserver.exenj7.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	nj7.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1.vbs	WScript.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exedllhosst.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\1.vbs\""	WScript.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\1.vbs\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d6915a2360eec64810596fb674521b88 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\dllhosst.exe\" .."	dllhosst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\d6915a2360eec64810596fb674521b88 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\dllhosst.exe\" .."	dllhosst.exe

Drops file in Program Files directory 64 IoCs

Processes:

bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exesvchost.com

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~2.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MIA062~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13165~1.21\MICROS~1.EXE	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	svchost.com
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	svchost.com
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~3.EXE	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI391D~1.EXE	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	svchost.com
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~1.EXE	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	svchost.com
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI9C33~1.EXE	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MIA062~1.EXE	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	svchost.com

Drops file in Windows directory 9 IoCs

Processes:

bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exesvchost.comsvchost.comsvchost.comsvchost.com

description	ioc	process
File opened for modification	C:\Windows\svchost.com	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 4 IoCs

Processes:

bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exebfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exeserver.exenj7.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	server.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	nj7.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

dllhosst.exe

description	pid	process
Token: SeDebugPrivilege	2072	dllhosst.exe
Token: 33	2072	dllhosst.exe
Token: SeIncBasePriorityPrivilege	2072	dllhosst.exe
Token: 33	2072	dllhosst.exe
Token: SeIncBasePriorityPrivilege	2072	dllhosst.exe
Token: 33	2072	dllhosst.exe
Token: SeIncBasePriorityPrivilege	2072	dllhosst.exe
Token: 33	2072	dllhosst.exe
Token: SeIncBasePriorityPrivilege	2072	dllhosst.exe
Token: 33	2072	dllhosst.exe
Token: SeIncBasePriorityPrivilege	2072	dllhosst.exe
Token: 33	2072	dllhosst.exe
Token: SeIncBasePriorityPrivilege	2072	dllhosst.exe
Token: 33	2072	dllhosst.exe
Token: SeIncBasePriorityPrivilege	2072	dllhosst.exe
Token: 33	2072	dllhosst.exe
Token: SeIncBasePriorityPrivilege	2072	dllhosst.exe
Token: 33	2072	dllhosst.exe
Token: SeIncBasePriorityPrivilege	2072	dllhosst.exe
Token: 33	2072	dllhosst.exe
Token: SeIncBasePriorityPrivilege	2072	dllhosst.exe
Token: 33	2072	dllhosst.exe
Token: SeIncBasePriorityPrivilege	2072	dllhosst.exe
Token: 33	2072	dllhosst.exe
Token: SeIncBasePriorityPrivilege	2072	dllhosst.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exebfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exesvchost.comsvchost.comserver.exesvchost.comnj7.exesvchost.comdllhosst.exe

description	pid	process	target process
PID 4864 wrote to memory of 1584	4864	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
PID 4864 wrote to memory of 1584	4864	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
PID 4864 wrote to memory of 1584	4864	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
PID 1584 wrote to memory of 1408	1584	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe	WScript.exe
PID 1584 wrote to memory of 1408	1584	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe	WScript.exe
PID 1584 wrote to memory of 1408	1584	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe	WScript.exe
PID 1584 wrote to memory of 2420	1584	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe	svchost.com
PID 1584 wrote to memory of 2420	1584	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe	svchost.com
PID 1584 wrote to memory of 2420	1584	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe	svchost.com
PID 2420 wrote to memory of 852	2420	svchost.com	nj7.exe
PID 2420 wrote to memory of 852	2420	svchost.com	nj7.exe
PID 2420 wrote to memory of 852	2420	svchost.com	nj7.exe
PID 1584 wrote to memory of 3272	1584	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe	svchost.com
PID 1584 wrote to memory of 3272	1584	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe	svchost.com
PID 1584 wrote to memory of 3272	1584	bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe	svchost.com
PID 3272 wrote to memory of 3192	3272	svchost.com	server.exe
PID 3272 wrote to memory of 3192	3272	svchost.com	server.exe
PID 3272 wrote to memory of 3192	3272	svchost.com	server.exe
PID 3192 wrote to memory of 4448	3192	server.exe	svchost.com
PID 3192 wrote to memory of 4448	3192	server.exe	svchost.com
PID 3192 wrote to memory of 4448	3192	server.exe	svchost.com
PID 4448 wrote to memory of 3112	4448	svchost.com	CHROME~1.EXE
PID 4448 wrote to memory of 3112	4448	svchost.com	CHROME~1.EXE
PID 4448 wrote to memory of 3112	4448	svchost.com	CHROME~1.EXE
PID 852 wrote to memory of 3384	852	nj7.exe	svchost.com
PID 852 wrote to memory of 3384	852	nj7.exe	svchost.com
PID 852 wrote to memory of 3384	852	nj7.exe	svchost.com
PID 3384 wrote to memory of 2072	3384	svchost.com	dllhosst.exe
PID 3384 wrote to memory of 2072	3384	svchost.com	dllhosst.exe
PID 3384 wrote to memory of 2072	3384	svchost.com	dllhosst.exe
PID 2072 wrote to memory of 3484	2072	dllhosst.exe	netsh.exe
PID 2072 wrote to memory of 3484	2072	dllhosst.exe	netsh.exe
PID 2072 wrote to memory of 3484	2072	dllhosst.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
"C:\Users\Admin\AppData\Local\Temp\bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4864

C:\Users\Admin\AppData\Local\Temp\3582-490\bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1.vbs"
3⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:1408

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\nj7.exe"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2420

C:\Users\Admin\AppData\Local\Temp\nj7.exe
C:\Users\Admin\AppData\Local\Temp\nj7.exe
4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\dllhosst.exe"
5⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3384

C:\Users\Admin\AppData\Local\Temp\dllhosst.exe
C:\Users\Admin\AppData\Local\Temp\dllhosst.exe
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2072

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\dllhosst.exe" "dllhosst.exe" ENABLE
7⤵
- Modifies Windows Firewall
PID:3484

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\server.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3272

C:\Users\Admin\AppData\Local\Temp\server.exe
C:\Users\Admin\AppData\Local\Temp\server.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3192

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\CHROME~1.EXE"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4448

C:\Users\Admin\AppData\Local\Temp\CHROME~1.EXE
C:\Users\Admin\AppData\Local\Temp\CHROME~1.EXE
3⤵
- Executes dropped EXE
PID:3112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE

Filesize
368KB

MD5
a344438de9e499ca3d9038688440f406

SHA1
c961917349de7e9d269f6f4a5593b6b9d3fcd4d2

SHA256
715f6420c423ae4068b25a703d5575f7c147b26e388f0fff1ae20c6abe821557

SHA512
8bf3c621725fddafa6326b057fee9beee95966e43c5fbab40ebaa4a1a64d17acca97a19d0ece10c3574e13e194ff191316871d1d46d4d74ffc0ac3efb403bca9

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

Filesize
2.5MB

MD5
316cf123fc3021e85e4a3cb3d703e83e

SHA1
0bc76376a2ee11616aacfe6284acb94bcb23c62d

SHA256
9b5ffbf037621537fe7769e01d0faffd042010b2019ce657b2d2419fd0e1db8e

SHA512
ed0b5a4201d8f32e37a67477327996fc45ebd806057d3873012a2683e6f2170e50439f5ef5edcd15d1600d8313b70964d3a39f1151af32391bdac48da875278a

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE

Filesize
254KB

MD5
4ddc609ae13a777493f3eeda70a81d40

SHA1
8957c390f9b2c136d37190e32bccae3ae671c80a

SHA256
16d65f2463658a72dba205dcaa18bc3d0bab4453e726233d68bc176e69db0950

SHA512
9d7f90d1529cab20078c2690bf7bffab5a451a41d8993781effe807e619da0e7292f991da2f0c5c131b111d028b3e6084e5648c90816e74dfb664e7f78181bc5

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE

Filesize
386KB

MD5
8c753d6448183dea5269445738486e01

SHA1
ebbbdc0022ca7487cd6294714cd3fbcb70923af9

SHA256
473eb551101caeaf2d18f811342e21de323c8dd19ed21011997716871defe997

SHA512
4f6fddefc42455540448eac0b693a4847e21b68467486376a4186776bfe137337733d3075b7b87ed7dac532478dc9afc63883607ec8205df3f155fee64c7a9be

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE

Filesize
92KB

MD5
176436d406fd1aabebae353963b3ebcf

SHA1
9ffdfdb8cc832a0c6501c4c0e85b23a0f7eff57a

SHA256
2f947e3ca624ce7373080b4a3934e21644fb070a53feeaae442b15b849c2954f

SHA512
a2d1a714e0c1e5463260c64048ba8fd5064cfa06d4a43d02fc04a30748102ff5ba86d20a08e611e200dc778e2b7b3ae808da48132a05a61aa09ac424a182a06a

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE

Filesize
142KB

MD5
92dc0a5b61c98ac6ca3c9e09711e0a5d

SHA1
f809f50cfdfbc469561bced921d0bad343a0d7b4

SHA256
3e9da97a7106122245e77f13f3f3cc96c055d732ab841eb848d03ac25401c1bc

SHA512
d9eefb19f82e0786d9be0dbe5e339d25473fb3a09682f40c6d190d4c320cca5556abb72b5d97c6b0da4f8faefdc6d39ac9d0415fdf94ebcc90ecdf2e513c6a31

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE

Filesize
278KB

MD5
12c29dd57aa69f45ddd2e47620e0a8d9

SHA1
ba297aa3fe237ca916257bc46370b360a2db2223

SHA256
22a585c183e27b3c732028ff193733c2f9d03700a0e95e65c556b0592c43d880

SHA512
255176cd1a88dfa2af3838769cc20dc7ad9d969344801f07b9ebb372c12cee3f47f2dba3559f391deab10650875cad245d9724acfa23a42b336bfa96559a5488

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE

Filesize
494KB

MD5
3ad3461ef1d630f38ed3749838bbedc3

SHA1
8d85b0b392ae75c5d0b004ee9cf5a7b80b1b79e6

SHA256
32be2bca2b848da78c02140a288f1bb771cb66757f90d20126b1bcfd5bb40e62

SHA512
0e95e5181eab14d5820a3a4952018ac9b290fa3b17add8a5e13d893052f1d2a90a2323c62843f6a9e9af00f27e00108b60e0bce2f848e0a4d8ce0cce153db1ba

Download Submit
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe

Filesize
982KB

MD5
4e8c731e3175d6d2f5085fe55974e1db

SHA1
74604823bd1e5af86d66e4986c1203f2bf26e657

SHA256
8a8d0905d868bc8b3bbd3545de42b459b3b517bb874365f911ff05ae71f90325

SHA512
a058948f7a82ca4c14ea41527c66918e7737776f7af65b00888f3c39de416397821861ba4e77cdb8a738bc0136462d1256bc6447f0d105d929831a2b47c87485

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE

Filesize
121KB

MD5
cbd96ba6abe7564cb5980502eec0b5f6

SHA1
74e1fe1429cec3e91f55364e5cb8385a64bb0006

SHA256
405b8bd647fa703e233b8b609a18999abe465a8458168f1daf23197bd2ea36aa

SHA512
a551001853f6b93dfbc6cf6a681820af31330a19d5411076ff3dbce90937b3d92173085a15f29ebf56f2ef12a4e86860ac6723ebc89c98ea31ea7a6c7e3d7cdc

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE

Filesize
217KB

MD5
ad0efa1df844814c2e8ddc188cb0e3b5

SHA1
b1a8a09f2223aab8b8e3e9bc0e58cc83d402f8ab

SHA256
c87fd5b223cb6dc716815b442b4964d4670a30b5c79f4fb9f1c3a65ec9072e5a

SHA512
532cc173d9ef27098ff10b6b652c64231b4a14f99df3b5de2eb1423370c19590e2a6032023d3ed02e2080f2f087b620ebbbd079e4a47a584ef11f3eaa0eb8520

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE

Filesize
191KB

MD5
dd5586c90fad3d0acb402c1aab8f6642

SHA1
3440cd9e78d4e4b3c2f5ba31435cedaa559e5c7f

SHA256
fba2b9270ade0ce80e8dfc5e3279db683324502f6103e451cd090c69da56415e

SHA512
e56f6d6b446411ba4ed24f0d113953d9c9e874b2ac4511d33e5c5b85dddd81216579695e35c34b6054c187b00ee214d5648594dad498297f487f2fd47f040a4d

Download Submit
C:\PROGRA~2\Google\Update\DISABL~1.EXE

Filesize
231KB

MD5
2a226fd810c5ce7b825ff7982bc22a0b

SHA1
58be5cb790336a8e751e91b1702a87fc0521a1d8

SHA256
af9e01dab96c2a54e2751a0d703cc55fdcc5ac00c40f0be2e13fd85c09b66132

SHA512
f122ce37b07871b88e322b0ca2e42f3170704d4165167d6d7b02883da9d2be5d2d62bdbd9f7e18d1c0c5e60e9e707a3b64ddb99150c99028333818dfa769deeb

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~2.EXE

Filesize
287KB

MD5
3187a65469cf0bee0e5c66af3afee773

SHA1
c4155263eb60eaac6d4b8960b7a6e1f064c1c4fd

SHA256
cd67f379ef3747dabc72e0a3b6fe73cdcb7e59b5b716b84497c9d44675ec34f4

SHA512
6e57f69cce1de4ab2a45a16437bee784ad7c21f5ef422350c5a6e8cf1aa5003f9dd41deb1fbc5779a29786f49552b05354e0891ae3acaa979414e6338c8f270f

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13165~1.21\MICROS~1.EXE

Filesize
1.6MB

MD5
a4d308107be49da360818206ff7193c0

SHA1
63cc2a56cf0db6d29b8eddb841a46b6fe1202241

SHA256
d54657ee56a03c905b6a5fb3f0966149145d1c66785b1e75bb3225d8e2ded07b

SHA512
5433e694b3a7e280ed8ad10d8dfaf7d7dae47db79c40e43d9f508059f1195364d9ffe6b587696f52908f7a9340042c17f7addae80a05bcd72359476e87ab813d

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe

Filesize
250KB

MD5
5d656c152b22ddd4f875306ca928243a

SHA1
177ff847aa898afa1b786077ae87b5ae0c7687c7

SHA256
4d87b0eb331443b473c90650d31b893d00373ff88dcbcb3747f494407799af69

SHA512
d5e50ee909ea06e69fc0d9999c6d142f9154e6f63462312b4e950cf6e26a7d395dbb50c8e2a8c4f4e1cfb7b2c6ae8ad19e3b7c204c20e7557daa1a0deb454160

Download Submit
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE

Filesize
279KB

MD5
f2056a3543ba9b6b6dde4346614b7f82

SHA1
139129616c3a9025a5cb16f9ad69018246bd9e2d

SHA256
2bab7d64d5327ca21ffd13df88b30431d0b8c0dd6cad8f4bb4db33eeb2b37d1e

SHA512
e11d1c65e046a0a6817cec4d17df1b7f5849fdb5b95527fdef78f0c433294fd2186037116a581ec3a66b07f1ab75cd8e60e408005cd64bc5eacc61a582da0942

Download Submit
C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe

Filesize
494KB

MD5
05bdfd8a3128ab14d96818f43ebe9c0e

SHA1
495cbbd020391e05d11c52aa23bdae7b89532eb7

SHA256
7b945c7e6b8bfbb489f003ecd1d0dcd4803042003de4646d4206114361a0fbbb

SHA512
8d9b9fc407986bd53fe3b56c96b7371cc782b4bac705253bfb0a2b0b1e6883fdb022f1ac87b8bfd7005291991b6a3dfbaceab54f5d494e0af70f0435a0b8b0da

Download Submit
C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE

Filesize
6.7MB

MD5
63dc05e27a0b43bf25f151751b481b8c

SHA1
b20321483dac62bce0aa0cef1d193d247747e189

SHA256
7d607fb69c69a72a5bf4305599279f46318312ce1082b6a34ac9100b8c7762ce

SHA512
374d705704d456cc5f9f79b7f465f6ec7c775dc43001c840e9d6efbbdef20926ed1fa97f8a9b1e73161e17f72520b96c05fa58ac86b3945208b405f9166e7ba3

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE

Filesize
526KB

MD5
e7cb97d01823a28baacd143bb69763d2

SHA1
57da05e51e99c57dc15315c01e45b6e449ad5683

SHA256
6b17d37bd79d02073875cf70964db625439d986de43c6e30d4aeb6934628eed5

SHA512
645c0dac58b8db7631453d3f0b2857724b3e192fddce63fd64d55f6bd7bc39501670b00ea1af8f4642dbc167897dd4ccc8a5cdb18a0587b49d5c8883d669d45d

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE

Filesize
674KB

MD5
97510a7d9bf0811a6ea89fad85a9f3f3

SHA1
2ac0c49b66a92789be65580a38ae9798237711db

SHA256
c48abbc29405559e68cc9f8fc6d218aa317a9d0023839c7846ca509c1f563fea

SHA512
2a93e2a3bd187fdde160f87ef777ccd1d1c398d547b7c869e6b64469b9418ad04d887cdfe94af7407476377bf2d009f576de3935c025b7aefbab26fbcd8f90fb

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE

Filesize
674KB

MD5
9c10a5ec52c145d340df7eafdb69c478

SHA1
57f3d99e41d123ad5f185fc21454367a7285db42

SHA256
ccf37e88447a7afdb0ba4351b8c5606dbb05b984fb133194d71bcc00d7be4e36

SHA512
2704cfd1a708bfca6db7c52467d3abf0b09313db0cdd1ea8e5d48504c8240c4bf24e677f17c5df9e3ac1f6a678e0328e73e951dc4481f35027cb03b2966dc38f

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE

Filesize
536KB

MD5
7a36ae2055dc8aa5791f86a0583197b4

SHA1
deade87912580a5386096768f569781a92dbb9d4

SHA256
64d1449187d26e3b769300335ed0fc5d31e2a2ee2264774ea9da2c396a6d8328

SHA512
e042b3338617366afa3bbcd0f589f632a63567149b78172acb16524b6c488c10649578416f992146b70506fc55f3a9a79624bb87aac21fa80658afc5b5693680

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE

Filesize
485KB

MD5
87f15006aea3b4433e226882a56f188d

SHA1
e3ad6beb8229af62b0824151dbf546c0506d4f65

SHA256
8d0045c74270281c705009d49441167c8a51ac70b720f84ff941b39fad220919

SHA512
b01a8af6dc836044d2adc6828654fa7a187c3f7ffe2a4db4c73021be6d121f9c1c47b1643513c3f25c0e1b5123b8ce2dc78b2ca8ce638a09c2171f158762c7c1

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE

Filesize
495KB

MD5
07e194ce831b1846111eb6c8b176c86e

SHA1
b9c83ec3b0949cb661878fb1a8b43a073e15baf1

SHA256
d882f673ddf40a7ea6d89ce25e4ee55d94a5ef0b5403aa8d86656fd960d0e4ac

SHA512
55f9b6d3199aa60d836b6792ae55731236fb2a99c79ce8522e07e579c64eabb88fa413c02632deb87a361dd8490361aa1424beed2e01ba28be220f8c676a1bb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.vbs

Filesize
13KB

MD5
e9c8efcf6823bdfb953fecf8d024953d

SHA1
2b19ced121cde60c3d4f56318fb5fd39cdff713c

SHA256
7ed4457fb7b013201ac170705d38085373b40621bd708dd6be2e40428b378ae2

SHA512
e3b2bd57e3f248bd07f3d9b19a1bc6b2a0d7310863f47af1ff82aab08a5351ba783229443ff2e7ead8a44649563741c80a9a44b3c46c8a1e5fbc643f6c09d71e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe

Filesize
76KB

MD5
4c66f44d49fbe99324009742575eddc3

SHA1
3b289ac7714e0093316ea439519940f67246aa31

SHA256
6a0caeb86e94e5d0b6a81f7bbb527ba3aee6a28f8703e411cfdcc58a8cdecd9d

SHA512
c6143d187a7b4e487ef51547db870a576a545c990e4746311724df119c09438ff25160e9021be961cd72161ddcb0170218784d7bbcd1362089e04085dd1c6e70

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\bfa88d05d2d9d73b13c25ff8b9040f5093b8caaafdb7ee41cfae880104280aff.exe

Filesize
76KB

MD5
4c66f44d49fbe99324009742575eddc3

SHA1
3b289ac7714e0093316ea439519940f67246aa31

SHA256
6a0caeb86e94e5d0b6a81f7bbb527ba3aee6a28f8703e411cfdcc58a8cdecd9d

SHA512
c6143d187a7b4e487ef51547db870a576a545c990e4746311724df119c09438ff25160e9021be961cd72161ddcb0170218784d7bbcd1362089e04085dd1c6e70

Download Submit
C:\Users\Admin\AppData\Local\Temp\CHROME~1.EXE

Filesize
29KB

MD5
b6aa0267b0fa5bb5b7f1ff111ff83e14

SHA1
c13b6428cfbe3745bbde215cf885c08326ecf26d

SHA256
d9f7c282b7555b959daca205f29ba949fccefebe4ff2d182574ba59149f93229

SHA512
4c8902da2cd60c54919fdb1ef2057b9138b555d3762cab93a5870d5b9fa44515c260cd5356454496bd262268a3d48bccd48498bc8a5fc5d1beaf89b12df5835e

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome123.exe

Filesize
29KB

MD5
b6aa0267b0fa5bb5b7f1ff111ff83e14

SHA1
c13b6428cfbe3745bbde215cf885c08326ecf26d

SHA256
d9f7c282b7555b959daca205f29ba949fccefebe4ff2d182574ba59149f93229

SHA512
4c8902da2cd60c54919fdb1ef2057b9138b555d3762cab93a5870d5b9fa44515c260cd5356454496bd262268a3d48bccd48498bc8a5fc5d1beaf89b12df5835e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dllhosst.exe

Filesize
23KB

MD5
f0555167dd95f465ea130463d61fd1e0

SHA1
31065e91646b86e3947ef74e838bfb299227b8ac

SHA256
1985563b022180572f58a8f11164b95310463cff012812e6545fc54b389e8072

SHA512
e0e9febd817a439fcca2e7b36620aea713047395cc95371d8ae756f45acac7b4ffbaa7955f09b48a017c68c2a8be362211c67a7b8496fd0685a37df78b673ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\dllhosst.exe

Filesize
23KB

MD5
f0555167dd95f465ea130463d61fd1e0

SHA1
31065e91646b86e3947ef74e838bfb299227b8ac

SHA256
1985563b022180572f58a8f11164b95310463cff012812e6545fc54b389e8072

SHA512
e0e9febd817a439fcca2e7b36620aea713047395cc95371d8ae756f45acac7b4ffbaa7955f09b48a017c68c2a8be362211c67a7b8496fd0685a37df78b673ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nj7.exe

Filesize
23KB

MD5
f0555167dd95f465ea130463d61fd1e0

SHA1
31065e91646b86e3947ef74e838bfb299227b8ac

SHA256
1985563b022180572f58a8f11164b95310463cff012812e6545fc54b389e8072

SHA512
e0e9febd817a439fcca2e7b36620aea713047395cc95371d8ae756f45acac7b4ffbaa7955f09b48a017c68c2a8be362211c67a7b8496fd0685a37df78b673ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nj7.exe

Filesize
23KB

MD5
f0555167dd95f465ea130463d61fd1e0

SHA1
31065e91646b86e3947ef74e838bfb299227b8ac

SHA256
1985563b022180572f58a8f11164b95310463cff012812e6545fc54b389e8072

SHA512
e0e9febd817a439fcca2e7b36620aea713047395cc95371d8ae756f45acac7b4ffbaa7955f09b48a017c68c2a8be362211c67a7b8496fd0685a37df78b673ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
29KB

MD5
b6aa0267b0fa5bb5b7f1ff111ff83e14

SHA1
c13b6428cfbe3745bbde215cf885c08326ecf26d

SHA256
d9f7c282b7555b959daca205f29ba949fccefebe4ff2d182574ba59149f93229

SHA512
4c8902da2cd60c54919fdb1ef2057b9138b555d3762cab93a5870d5b9fa44515c260cd5356454496bd262268a3d48bccd48498bc8a5fc5d1beaf89b12df5835e

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
29KB

MD5
b6aa0267b0fa5bb5b7f1ff111ff83e14

SHA1
c13b6428cfbe3745bbde215cf885c08326ecf26d

SHA256
d9f7c282b7555b959daca205f29ba949fccefebe4ff2d182574ba59149f93229

SHA512
4c8902da2cd60c54919fdb1ef2057b9138b555d3762cab93a5870d5b9fa44515c260cd5356454496bd262268a3d48bccd48498bc8a5fc5d1beaf89b12df5835e

Download Submit
C:\Windows\directx.sys

Filesize
46B

MD5
3e8cab484ae33dffd3bde1b23801c209

SHA1
0a73d311ac5f2d1a835d50995026750944ec9ff0

SHA256
80a758e8bcb71a6204cd86b7090ba040542b4841874db1bcdfc753abd9a449f0

SHA512
a6f829c39bbe9a30b067a940ce435c3168f6e4f33589c6c8f2d2287921bdab4fde2d9caca50d4be633d3270cfd1563568b0c1be399dee4cd5d446f0400ab3a1e

Download Submit
C:\Windows\directx.sys

Filesize
48B

MD5
3b21c2c4e413b577c7523593f33f5935

SHA1
8d4e51f9d8af7ae7c2c8ef442353acfdac7d63a8

SHA256
d8355076b4ae2bef5ca6f5165595f3214908d6886a4a7028d014725419c77451

SHA512
4d1f20b956a120665ca1fc868d3965a212a61516b4dbb03c0636e08b8ac567d4595fcfbfbf6642714392e97cf2e2c784e8a99eb748c1c1d99aacb88e75dafcab

Download Submit
C:\Windows\directx.sys

Filesize
48B

MD5
268b6b7439beb9155896852f216f371b

SHA1
ccaa6b3cd752ad0fc0aed419345c5628e70269a6

SHA256
8ce8d90ffc7e758fa2e0ca36337a57d5cde7d00dc6d8f8f0c6268156696abd25

SHA512
98769abf385f3f85f53fc9cefa858aaabdf7417b26b3d754f0a541607f819224b4ac60e6f845ce819e440cfbf4a9316f769e75d2819ab1b7aefa6d29d2215967

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\odt\OFFICE~1.EXE

Filesize
5.1MB

MD5
02c3d242fe142b0eabec69211b34bc55

SHA1
ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e

SHA256
2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842

SHA512
0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099

Download Submit
memory/852-157-0x0000000073D00000-0x00000000742B1000-memory.dmp

Filesize
5.7MB

Download
memory/852-181-0x0000000073D00000-0x00000000742B1000-memory.dmp

Filesize
5.7MB

Download
memory/852-141-0x0000000000000000-mapping.dmp

Download
memory/1408-135-0x0000000000000000-mapping.dmp

Download
memory/1584-132-0x0000000000000000-mapping.dmp

Download
memory/2072-180-0x0000000000000000-mapping.dmp

Download
memory/2072-183-0x0000000073D00000-0x00000000742B1000-memory.dmp

Filesize
5.7MB

Download
memory/2072-193-0x0000000073D00000-0x00000000742B1000-memory.dmp

Filesize
5.7MB

Download
memory/2420-136-0x0000000000000000-mapping.dmp

Download
memory/3112-154-0x0000000000000000-mapping.dmp

Download
memory/3112-158-0x0000000073D00000-0x00000000742B1000-memory.dmp

Filesize
5.7MB

Download
memory/3192-147-0x0000000000000000-mapping.dmp

Download
memory/3192-156-0x0000000073D00000-0x00000000742B1000-memory.dmp

Filesize
5.7MB

Download
memory/3272-142-0x0000000000000000-mapping.dmp

Download
memory/3384-176-0x0000000000000000-mapping.dmp

Download
memory/3484-192-0x0000000000000000-mapping.dmp

Download
memory/4448-150-0x0000000000000000-mapping.dmp

Download