Analysis
- max time kernel: 150s
- max time network: 30s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 14-03-2023 06:26
Static task: static1
Behavioral task: behavioral1
Sample: 902097F4EC380243ED8F72D31297F81C9E99495A66D0B.exe
Resource: win7-20230220-en
General
- Target: 902097F4EC380243ED8F72D31297F81C9E99495A66D0B.exe
- Size: 726KB
- MD5: 72c37e7b272b24d47d59d7b269e7a56e
- SHA1: b3d9fbc7bd64ead22b08429a6222f172ea288a88
- SHA256: 902097f4ec380243ed8f72d31297f81c9e99495a66d0bfb550fcdc753b7590c4
- SHA512: 0c0592b3aaceaf4df444bfaad8c356ac02b894df62c3acd5579a2e94d8dd41b314358c888ecc459139e137688df27d48e4632f92987129fc8dc1f4ac7f3e360e
- SSDEEP: 12288:PToPWBv/cpGrU3ywnmKUxBxOC+kye9SI4zJEeG5KI2YtWyBAV:PTbBv5rUXmKoaC+fzGemKI2qc
Malware Config
Extracted
- njrat
- 0.7d
- HacKed
- Ni50Y3AuZXUubmdyb2suaW8Strik:MTA3MTI=
- 9dd06b690cd90c449e471e22f62d779d
- reg_key: 9dd06b690cd90c449e471e22f62d779d
- splitter: |'|'|
Signatures
-
Detect Neshta payload 10 IoCs
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\Server.exe | family_neshta
\Users\Admin\AppData\Local\Temp\Server.exe | family_neshta
\Users\Admin\AppData\Local\Temp\Server.exe | family_neshta
C:\Users\Admin\AppData\Local\Temp\Server.exe | family_neshta
\Users\Admin\AppData\Local\Temp\Server.exe | family_neshta
C:\Users\Admin\AppData\Local\Temp\Server.exe | family_neshta
C:\Users\Admin\AppData\Local\Temp\Server.exe | family_neshta
behavioral1/memory/1828-198-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/1828-201-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/1828-204-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe" | Trojan.exe
Neshta
Malware from the Neshta family infects other files with copies of itself in order to spread and cause damage.
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Drops startup file 2 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | Server.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | Server.exe
Executes dropped EXE 4 IoCs
Processes:
pid | process
268 | Desktop.exe
1828 | Server.exe
1444 | Trojan.exe
340 | Server.exe
Loads dropped DLL 11 IoCs
Processes:
pid | process
1100 | cmd.exe
268 | Desktop.exe (7 entries)
1828 | Server.exe (3 entries)
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | Server.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes (yara_rule upx):
resource | yara_rule
\Users\Admin\AppData\Local\Temp\Trojan.exe | upx
\Users\Admin\AppData\Local\Temp\Trojan.exe | upx
\Users\Admin\AppData\Local\Temp\Trojan.exe | upx
C:\Users\Admin\AppData\Local\Temp\Trojan.exe | upx
C:\Users\Admin\AppData\Local\Temp\Trojan.exe | upx
behavioral1/memory/1444-123-0x0000000000400000-0x0000000000480000-memory.dmp | upx
behavioral1/memory/1444-199-0x0000000000400000-0x0000000000480000-memory.dmp | upx
behavioral1/memory/1444-205-0x0000000000400000-0x0000000000480000-memory.dmp | upx
behavioral1/memory/1444-209-0x0000000000400000-0x0000000000480000-memory.dmp | upx
behavioral1/memory/1444-216-0x0000000000400000-0x0000000000480000-memory.dmp | upx
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | Trojan.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\userini = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe" | Trojan.exe
Drops file in System32 directory 1 IoCs
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\Explorer.exe | Server.exe
Drops file in Program Files directory 64 IoCs
Processes: Server.exe
description: File opened for modification (all 64 entries, process Server.exe); ioc:
- C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE
- C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE
- C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE
- C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE
- C:\PROGRA~2\WINDOW~1\wab.exe
- C:\PROGRA~2\WINDOW~1\WinMail.exe
- C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE
- C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE
- C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE
- C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
- C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE
- C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE
- C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
- C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE
- C:\PROGRA~2\MICROS~1\Office14\misc.exe
- C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE
- C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe
- C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
- C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE
- C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE
- C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE
- C:\PROGRA~2\INTERN~1\ieinstal.exe
- C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE
- C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE
- C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe
- C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
- C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE
- C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE
- C:\PROGRA~2\WI54FB~1\wmprph.exe
- C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
- C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE
- C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE
- C:\PROGRA~2\Google\Update\DISABL~1.EXE
- C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE
- C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe
- C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
- C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe
- C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE
- C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE
- C:\PROGRA~2\INTERN~1\ielowutil.exe
- C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
- C:\PROGRA~2\WI4223~1\sidebar.exe
- C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE
- C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE
- C:\PROGRA~2\INTERN~1\iexplore.exe
- C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE
- C:\PROGRA~2\WI54FB~1\wmplayer.exe
- C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe
- C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE
- C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE
- C:\PROGRA~2\MICROS~1\Office14\OIS.EXE
- C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE
- C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE
- C:\PROGRA~2\WINDOW~4\ImagingDevices.exe
- C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE
- C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE
- C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE
- C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE
- C:\PROGRA~2\WI54FB~1\setup_wm.exe
- C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE
- C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE
- C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE
- C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE
- C:\PROGRA~2\WI54FB~1\WMPDMC.exe
Drops file in Windows directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\svchost.com | Server.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | Server.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
1444 | Trojan.exe (64 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
340 | Server.exe
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
pid | process
1444 | Trojan.exe (64 entries)
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
description | pid | process | target process
PID 1136 wrote to memory of 1100 | 1136 | 902097F4EC380243ED8F72D31297F81C9E99495A66D0B.exe | cmd.exe (4 entries)
PID 1100 wrote to memory of 268 | 1100 | cmd.exe | Desktop.exe (4 entries)
PID 268 wrote to memory of 1828 | 268 | Desktop.exe | Server.exe (4 entries)
PID 268 wrote to memory of 1444 | 268 | Desktop.exe | Trojan.exe (4 entries)
PID 1828 wrote to memory of 340 | 1828 | Server.exe | Server.exe (4 entries)
PID 340 wrote to memory of 600 | 340 | Server.exe | netsh.exe (4 entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\902097F4EC380243ED8F72D31297F81C9E99495A66D0B.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\902097F4EC380243ED8F72D31297F81C9E99495A66D0B.exe"
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\111.bat" "
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\Desktop.exe
      Command line: Desktop.exe -p112233
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\Server.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Modifies system executable filetype association
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
        - [5] C:\Users\Admin\AppData\Local\Temp\3582-490\Server.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\Server.exe"
          - Drops startup file
          - Executes dropped EXE
          - Drops file in System32 directory
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of WriteProcessMemory
          - [6] C:\Windows\SysWOW64\netsh.exe
            Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\3582-490\Server.exe" "Server.exe" ENABLE
            - Modifies Windows Firewall
      - [4] C:\Users\Admin\AppData\Local\Temp\Trojan.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
        - Modifies WinLogon for persistence
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
- [1] C:\Windows\explorer.exe
  Command line: explorer.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\111.bat
Filesize: 37B
MD5: 994e9a9fe5fa30692b87870dd13fc44e
SHA1: d7ddee92720ae22f292be010fb05e59084a0c7d0
SHA256: ead19bebff360ad750f7615c93d16d191b6ea841db1280e1063dbf1c37143462
SHA512: 20d61c201e72d385db988debb023a03ed245dc75c9df019e8928dcfe6a1e052a4b837a50e9da62af802c82259dae1d28a9f2ffec23e344f9a648b0dc9da07e71
-
C:\Users\Admin\AppData\Local\Temp\3582-490\Server.exe
Filesize: 93KB
MD5: 35211dce668b1a3f17aa7ff35d002954
SHA1: a0a67c344cae646e02aa152bc1f3ae50066ebe57
SHA256: 60064d93898e8228a90d538e44610b43c44a67d523feacb55691735853541d3a
SHA512: 9ca5cdf8c52b9dc12fa02ae37893d2271dd6605bb1a9df8481a2cb12ded1caf0139f045d6c9c90babc58cd6515deed436694c4a6ab899cbaa1fd5ada4d489c56
-
C:\Users\Admin\AppData\Local\Temp\Desktop.exe
Filesize: 530KB
MD5: 070ffb07fcc3bfacf5d10c1167c04ebd
SHA1: 06409f442c336b7ff8f5f89d10dc004834e2b58d
SHA256: 2a9ae2ae3629bebaa441c6cf63c34ed1a0c515bbcbf0051cc2d369d80d0656e4
SHA512: 0f1cc0fd43ebd817632192b8265f1ec5d5bfa96833e239cb2f6475e371d09b72a8b971d0fecab81d96540ce1f11f0f0db8b5069ac335a09160383f8284380c6b
-
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize: 133KB
MD5: 44affd0d82f9b8ef809053dba991a14a
SHA1: e63398e4b374ffc20a0d3fea78dac657bd49f6de
SHA256: d05edda2b7c085bbed3d5be4ba7b0dc00e807dfdcdcb67a30c9e24f96fed857b
SHA512: 703a8da05add8c126f1b95808226021d572156b3b5e1ef7f2da0414535ec40953cd3656f060faba40c62811aa2189d396e130bcfccc42bc9b116ff2e3d96d049
-
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
Filesize: 191KB
MD5: cbf03e76dd374d72d6c9ebaa91fa57fd
SHA1: cfdcdb57f2b8c94e8b444ad27060ed9361274047
SHA256: f65d32dd4fb43fc87d7ef442add87f058a52ff89702d76eae08d2c406a6fb554
SHA512: 56e4fe29e1dd6fd48c2e17a72961a36cdf8b352c0c453fbeb5959368bacfa69fa2c5339c0a5d674973f82a0cb75470a44e3b1acce9afe92bd5a0c2ddce190062
-
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\MICROS~1.EXE
Filesize: 93KB
MD5: 35211dce668b1a3f17aa7ff35d002954
SHA1: a0a67c344cae646e02aa152bc1f3ae50066ebe57
SHA256: 60064d93898e8228a90d538e44610b43c44a67d523feacb55691735853541d3a
SHA512: 9ca5cdf8c52b9dc12fa02ae37893d2271dd6605bb1a9df8481a2cb12ded1caf0139f045d6c9c90babc58cd6515deed436694c4a6ab899cbaa1fd5ada4d489c56
-
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
Filesize: 252KB
MD5: 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1: ec66cda99f44b62470c6930e5afda061579cde35
SHA256: 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512: 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
-
\Users\Admin\AppData\Local\Temp\3582-490\Server.exe
Filesize: 93KB
MD5: 35211dce668b1a3f17aa7ff35d002954
SHA1: a0a67c344cae646e02aa152bc1f3ae50066ebe57
SHA256: 60064d93898e8228a90d538e44610b43c44a67d523feacb55691735853541d3a
SHA512: 9ca5cdf8c52b9dc12fa02ae37893d2271dd6605bb1a9df8481a2cb12ded1caf0139f045d6c9c90babc58cd6515deed436694c4a6ab899cbaa1fd5ada4d489c56
-
\Users\Admin\AppData\Local\Temp\Desktop.exe
Filesize: 530KB
MD5: 070ffb07fcc3bfacf5d10c1167c04ebd
SHA1: 06409f442c336b7ff8f5f89d10dc004834e2b58d
SHA256: 2a9ae2ae3629bebaa441c6cf63c34ed1a0c515bbcbf0051cc2d369d80d0656e4
SHA512: 0f1cc0fd43ebd817632192b8265f1ec5d5bfa96833e239cb2f6475e371d09b72a8b971d0fecab81d96540ce1f11f0f0db8b5069ac335a09160383f8284380c6b
-
\Users\Admin\AppData\Local\Temp\Server.exe
Filesize: 133KB
MD5: 44affd0d82f9b8ef809053dba991a14a
SHA1: e63398e4b374ffc20a0d3fea78dac657bd49f6de
SHA256: d05edda2b7c085bbed3d5be4ba7b0dc00e807dfdcdcb67a30c9e24f96fed857b
SHA512: 703a8da05add8c126f1b95808226021d572156b3b5e1ef7f2da0414535ec40953cd3656f060faba40c62811aa2189d396e130bcfccc42bc9b116ff2e3d96d049
-
\Users\Admin\AppData\Local\Temp\Trojan.exe
Filesize: 191KB
MD5: cbf03e76dd374d72d6c9ebaa91fa57fd
SHA1: cfdcdb57f2b8c94e8b444ad27060ed9361274047
SHA256: f65d32dd4fb43fc87d7ef442add87f058a52ff89702d76eae08d2c406a6fb554
SHA512: 56e4fe29e1dd6fd48c2e17a72961a36cdf8b352c0c453fbeb5959368bacfa69fa2c5339c0a5d674973f82a0cb75470a44e3b1acce9afe92bd5a0c2ddce190062
-
memory/340-122-0x00000000002E0000-0x0000000000320000-memory.dmp | Filesize: 256KB
memory/340-200-0x00000000002E0000-0x0000000000320000-memory.dmp | Filesize: 256KB
memory/1444-121-0x0000000000230000-0x0000000000231000-memory.dmp | Filesize: 4KB
memory/1444-199-0x0000000000400000-0x0000000000480000-memory.dmp | Filesize: 512KB
memory/1444-123-0x0000000000400000-0x0000000000480000-memory.dmp | Filesize: 512KB
memory/1444-205-0x0000000000400000-0x0000000000480000-memory.dmp | Filesize: 512KB
memory/1444-209-0x0000000000400000-0x0000000000480000-memory.dmp | Filesize: 512KB
memory/1444-216-0x0000000000400000-0x0000000000480000-memory.dmp | Filesize: 512KB
memory/1828-198-0x0000000000400000-0x000000000041B000-memory.dmp | Filesize: 108KB
memory/1828-201-0x0000000000400000-0x000000000041B000-memory.dmp | Filesize: 108KB
memory/1828-204-0x0000000000400000-0x000000000041B000-memory.dmp | Filesize: 108KB