Malware Analysis Report

2025-08-10 19:45

Sample ID 240131-mltvaacaej
Target 842ec0c5a3afcd6408899edf7d65c601
SHA256 a275f7e23c00c4e67adedc5ff76270984adcf0a8b0affd7b8e7c3690bcc37164
Tags
modiloader trojan
score
10/10


Analysis Overview

Threat Level: Known bad

The file 842ec0c5a3afcd6408899edf7d65c601 was found to be: Known bad.

Malicious Activity Summary

modiloader trojan

ModiLoader Second Stage

ModiLoader, DBatLoader

Modiloader family

Executes dropped EXE

Deletes itself

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK: Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-01-31 10:33

Signatures

ModiLoader Second Stage

1 row recorded, all fields N/A (no description, indicator, process or target)

Modiloader family

modiloader

Unsigned PE

1 row recorded, all fields N/A (no description, indicator, process or target)

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-31 10:33

Reported

2024-01-31 10:36

Platform

win10v2004-20231215-en

Max time kernel

92s

Max time network

163s

Command Line

"C:\Users\Admin\AppData\Local\Temp\842ec0c5a3afcd6408899edf7d65c601.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

10 rows recorded, all fields N/A (no description, indicator, process or target)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Favorites\netservice.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\Favorites\netservice.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4640 wrote to memory of 2384 (61 identical rows collapsed) N/A C:\Users\Admin\Favorites\netservice.exe C:\Windows\SysWOW64\svchost.exe
PID 3976 wrote to memory of 4248 (3 identical rows collapsed) N/A C:\Users\Admin\AppData\Local\Temp\842ec0c5a3afcd6408899edf7d65c601.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\842ec0c5a3afcd6408899edf7d65c601.exe

"C:\Users\Admin\AppData\Local\Temp\842ec0c5a3afcd6408899edf7d65c601.exe"

C:\Users\Admin\Favorites\netservice.exe

C:\Users\Admin\Favorites\netservice.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c del "C:\Users\Admin\AppData\Local\Temp\842ec0c5a3afcd6408899edf7d65c601.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2384 -ip 2384

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2384 -ip 2384

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 956

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 xxmnb.dnscq.cn udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
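
Of the nine DNS rows above, eight are reverse (PTR) lookups and one is a forward lookup for xxmnb.dnscq.cn, which the win7 run also records; the report does not say which process issued which query. For hunting, the forward name is the high-value indicator and the PTR targets, decoded back to addresses, are low-confidence context. The following is an added example by the editor, not code from the sandbox or from the report: it parses the rows exactly as printed, decodes the in-addr.arpa names, counts forward lookups and matches them (exact or subdomain) against a watchlist. DNS_ROWS is constructed from both Network tables of this report; WATCHLIST and the function names are this example's assumptions.

```python
# Added editorial example (not the sandbox's code). DNS_ROWS is constructed
# from the Network tables of both detonations; WATCHLIST and the function
# names are this example's assumptions.
import ipaddress
from collections import Counter

PTR_SUFFIX = ".in-addr.arpa"
WATCHLIST = {"xxmnb.dnscq.cn"}  # the only forward lookup the sandbox recorded

# "Country Destination Domain Proto" rows as the report prints them
DNS_ROWS = """\
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 xxmnb.dnscq.cn udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 xxmnb.dnscq.cn udp
"""


def ptr_to_ip(name: str):
    """'133.211.185.52.in-addr.arpa' -> '52.185.211.133'; None if not a PTR name."""
    if not name.lower().endswith(PTR_SUFFIX):
        return None
    octets = name[: -len(PTR_SUFFIX)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def parse_rows(text: str):
    """Yield (resolver, port, name, proto) per well-formed row; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _country, dest, name, proto = parts
        resolver, _, port = dest.rpartition(":")
        if resolver and port.isdigit():
            yield resolver, int(port), name.rstrip(".").lower(), proto


def on_watchlist(name: str, watchlist=WATCHLIST) -> bool:
    """Exact or subdomain match, so c2.xxmnb.dnscq.cn would also hit."""
    return any(name == w or name.endswith("." + w) for w in watchlist)


def triage(text: str, watchlist=WATCHLIST) -> dict:
    ptr_targets, forward = set(), Counter()
    for _resolver, _port, name, _proto in parse_rows(text):
        ip = ptr_to_ip(name)
        if ip:
            ptr_targets.add(ip)   # reverse lookups: background-noise candidates
        else:
            forward[name] += 1    # forward lookups: what the sample asked for
    return {
        "ptr_targets": sorted(ptr_targets, key=ipaddress.IPv4Address),
        "forward": forward,
        "watchlist_hits": sorted(n for n in forward if on_watchlist(n, watchlist)),
    }


if __name__ == "__main__":
    r = triage(DNS_ROWS)
    print("forward lookups:", dict(r["forward"]))
    print("watchlist hits:", r["watchlist_hits"])
    print("hosts behind PTR lookups:", r["ptr_targets"])
```

Feed the same function your resolver logs (one row per query in the same four-column shape) and the watchlist grows with each report; the PTR decoding is there so the eight addresses can be checked against your own egress records rather than treated as indicators on their own.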

Files

memory/3976-0-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\Favorites\netservice.exe

MD5 842ec0c5a3afcd6408899edf7d65c601
SHA1 dc2d8a2f75af40490f7f366a1b45d6df969b69a7
SHA256 a275f7e23c00c4e67adedc5ff76270984adcf0a8b0affd7b8e7c3690bcc37164
SHA512 a04697db0306316e96587a307bd60087a9dbae6680b69421f6c3d55021d7de0aa4dc444b82776afe7d4e54de3f7d4a0a5b24022f4d0f4548a80e0c188590f997

memory/3976-5-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2384-7-0x00000000004A0000-0x00000000004A1000-memory.dmp

memory/2384-8-0x0000000000560000-0x0000000000561000-memory.dmp

memory/3976-23-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4640-49-0x0000000010410000-0x0000000010465000-memory.dmp

memory/2384-52-0x00000000024F0000-0x00000000024F1000-memory.dmp

memory/2384-53-0x0000000010410000-0x0000000010465000-memory.dmp

memory/2384-54-0x0000000010410000-0x0000000010465000-memory.dmp

memory/2384-55-0x0000000010410000-0x0000000010465000-memory.dmp

memory/2384-57-0x0000000010410000-0x0000000010465000-memory.dmp

memory/4640-58-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2384-59-0x0000000010410000-0x0000000010465000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-31 10:33

Reported

2024-01-31 10:36

Platform

win7-20231215-en

Max time kernel

120s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\842ec0c5a3afcd6408899edf7d65c601.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

4 rows recorded, all fields N/A (no description, indicator, process or target)

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Favorites\netservice.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\Favorites\netservice.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2252 wrote to memory of 1832 (4 identical rows collapsed) N/A C:\Users\Admin\AppData\Local\Temp\842ec0c5a3afcd6408899edf7d65c601.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 2508 (60 identical rows collapsed) N/A C:\Users\Admin\Favorites\netservice.exe C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\842ec0c5a3afcd6408899edf7d65c601.exe

"C:\Users\Admin\AppData\Local\Temp\842ec0c5a3afcd6408899edf7d65c601.exe"

C:\Users\Admin\Favorites\netservice.exe

C:\Users\Admin\Favorites\netservice.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c del "C:\Users\Admin\AppData\Local\Temp\842ec0c5a3afcd6408899edf7d65c601.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\System32\svchost.exe
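
Both detonations record the same chain: the sample spawns cmd.exe with cmd /c del on its own path, and the dropped copy netservice.exe enables SeDebugPrivilege and writes to a freshly started SysWOW64\svchost.exe dozens of times (61 rows in the win10 run, 60 in the win7 run). Those two behaviours are what an endpoint rule should key on. The following is an added example by the editor, not code from the sandbox or from ModiLoader: it replays the report's rows as a small event stream and flags (1) a binary outside System32/SysWOW64 writing into a Windows host process, aggregated per source/target pair so the repeated rows yield one finding with a count, and (2) a child cmd.exe deleting its parent's image. The Event fields, the rule names and the parent links are assumptions of this example; the report prints no process tree, so the links are inferred from which process wrote to which.

```python
# Added editorial example (not the sandbox's or ModiLoader's code). EVENTS is
# constructed from the report's rows; field names, rule names and the parent
# links (inferred from who wrote to whom) are assumptions of this example.
from __future__ import annotations

import ntpath
import shlex
from collections import Counter
from dataclasses import dataclass

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
HOST_PROCESSES = {"svchost.exe"}  # common injection hosts; extend for your estate


@dataclass(frozen=True)
class Event:
    kind: str                # "process_create" or "write_memory"
    pid: int
    image: str
    parent_pid: int = 0      # process_create: creator (inferred here)
    parent_image: str = ""
    cmdline: str = ""
    target_pid: int = 0      # write_memory: process written to
    target_image: str = ""


def deleted_path(cmdline: str) -> str | None:
    """Path deleted by a `cmd /c del "<path>"` command line, else None."""
    try:  # non-POSIX mode keeps backslashes and quotes, so a quoted path stays one token
        argv = shlex.split(cmdline, posix=False)
    except ValueError:
        return None
    low = [a.lower() for a in argv]
    if not low or ntpath.basename(low[0]) not in ("cmd", "cmd.exe") or "/c" not in low or "del" not in low:
        return None
    args = [a.strip('"') for a in argv[low.index("del") + 1:] if not a.startswith("/")]
    return args[0] if args else None


def analyze(events: list[Event]) -> list[tuple[str, int, str]]:
    """Return (rule, pid, detail) findings for the two behaviours the report shows."""
    findings = []

    # Rule 1: a binary outside System32/SysWOW64 writes into a Windows host process.
    # Aggregate per (source, target) pair so 61 identical rows yield one finding.
    writes: Counter[tuple[int, str, int, str]] = Counter()
    for e in events:
        if e.kind == "write_memory":
            writes[(e.pid, e.image, e.target_pid, e.target_image)] += 1
    for (pid, image, tpid, timage), n in writes.items():
        if not image.lower().startswith(SYSTEM_DIRS) and ntpath.basename(timage).lower() in HOST_PROCESSES:
            findings.append(("inject_into_host_process", pid,
                             f"{ntpath.basename(image)} -> {timage} (pid {tpid}), {n} WriteProcessMemory calls"))

    # Rule 2: a child cmd.exe deletes its parent's own image (self-deletion).
    for e in events:
        victim = deleted_path(e.cmdline) if e.kind == "process_create" else None
        if victim and victim.lower() == e.parent_image.lower():
            findings.append(("self_delete_via_cmd", e.pid, f"cmd.exe (pid {e.pid}) deletes parent image {victim}"))
    return findings


# --- constructed input, mirroring the report's rows ---------------------------
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\842ec0c5a3afcd6408899edf7d65c601.exe"
DROPPED = r"C:\Users\Admin\Favorites\netservice.exe"
SVCHOST = r"C:\Windows\SysWOW64\svchost.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
DEL_CMD = f'cmd /c del "{SAMPLE}"'


def detonation(sample, cmd, dropped, svchost, cmd_writes, svchost_writes):
    """One run's events: four process creates plus the WriteProcessMemory rows."""
    ev = [
        Event("process_create", sample, SAMPLE),
        Event("process_create", cmd, CMD, parent_pid=sample, parent_image=SAMPLE, cmdline=DEL_CMD),
        Event("process_create", dropped, DROPPED),
        Event("process_create", svchost, SVCHOST, parent_pid=dropped, parent_image=DROPPED),
    ]
    ev += [Event("write_memory", sample, SAMPLE, target_pid=cmd, target_image=CMD)] * cmd_writes
    ev += [Event("write_memory", dropped, DROPPED, target_pid=svchost, target_image=SVCHOST)] * svchost_writes
    return ev


# behavioral2 (win10v2004): 3976/4248/4640/2384; behavioral1 (win7): 2252/1832/2232/2508
EVENTS = detonation(3976, 4248, 4640, 2384, 3, 61) + detonation(2252, 1832, 2232, 2508, 4, 60)

if __name__ == "__main__":
    for rule, pid, detail in analyze(EVENTS):
        print(f"[{rule}] pid {pid}: {detail}")
```

Note that the sample's own three or four writes into cmd.exe do not fire rule 1: a parent writing into the child it just created is ordinary process start-up, which is why the rule keys on the target being a Windows host process and the source living outside the system directories rather than on WriteProcessMemory alone.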

Network

Country Destination Domain Proto
US 8.8.8.8:53 xxmnb.dnscq.cn udp

Files

C:\Users\Admin\Favorites\netservice.exe

MD5 842ec0c5a3afcd6408899edf7d65c601
SHA1 dc2d8a2f75af40490f7f366a1b45d6df969b69a7
SHA256 a275f7e23c00c4e67adedc5ff76270984adcf0a8b0affd7b8e7c3690bcc37164
SHA512 a04697db0306316e96587a307bd60087a9dbae6680b69421f6c3d55021d7de0aa4dc444b82776afe7d4e54de3f7d4a0a5b24022f4d0f4548a80e0c188590f997

memory/2252-3-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2508-8-0x00000000000A0000-0x00000000000A1000-memory.dmp

memory/2508-13-0x00000000000E0000-0x00000000000E1000-memory.dmp

memory/2508-5-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2508-214-0x0000000010410000-0x0000000010465000-memory.dmp

memory/2508-232-0x0000000010410000-0x0000000010465000-memory.dmp
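
The memory dump names in the two Files sections encode a PID, a snapshot sequence number and an address range. Reading them shows the range 0x10410000-0x10465000 (0x55000 bytes) in netservice.exe (PID 4640) and in svchost.exe in both runs (PIDs 2384 and 2508), while 0x00400000-0x0042B000 appears only in the loader's own processes (3976, 4640, 2252; netservice.exe carries the same MD5/SHA1/SHA256/SHA512 as the sample, so it is the same image). The following is an added example by the editor, not code from the sandbox: it parses the names and reports ranges shared across processes, marking those shared across different binaries, which is the shape a payload mapped at a fixed base into a second process leaves behind. DUMPS is constructed from both Files sections; the regex, the function names and the PID-to-image map (taken from the WriteProcessMemory rows and the Files hashes) are this example's assumptions.

```python
# Added editorial example (not the sandbox's code). DUMPS is constructed from
# the Files sections of both detonations; the regex, the function names and
# the PID -> image map are this example's assumptions.
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# The sample and netservice.exe have identical hashes, so both count as one image.
LOADER = "loader a275f7e2 (sample / netservice.exe)"
IMAGE_OF = {
    3976: LOADER, 4640: LOADER, 2384: "svchost.exe",   # win10v2004 run
    2252: LOADER, 2232: LOADER, 2508: "svchost.exe",   # win7 run
}

DUMPS = """
memory/3976-0-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3976-5-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2384-7-0x00000000004A0000-0x00000000004A1000-memory.dmp
memory/2384-8-0x0000000000560000-0x0000000000561000-memory.dmp
memory/3976-23-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4640-49-0x0000000010410000-0x0000000010465000-memory.dmp
memory/2384-52-0x00000000024F0000-0x00000000024F1000-memory.dmp
memory/2384-53-0x0000000010410000-0x0000000010465000-memory.dmp
memory/2384-54-0x0000000010410000-0x0000000010465000-memory.dmp
memory/2384-55-0x0000000010410000-0x0000000010465000-memory.dmp
memory/2384-57-0x0000000010410000-0x0000000010465000-memory.dmp
memory/4640-58-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2384-59-0x0000000010410000-0x0000000010465000-memory.dmp
memory/2252-3-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2508-8-0x00000000000A0000-0x00000000000A1000-memory.dmp
memory/2508-13-0x00000000000E0000-0x00000000000E1000-memory.dmp
memory/2508-5-0x0000000000080000-0x0000000000081000-memory.dmp
memory/2508-214-0x0000000010410000-0x0000000010465000-memory.dmp
memory/2508-232-0x0000000010410000-0x0000000010465000-memory.dmp
"""


def parse_dump(name: str):
    """Split a dump file name into pid, snapshot sequence, start, end and size."""
    m = DUMP_RE.match(name.strip())
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        return None
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end, "size": end - start}


def shared_regions(names: str, image_of=IMAGE_OF) -> dict:
    """Ranges dumped from more than one process, keyed 'start-end'.

    cross_image is True when one range shows up in different binaries: a
    payload mapped at the same base into a second process looks like that,
    whereas the same EXE loaded twice at its image base does not.
    """
    by_region = defaultdict(set)
    for n in names.split():
        d = parse_dump(n)
        if d:
            by_region[(d["start"], d["end"])].add(d["pid"])
    out = {}
    for (start, end), pids in sorted(by_region.items()):
        if len(pids) < 2:
            continue
        images = sorted({image_of.get(p, f"pid{p}") for p in pids})
        out[f"0x{start:08X}-0x{end:08X}"] = {
            "size": end - start, "pids": sorted(pids), "images": images,
            "cross_image": len(images) > 1,
        }
    return out


if __name__ == "__main__":
    for region, info in shared_regions(DUMPS).items():
        flag = "CROSS-IMAGE" if info["cross_image"] else "same image"
        print(region, hex(info["size"]), info["pids"], info["images"], flag)
```

The cross-image range is the one to pull from the sandbox and unpack: in the win10 run it was dumped from svchost.exe five times (sequence 53 to 59) before that process crashed into WerFault, and in the win7 run twice (214, 232), so the payload was resident well before the crash.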