neshta | b01cccb830d97e6b2c9eef1eee84993dfda404fb5a7c9bcdd95d9d3f25f0cfe9

Analysis

max time kernel
123s
max time network
255s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-02-2025 18:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NL ORG - MasterRDP.zip
Size

2.5MB
MD5

833a2f56f35ae582bdfbf49f265dcfc3
SHA1

bf063ddebf6c1429114a0db80c64e0dba3d655a2
SHA256

b01cccb830d97e6b2c9eef1eee84993dfda404fb5a7c9bcdd95d9d3f25f0cfe9
SHA512

36f728dc7c92d211915b08ded55e1973da500b99a0b29842bec91a2f74ea3c520db0342a5fbad46d89e8a5a2ddf56c3e0bd83a3dd207a49582b71128b6ec64bc
SSDEEP

49152:XH/Jev9V1ZFPsXkERNkamWmLxm6HwurcU4pEyfagxbybJeQdthmLcpoYK8e7GB78:BiZFePNkjW0xdwC3K7Co2JltRGF8dVVK

Score

10^/10

neshta defense_evasion discovery persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 6 IoCs

resource	yara_rule
behavioral1/files/0x0008000000016d50-5.dat	family_neshta
behavioral1/files/0x0007000000010348-14.dat	family_neshta
behavioral1/memory/2988-122-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2988-124-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x0007000000016e74-126.dat	family_neshta
behavioral1/memory/316-134-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Executes dropped EXE 3 IoCs

pid	Process
2988	Keygen.exe
1004	Keygen.exe
316	svchost.com

Loads dropped DLL 2 IoCs

pid	Process
2988	Keygen.exe
2988	Keygen.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	Keygen.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

System Binary Proxy Execution: Verclsid 1 TTPs 1 IoCs

Adversaries may abuse Verclsid to proxy execution of malicious code.

defense_evasion

Verclsid

T1218.012

pid	Process
2556	verclsid.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1004	Keygen.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	Keygen.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	Keygen.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	Keygen.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	Keygen.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	Keygen.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	Keygen.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	Keygen.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	Keygen.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	Keygen.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	Keygen.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	Keygen.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	Keygen.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	Keygen.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	Keygen.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	Keygen.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	Keygen.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	Keygen.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	Keygen.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	Keygen.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	Keygen.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	Keygen.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	Keygen.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	Keygen.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	Keygen.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	Keygen.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	Keygen.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	Keygen.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	Keygen.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	Keygen.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	Keygen.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	Keygen.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	Keygen.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	Keygen.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	Keygen.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	Keygen.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	Keygen.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	Keygen.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	Keygen.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	Keygen.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	Keygen.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	Keygen.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	Keygen.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	Keygen.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	Keygen.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	Keygen.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	Keygen.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	Keygen.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	Keygen.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	Keygen.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	Keygen.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	Keygen.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	Keygen.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	Keygen.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	Keygen.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	Keygen.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	Keygen.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	Keygen.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	Keygen.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	Keygen.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	Keygen.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	Keygen.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	Keygen.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	Keygen.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	Keygen.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	Keygen.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keygen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keygen.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	Keygen.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1004	Keygen.exe
1004	Keygen.exe
680	chrome.exe
680	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2532	7zG.exe
Token: 35	2532	7zG.exe
Token: SeSecurityPrivilege	2532	7zG.exe
Token: SeSecurityPrivilege	2532	7zG.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2532	7zG.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe
680	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 1004	2988	Keygen.exe	36
PID 2988 wrote to memory of 1004	2988	Keygen.exe	36
PID 2988 wrote to memory of 1004	2988	Keygen.exe	36
PID 2988 wrote to memory of 1004	2988	Keygen.exe	36
PID 316 wrote to memory of 680	316	svchost.com	39
PID 316 wrote to memory of 680	316	svchost.com	39
PID 316 wrote to memory of 680	316	svchost.com	39
PID 316 wrote to memory of 680	316	svchost.com	39
PID 680 wrote to memory of 392	680	chrome.exe	40
PID 680 wrote to memory of 392	680	chrome.exe	40
PID 680 wrote to memory of 392	680	chrome.exe	40
PID 680 wrote to memory of 1096	680	chrome.exe	42
PID 680 wrote to memory of 1096	680	chrome.exe	42
PID 680 wrote to memory of 1096	680	chrome.exe	42
PID 680 wrote to memory of 1096	680	chrome.exe	42
PID 680 wrote to memory of 1096	680	chrome.exe	42
PID 680 wrote to memory of 1096	680	chrome.exe	42
PID 680 wrote to memory of 1096	680	chrome.exe	42
PID 680 wrote to memory of 1096	680	chrome.exe	42
PID 680 wrote to memory of 1096	680	chrome.exe	42
PID 680 wrote to memory of 1096	680	chrome.exe	42
PID 680 wrote to memory of 1096	680	chrome.exe	42
PID 680 wrote to memory of 1096	680	chrome.exe	42
PID 680 wrote to memory of 1096	680	chrome.exe	42
PID 680 wrote to memory of 1096	680	chrome.exe	42
PID 680 wrote to memory of 1096	680	chrome.exe	42
PID 680 wrote to memory of 1096	680	chrome.exe	42
PID 680 wrote to memory of 1096	680	chrome.exe	42
PID 680 wrote to memory of 1096	680	chrome.exe	42
PID 680 wrote to memory of 1096	680	chrome.exe	42
PID 680 wrote to memory of 1096	680	chrome.exe	42
PID 680 wrote to memory of 1096	680	chrome.exe	42
PID 680 wrote to memory of 1096	680	chrome.exe	42
PID 680 wrote to memory of 1096	680	chrome.exe	42
PID 680 wrote to memory of 1096	680	chrome.exe	42
PID 680 wrote to memory of 1096	680	chrome.exe	42
PID 680 wrote to memory of 1096	680	chrome.exe	42
PID 680 wrote to memory of 1096	680	chrome.exe	42
PID 680 wrote to memory of 1096	680	chrome.exe	42
PID 680 wrote to memory of 1096	680	chrome.exe	42
PID 680 wrote to memory of 1096	680	chrome.exe	42
PID 680 wrote to memory of 1096	680	chrome.exe	42
PID 680 wrote to memory of 1096	680	chrome.exe	42
PID 680 wrote to memory of 1096	680	chrome.exe	42
PID 680 wrote to memory of 1096	680	chrome.exe	42
PID 680 wrote to memory of 1096	680	chrome.exe	42
PID 680 wrote to memory of 1096	680	chrome.exe	42
PID 680 wrote to memory of 1096	680	chrome.exe	42
PID 680 wrote to memory of 1096	680	chrome.exe	42
PID 680 wrote to memory of 1096	680	chrome.exe	42
PID 680 wrote to memory of 2268	680	chrome.exe	43
PID 680 wrote to memory of 2268	680	chrome.exe	43
PID 680 wrote to memory of 2268	680	chrome.exe	43
PID 680 wrote to memory of 2292	680	chrome.exe	44
PID 680 wrote to memory of 2292	680	chrome.exe	44
PID 680 wrote to memory of 2292	680	chrome.exe	44
PID 680 wrote to memory of 2292	680	chrome.exe	44
PID 680 wrote to memory of 2292	680	chrome.exe	44
PID 680 wrote to memory of 2292	680	chrome.exe	44
PID 680 wrote to memory of 2292	680	chrome.exe	44
PID 680 wrote to memory of 2292	680	chrome.exe	44
PID 680 wrote to memory of 2292	680	chrome.exe	44
PID 680 wrote to memory of 2292	680	chrome.exe	44
PID 680 wrote to memory of 2292	680	chrome.exe	44

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\NL ORG - MasterRDP.zip"
1⤵
PID:1784

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
1⤵
- System Binary Proxy Execution: Verclsid
PID:2556

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\NL ORG - MasterRDP\" -spe -an -ai#7zMap10774:116:7zEvent2435
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2532

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\NL ORG - MasterRDP\hwid.txt
1⤵
PID:2512

C:\Users\Admin\AppData\Local\Temp\NL ORG - MasterRDP\Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\NL ORG - MasterRDP\Keygen.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Users\Admin\AppData\Local\Temp\3582-490\Keygen.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\Keygen.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1004

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:316
- C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
  C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:680
- - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
    C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6349758,0x7fef6349768,0x7fef6349778
    3⤵
    PID:392
- - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
    "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1140 --field-trial-handle=1268,i,18101201233126847197,5935997193705367783,131072 /prefetch:2
    3⤵
    PID:1096
- - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
    "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1500 --field-trial-handle=1268,i,18101201233126847197,5935997193705367783,131072 /prefetch:8
    3⤵
    PID:2268
- - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
    "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1476 --field-trial-handle=1268,i,18101201233126847197,5935997193705367783,131072 /prefetch:8
    3⤵
    PID:2292
- - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
    "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2260 --field-trial-handle=1268,i,18101201233126847197,5935997193705367783,131072 /prefetch:1
    3⤵
    PID:2884
- - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
    "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2268 --field-trial-handle=1268,i,18101201233126847197,5935997193705367783,131072 /prefetch:1
    3⤵
    PID:2516
- - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
    "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1372 --field-trial-handle=1268,i,18101201233126847197,5935997193705367783,131072 /prefetch:2
    3⤵
    PID:1532
- - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
    "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2952 --field-trial-handle=1268,i,18101201233126847197,5935997193705367783,131072 /prefetch:1
    3⤵
    PID:2056
- - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
    "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3056 --field-trial-handle=1268,i,18101201233126847197,5935997193705367783,131072 /prefetch:8
    3⤵
    PID:2000
- - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
    "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3540 --field-trial-handle=1268,i,18101201233126847197,5935997193705367783,131072 /prefetch:8
    3⤵
    PID:2704
- - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
    "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3652 --field-trial-handle=1268,i,18101201233126847197,5935997193705367783,131072 /prefetch:8
    3⤵
    PID:480
- - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
    "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3764 --field-trial-handle=1268,i,18101201233126847197,5935997193705367783,131072 /prefetch:8
    3⤵
    PID:1216
- - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
    "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3860 --field-trial-handle=1268,i,18101201233126847197,5935997193705367783,131072 /prefetch:8
    3⤵
    PID:556
- - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
    "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3648 --field-trial-handle=1268,i,18101201233126847197,5935997193705367783,131072 /prefetch:1
    3⤵
    PID:1412
- - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
    "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2252 --field-trial-handle=1268,i,18101201233126847197,5935997193705367783,131072 /prefetch:1
    3⤵
    PID:1644
- - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
    "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1132 --field-trial-handle=1268,i,18101201233126847197,5935997193705367783,131072 /prefetch:8
    3⤵
    PID:2404
- - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
    "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=1684 --field-trial-handle=1268,i,18101201233126847197,5935997193705367783,131072 /prefetch:1
    3⤵
    PID:2920
- - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
    "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=1384 --field-trial-handle=1268,i,18101201233126847197,5935997193705367783,131072 /prefetch:1
    3⤵
    PID:1152
- - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
    "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=2712 --field-trial-handle=1268,i,18101201233126847197,5935997193705367783,131072 /prefetch:1
    3⤵
    PID:2768
- - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
    "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3596 --field-trial-handle=1268,i,18101201233126847197,5935997193705367783,131072 /prefetch:8
    3⤵
    PID:1512

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\NL ORG - MasterRDP\key.txt
1⤵
PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

System Binary Proxy Execution

T1218

Verclsid

T1218.012

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe

Filesize
1.1MB

MD5
566ed4f62fdc96f175afedd811fa0370

SHA1
d4b47adc40e0d5a9391d3f6f2942d1889dd2a451

SHA256
e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460

SHA512
cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
35aeec809b85f505acac0e97fc717980

SHA1
8748c78c61b317c9cf9a43173992233277fc5ad8

SHA256
2f158a14c5f8a1dcedf179aee2b77a213940ef496f5f6a879b977856bb3b49ec

SHA512
8ce6a9546d5684b3d452e6c1b1e094dcce7e4e63fc6f841358259a37d60431b9495d2863dd399af127852ce027f9262246658bcb1b6192680443b91ae81b129c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
9450873bdd1d6649a17cdd22c70ee9ad

SHA1
9ad6015d63dc08ecdb7267562d45364a6fec5dd9

SHA256
554d54c310e4594214a48053fd0cc0a4c298dbcfaa94a2131c7e7c019af89e65

SHA512
90f41c6b24f06959bd09d8c0016ff7fbfa491d710f9b9cdf1f28a71444aaa7a74bf4c3a5464831da27b0d2e4f25b27a2a6f022252266a1611f6dd44b14cad68c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
356aa0f10d935d849f69f55d54ce957f

SHA1
90d4bfb094cefac8e8301b3248f8cec4ef9b0f5a

SHA256
d17df571fef8a40d2adfbfa40f662e5b02c46b7e3ab38cdbd564bf2935373b35

SHA512
44722fdcf530c5b607e2f086eb1bb7253d6b44c89a7846dd97c865fc5c53b3a202c97aa6dd35d4663bcefa7560d1f05a2da253e085f07a971a9fe98e34c9091d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
987B

MD5
ad2c86ceee7da92b7ac8673e11e1f086

SHA1
508641c560c8f883d5f6c8ee9dc6b719293fa338

SHA256
0c0fdb756ff86cd29ebb7808a3c86382a397b78abaae516c5c072b77b51cbf02

SHA512
35758c7ad33bd5fae4176a3a33a456739505a8c1176e2526a5e048d8bbe9b44c57b853871a88ca8662f69ca924b91ad275473aa9cea1d855345a00adc610f021

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
987B

MD5
ac4d44b747c0188545e5cba6c43542bf

SHA1
e056869afe6dbbfe1ac90457c12b15f5b911b8c5

SHA256
daf1e3a3e51522da423629db3df67f0b7c41d3370d5130a622338be0e6fe3c64

SHA512
869ead92447ea45da8c9ee460b52e488fef0ab7d6edd107f3260fd7ce19ace933797c3ceef474123bdfd9c3335aab246115c4d97ef7b96ffa92dbdbb9dbe96e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
6ba1a493c1e30531c31822937d1fb0e6

SHA1
9fe683706ae5ed8989398030f56bb65f2331eea4

SHA256
463684ec7725b711a71437bb5b2cd6af5e104a0638adf856ca1d16b711258fc2

SHA512
33c6969a71fae23a962400320dee2b14032bf93c7cf26821f920bb54797b2509b095bf7df0fbbae991ce2fe66d84b07917bd1b63bbc92cc0a30b5cbb00c8d32b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
df7c738d727a190e09fda6068b637b4a

SHA1
55f6c608054d7bdd775aabdeee4a19a6bfd80433

SHA256
d4332adb87480158e1f69dbcad0f6f0ccab0ca86aecb9ef42afb2a9ec1a3cc01

SHA512
ac8fed911873313a59dd507f96d497c6db92f2483a3928e0eb667e60634c6f5613d31ae03ca33549257dc1bfd8387484123b1eb4db269c97a33081ea23368e85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
526B

MD5
9c24b2b4e431210466e613901896e9ba

SHA1
5b6e4a1deeaf1e67efa9b9b226477db65a051db8

SHA256
92a7d0a875c6ec910a8562fd6ed232823b3ff8579d79176579756045c4122c3f

SHA512
a80ee4cc0a83bf191b049d5e04abd8f35e7ef7259b62e55ebf7d90c727c98cd411b895318e6cd7e9a0a00b59cb423fd8501ccf8cc1bf73c9eda0a5fa5f304f34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1015B

MD5
ca9074d52a913e8e00650c2a39763f47

SHA1
773af484af57a66c7cf37b3b8767095395f1b3e5

SHA256
f209573bb9cd824d63eb6e50dc1feb6df686a150adc7408480a2994e5827e766

SHA512
2c1f2198bcd614891c2cfca0ffb3fce75653f68ac270754ae09f48b92190e82aa21d35b431f7054767a1593c9a44ee613ca64e59ed62b585930cee28930319d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
c24f764ae619587049e13ff77bd8d047

SHA1
cce1a87acdbb1c2c1232c78d5039d7c90a61ba53

SHA256
e27a724af01771378f64ecce9eb4bf3668b43a37363b55fdfe5faacac673c475

SHA512
d0378081a72e9ebb4f35f38579fa89c0e00edb4ccb7397896ab418e95161177773c5760ad3d2b20d804a64a8d9f9bc5adcb30898d591e3d202132fff2f365bc2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
d7e3f2c79cb53c46d6aa1b2830e55da0

SHA1
4e587ae82715d611be3738544addf3017004b68c

SHA256
5fd0403177244a62199e1fb9d1e2df7ad13e1bda143614cfd7079b82b4772af0

SHA512
2bc4344a9fe5e93299f6360116505f17542c7ea72caf95fcafafc0c3a3752573473910f182f27a6cfb48b00f4b2a9866dc50998e3df25bbba5330767fcabb70d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
0f179629f9f0308d3a1429930cbea38f

SHA1
a220fcb4f48b95803fcad43b06c12c9bd04040f5

SHA256
ad75529f55d84c3ee8578e41890b9648962a24ec13bce76f9ec8d405bbe90894

SHA512
ba7aa749dc14e2cbd2bc2dbf88827bda10c49335d3911689a2ae894e79117fb380da8b37d258f559f1dab94678dc548266d3b533faf8b4e76edf3622b5fdc80c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
62417de602a9210d0b3863fa8c764f76

SHA1
1e91012a61cf919c15b863d2967aa04f63e2f710

SHA256
075fdef560352308baceacd96d56a98a9e0633fb9a1ba069e0f9822385497a46

SHA512
d64ae51b2268c6ac8a50108dc06d40a6278ab6df3c602d168bd360ae08852ebf99ff27f65fa7224c94a372ad21b4d0d9e80047e4c5312d93950e56a006a7ddcc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
74KB

MD5
46f41be6029e42df20501ad64bed486c

SHA1
f5f6297cfe24bd14a2df23cd3ade0b08f4b816e2

SHA256
db8ff4b067b1949769277be8f26a1f1e49b12c9f307e2ccc52ca9df4e5c29293

SHA512
81f1d8fbdd1a890ecffc86b590194e2aaa563264a1a9786e9e6dbee3332253d81b383d76e7335dcb0ee01d3b0c85062e31bd49900b5df00e29afc897bc52f3b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF4EC.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NL ORG - MasterRDP\Keygen.exe

Filesize
2.5MB

MD5
e72838eccda2eae29e96b0c572d783c3

SHA1
60f0944ecbd21cf590445c12ba89a2ae48f27a6a

SHA256
f824fdc666630ccb179d9086b79783e3ede76e4392a5edfdd20d93b7259ae061

SHA512
7439902a4f16d29dcc4c749adc40f4541d509e607d915287c6c98f609ef14c4eb99ec507d7e7c853527a6c08628a367b21ae0f066828c2cc8792f2c1a3fa77f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\NL ORG - MasterRDP\hwid.txt

Filesize
30B

MD5
176020524977fb97984c11943aa3eb74

SHA1
88a660278419651e8f41eeb87d2c49e151e54cb0

SHA256
6efb134afe31abbb69f646086ab9470a8d7d488818c8e43ac64e85c54ff033d1

SHA512
41eec255cee7faf56e555d0f2e31f48bf59077f42c7843fd189034f9dab7f5a71408aee363661801b9ac654150562cbc419811df898d99a8f7a1d88446641e8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NL ORG - MasterRDP\key.txt

Filesize
512B

MD5
f9a616398e5b7748fe2aeffeaeb16d6f

SHA1
b71f7379be065f6b597faae68d723aa7e9269ade

SHA256
17b66851d67efb80b0cdc634470cb84738df9a6df8ef13894d8c0d0ec2e1e455

SHA512
d2380cc56096a068897ca1f285ac21a3add91b7ca152e0bf0265f23f1bf03b5d5698f953742d1ae0f5e9cc0b503571243e8b2ac0c4429c28780f854f70ef3e71

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD6F3.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp

Filesize
8B

MD5
ee9c524a5e8b12aac721867ad529bbdf

SHA1
c867ec4bcc93c72ad657d62a1dc6a9a0b3f7e312

SHA256
7b2072c233bf110d9dee44a7d4217bb0639ae3a44be774691db8f8b60267ef28

SHA512
b688a08130ac43d52105afb149a6c1dd154600d09c9f6a1442c80da3fd109ec27618fec203f408a4399f91293660899473f804ea242c1e658eae673deb8f7e12

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\Keygen.exe

Filesize
2.5MB

MD5
62b039b2af7bf5f6abf35ef903024300

SHA1
4ae220e451482e839619c2e927752468e0eda8d5

SHA256
83d7f6eaf7fe075503ea6a0bc726633c34595a6eae7edd7deab95ab4d4a66fd5

SHA512
8abcf2fb422465fa578eb59e2788317ef88360551b675c964e03475a865e22dd4b86550bb442c1823fa72de059cedb438cac34538dcb291ccdb22fd34ee5433e

Download Submit
memory/316-134-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1004-29-0x0000000077810000-0x0000000077811000-memory.dmp

Filesize
4KB

Download
memory/1004-27-0x0000000077810000-0x0000000077811000-memory.dmp

Filesize
4KB

Download
memory/1004-42-0x00000000036F0000-0x0000000003802000-memory.dmp

Filesize
1.1MB

Download
memory/1004-35-0x0000000077810000-0x0000000077811000-memory.dmp

Filesize
4KB

Download
memory/1004-19-0x0000000000400000-0x0000000001B3C000-memory.dmp

Filesize
23.2MB

Download
memory/1004-48-0x0000000000300000-0x00000000003D6000-memory.dmp

Filesize
856KB

Download
memory/1004-44-0x0000000000300000-0x00000000003D6000-memory.dmp

Filesize
856KB

Download
memory/1004-37-0x00000000036F0000-0x0000000003802000-memory.dmp

Filesize
1.1MB

Download
memory/1004-125-0x0000000000400000-0x0000000001B3C000-memory.dmp

Filesize
23.2MB

Download
memory/1004-21-0x0000000077810000-0x0000000077811000-memory.dmp

Filesize
4KB

Download
memory/1004-31-0x0000000077810000-0x0000000077811000-memory.dmp

Filesize
4KB

Download
memory/1004-33-0x0000000077810000-0x0000000077811000-memory.dmp

Filesize
4KB

Download
memory/1004-23-0x0000000077810000-0x0000000077811000-memory.dmp

Filesize
4KB

Download
memory/1004-25-0x0000000077810000-0x0000000077811000-memory.dmp

Filesize
4KB

Download
memory/1096-135-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/1096-165-0x00000000773A0000-0x00000000773A1000-memory.dmp

Filesize
4KB

Download
memory/2988-17-0x0000000002C90000-0x00000000043CC000-memory.dmp

Filesize
23.2MB

Download
memory/2988-122-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2988-124-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download