bitrat | hxxps://gofile[.]io/d/fLmWrY

Analysis

max time kernel
161s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2024 14:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/fLmWrY

Score

10^/10

bitrat neshta persistence spyware stealer trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

158.58.168.61:1337

Attributes

communication_password
2fdbb4b27758a54f27d8f8cbb485787b
install_dir
system32
install_file
Windows Update.exe
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Detect Neshta payload 52 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\NLBrute_1.2_64BIT_[svchost]\keygen[pc-ret].exe	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	family_neshta
behavioral1/memory/3444-249-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
C:\Windows\svchost.com	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	family_neshta
behavioral1/memory/5952-322-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	family_neshta
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	family_neshta
C:\PROGRA~2\Google\Update\DISABL~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE	family_neshta
behavioral1/memory/3444-333-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	family_neshta
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	family_neshta
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	family_neshta
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	family_neshta
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	family_neshta
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	family_neshta
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	family_neshta
behavioral1/memory/4728-350-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/3444-349-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/4292-405-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2944-406-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1452-433-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/4988-477-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/4868-478-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/4404-496-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/5748-502-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/5660-525-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/3228-568-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/3140-569-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exesvchost.exekeygen[pc-ret].exesvchost.exekeygen[pc-ret].exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	keygen[pc-ret].exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	keygen[pc-ret].exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 27 IoCs

Processes:

keygen[pc-ret].exekeygen[pc-ret].exesvchost.exesvchost.comsvchost.comWINDOW~1.EXEsvchost.exesvchost.exesvchost.comWINDOW~1.EXEsvchost.comsvchost.exesvchost.comsvchost.exesvchost.comWINDOW~1.EXEsvchost.comsvchost.exekeygen[pc-ret].exesvchost.comKEYGEN~1.EXEsvchost.comsvchost.exesvchost.comWINDOW~1.EXEsvchost.comsvchost.exe

pid	process
3444	keygen[pc-ret].exe
2064	keygen[pc-ret].exe
4000	svchost.exe
5952	svchost.com
4728	svchost.com
2804	WINDOW~1.EXE
4508	svchost.exe
5648	svchost.exe
2944	svchost.com
4120	WINDOW~1.EXE
4292	svchost.com
5692	svchost.exe
1452	svchost.com
1972	svchost.exe
4868	svchost.com
4428	WINDOW~1.EXE
4988	svchost.com
5232	svchost.exe
4404	keygen[pc-ret].exe
5748	svchost.com
5596	KEYGEN~1.EXE
5660	svchost.com
3060	svchost.exe
3140	svchost.com
4816	WINDOW~1.EXE
3228	svchost.com
5340	svchost.exe

Modifies system executable filetype association 2 TTPs 1 IoCs
persistence

Modify Registry
T1112

Change Default File Association
T1546.001

Processes:

keygen[pc-ret].exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" keygen[pc-ret].exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	keygen[pc-ret].exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Windows Update.exe	upx
behavioral1/memory/2804-304-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2804-351-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/4120-399-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/4120-409-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2804-411-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2804-410-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2804-419-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/4428-470-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/4428-481-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2804-482-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2804-487-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2804-512-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/4816-567-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/4816-572-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2804-573-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WINDOW~1.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\system32\\Windows Update.exe"	WINDOW~1.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\system32\\Windows Update.exe䌀"	WINDOW~1.EXE

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

Processes:

keygen[pc-ret].exeWINDOW~1.EXEWINDOW~1.EXEWINDOW~1.EXEKEYGEN~1.EXEWINDOW~1.EXE

pid process

2064 keygen[pc-ret].exe
2804 WINDOW~1.EXE
2804 WINDOW~1.EXE
2804 WINDOW~1.EXE
2804 WINDOW~1.EXE
4120 WINDOW~1.EXE
4428 WINDOW~1.EXE
5596 KEYGEN~1.EXE
4816 WINDOW~1.EXE

pid	process
2064	keygen[pc-ret].exe
2804	WINDOW~1.EXE
2804	WINDOW~1.EXE
2804	WINDOW~1.EXE
2804	WINDOW~1.EXE
4120	WINDOW~1.EXE
4428	WINDOW~1.EXE
5596	KEYGEN~1.EXE
4816	WINDOW~1.EXE

Drops file in Program Files directory 64 IoCs

Processes:

svchost.comkeygen[pc-ret].exe

description	ioc	process
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~1.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MIA062~1.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13185~1.29\MICROS~1.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~4.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	keygen[pc-ret].exe

Drops file in Windows directory 25 IoCs

Processes:

svchost.comsvchost.comkeygen[pc-ret].exesvchost.comsvchost.comsvchost.comsvchost.comsvchost.comkeygen[pc-ret].exesvchost.comsvchost.comsvchost.comsvchost.com

description	ioc	process
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	keygen[pc-ret].exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	keygen[pc-ret].exe
File opened for modification	C:\Windows\directx.sys	keygen[pc-ret].exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 10 IoCs

Processes:

svchost.exekeygen[pc-ret].exesvchost.exesvchost.exesvchost.exekeygen[pc-ret].exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings	keygen[pc-ret].exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	keygen[pc-ret].exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings	svchost.exe

NTFS ADS 2 IoCs

Processes:

WINDOW~1.EXE

description ioc process

File created C:\Users\Admin\AppData\Local:07-05-2024 WINDOW~1.EXE
File opened for modification C:\Users\Admin\AppData\Local:07-05-2024 WINDOW~1.EXE
Opens file in notepad (likely ransom note) 2 IoCs
ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXE

pid process

5508 NOTEPAD.EXE
3076 NOTEPAD.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Local:07-05-2024	WINDOW~1.EXE
File opened for modification	C:\Users\Admin\AppData\Local:07-05-2024	WINDOW~1.EXE

pid	process
5508	NOTEPAD.EXE
3076	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exekeygen[pc-ret].exemsedge.exeKEYGEN~1.EXE

pid	process
5000	msedge.exe
5000	msedge.exe
1072	msedge.exe
1072	msedge.exe
2684	identity_helper.exe
2684	identity_helper.exe
1840	msedge.exe
1840	msedge.exe
2064	keygen[pc-ret].exe
2064	keygen[pc-ret].exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
5596	KEYGEN~1.EXE
5596	KEYGEN~1.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

6112 7zFM.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

1072 msedge.exe
1072 msedge.exe
1072 msedge.exe
1072 msedge.exe
1072 msedge.exe
1072 msedge.exe
1072 msedge.exe
1072 msedge.exe
1072 msedge.exe

pid	process
6112	7zFM.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

7zFM.exeWINDOW~1.EXEWINDOW~1.EXEAUDIODG.EXEWINDOW~1.EXEWINDOW~1.EXE

description	pid	process
Token: SeRestorePrivilege	6112	7zFM.exe
Token: 35	6112	7zFM.exe
Token: SeSecurityPrivilege	6112	7zFM.exe
Token: SeShutdownPrivilege	2804	WINDOW~1.EXE
Token: SeShutdownPrivilege	4120	WINDOW~1.EXE
Token: 33	2876	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2876	AUDIODG.EXE
Token: SeShutdownPrivilege	4428	WINDOW~1.EXE
Token: SeShutdownPrivilege	4816	WINDOW~1.EXE

Suspicious use of FindShellTrayWindow 37 IoCs

Processes:

msedge.exe7zFM.exe

pid	process
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
6112	7zFM.exe
6112	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe
1072	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

svchost.exeWINDOW~1.EXEsvchost.exesvchost.exesvchost.exe

pid process

4508 svchost.exe
2804 WINDOW~1.EXE
2804 WINDOW~1.EXE
5692 svchost.exe
5232 svchost.exe
5340 svchost.exe

pid	process
4508	svchost.exe
2804	WINDOW~1.EXE
2804	WINDOW~1.EXE
5692	svchost.exe
5232	svchost.exe
5340	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1072 wrote to memory of 3968	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 3968	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 3004	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 3004	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 3004	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 3004	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 3004	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 3004	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 3004	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 3004	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 3004	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 3004	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 3004	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 3004	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 3004	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 3004	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 3004	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 3004	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 3004	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 3004	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 3004	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 3004	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 3004	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 3004	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 3004	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 3004	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 3004	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 3004	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 3004	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 3004	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 3004	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 3004	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 3004	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 3004	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 3004	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 3004	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 3004	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 3004	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 3004	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 3004	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 3004	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 3004	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 5000	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 5000	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 4488	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 4488	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 4488	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 4488	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 4488	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 4488	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 4488	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 4488	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 4488	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 4488	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 4488	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 4488	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 4488	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 4488	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 4488	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 4488	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 4488	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 4488	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 4488	1072	msedge.exe	msedge.exe
PID 1072 wrote to memory of 4488	1072	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/fLmWrY
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbde1a46f8,0x7ffbde1a4708,0x7ffbde1a4718
2⤵
PID:3968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,17064916571778640827,11814781562724719998,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
2⤵
PID:3004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,17064916571778640827,11814781562724719998,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,17064916571778640827,11814781562724719998,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2536 /prefetch:8
2⤵
PID:4488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17064916571778640827,11814781562724719998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
2⤵
PID:5052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17064916571778640827,11814781562724719998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
2⤵
PID:4884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17064916571778640827,11814781562724719998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
2⤵
PID:1432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17064916571778640827,11814781562724719998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
2⤵
PID:1456

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,17064916571778640827,11814781562724719998,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4780 /prefetch:8
2⤵
PID:1644

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,17064916571778640827,11814781562724719998,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4780 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,17064916571778640827,11814781562724719998,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4756 /prefetch:8
2⤵
PID:3828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17064916571778640827,11814781562724719998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
2⤵
PID:1388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,17064916571778640827,11814781562724719998,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5668 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17064916571778640827,11814781562724719998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
2⤵
PID:5576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17064916571778640827,11814781562724719998,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
2⤵
PID:5584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17064916571778640827,11814781562724719998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3752 /prefetch:1
2⤵
PID:5784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17064916571778640827,11814781562724719998,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
2⤵
PID:5792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,17064916571778640827,11814781562724719998,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4004 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3512

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4716

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4192

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5516

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\a-main\NLBrute_1.2_64BIT_[svchost].rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:6112

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\NLBrute_1.2_64BIT_[svchost]\servers.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:5508

C:\Users\Admin\Desktop\NLBrute_1.2_64BIT_[svchost]\keygen[pc-ret].exe
"C:\Users\Admin\Desktop\NLBrute_1.2_64BIT_[svchost]\keygen[pc-ret].exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:3444

C:\Users\Admin\AppData\Local\Temp\3582-490\keygen[pc-ret].exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\keygen[pc-ret].exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2064

C:\Users\Admin\Desktop\NLBrute_1.2_64BIT_[svchost]\svchost.exe
"C:\Users\Admin\Desktop\NLBrute_1.2_64BIT_[svchost]\svchost.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:4000

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\WINDOW~1.EXE"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:5952

C:\Users\Admin\AppData\Roaming\WINDOW~1.EXE
C:\Users\Admin\AppData\Roaming\WINDOW~1.EXE
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2804

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4728

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4508

C:\Users\Admin\Desktop\NLBrute_1.2_64BIT_[svchost]\svchost.exe
"C:\Users\Admin\Desktop\NLBrute_1.2_64BIT_[svchost]\svchost.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:5648

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\WINDOW~1.EXE"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2944

C:\Users\Admin\AppData\Roaming\WINDOW~1.EXE
C:\Users\Admin\AppData\Roaming\WINDOW~1.EXE
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4120

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4292

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5692

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x548 0x53c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\NLBrute_1.2_64BIT_[svchost]\servers.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3076

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\NLBRUT~1.2_6\svchost.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1452

C:\Users\Admin\Desktop\NLBRUT~1.2_6\svchost.exe
C:\Users\Admin\Desktop\NLBRUT~1.2_6\svchost.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:1972

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\WINDOW~1.EXE"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4868

C:\Users\Admin\AppData\Roaming\WINDOW~1.EXE
C:\Users\Admin\AppData\Roaming\WINDOW~1.EXE
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4428

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4988

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5232

C:\Users\Admin\Desktop\NLBrute_1.2_64BIT_[svchost]\keygen[pc-ret].exe
"C:\Users\Admin\Desktop\NLBrute_1.2_64BIT_[svchost]\keygen[pc-ret].exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
PID:4404

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\KEYGEN~1.EXE"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:5748

C:\Users\Admin\AppData\Local\Temp\3582-490\KEYGEN~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\KEYGEN~1.EXE
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5596

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\NLBRUT~1.2_6\svchost.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:5660

C:\Users\Admin\Desktop\NLBRUT~1.2_6\svchost.exe
C:\Users\Admin\Desktop\NLBRUT~1.2_6\svchost.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:3060

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\WINDOW~1.EXE"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3140

C:\Users\Admin\AppData\Roaming\WINDOW~1.EXE
C:\Users\Admin\AppData\Roaming\WINDOW~1.EXE
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4816

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3228

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5340

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
Filesize
328KB

MD5
39c8a4c2c3984b64b701b85cb724533b

SHA1
c911f4c4070dfe9a35d9adcb7de6e6fb1482ce00

SHA256
888a1dd0033e5d758a4e731e3e55357de866e80d03b1b194375f714e1fd4351d

SHA512
f42ca2962fe60cff1a13dea8b81ff0647b317c785ee4f5159c38487c34d33aecba8478757047d31ab2ee893fbdcb91a21655353456ba6a018fc71b2278db4db2

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
Filesize
86KB

MD5
3b73078a714bf61d1c19ebc3afc0e454

SHA1
9abeabd74613a2f533e2244c9ee6f967188e4e7e

SHA256
ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

SHA512
75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE
Filesize
5.7MB

MD5
09acdc5bbec5a47e8ae47f4a348541e2

SHA1
658f64967b2a9372c1c0bdd59c6fb2a18301d891

SHA256
1b5c715d71384f043843ea1785a6873a9f39d2daae112ccdeffcd88b10a3a403

SHA512
3867bf98e1a0e253114a98b78b047b0d8282b5abf4aaf836f31cc0e26224e2a1b802c65df9d90dc7696a6dbcb9a8e4b900f1d1299e1b11e36f095ebaf8a2e5b8

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
Filesize
175KB

MD5
576410de51e63c3b5442540c8fdacbee

SHA1
8de673b679e0fee6e460cbf4f21ab728e41e0973

SHA256
3f00404dd591c2856e6f71bd78423ed47199902e0b85f228e6c4de72c59ddffe

SHA512
f7761f3878775b30cc3d756fa122e74548dfc0a27e38fa4109e34a59a009df333d074bf14a227549ae347605f271be47984c55148685faac479aeb481f7191db

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
Filesize
9.4MB

MD5
322302633e36360a24252f6291cdfc91

SHA1
238ed62353776c646957efefc0174c545c2afa3d

SHA256
31da9632f5d25806b77b617d48da52a14afc574bbe1653120f97705284ea566c

SHA512
5a1f7c44ce7f5036bffc18ebac39e2bf70e6f35fa252617d665b26448f4c4473adfa115467b7e2d9b7068823e448f74410cdcdfef1ac1c09021e051921787373

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
Filesize
2.4MB

MD5
8ffc3bdf4a1903d9e28b99d1643fc9c7

SHA1
919ba8594db0ae245a8abd80f9f3698826fc6fe5

SHA256
8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6

SHA512
0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
Filesize
183KB

MD5
9dfcdd1ab508b26917bb2461488d8605

SHA1
4ba6342bcf4942ade05fb12db83da89dc8c56a21

SHA256
ecd5e94da88c653e4c34b6ab325e0aca8824247b290336f75c410caa16381bc5

SHA512
1afc1b95f160333f1ff2fa14b3f22a28ae33850699c6b5498915a8b6bec1cfc40f33cb69583240aa9206bc2ea7ab14e05e071275b836502a92aa8c529fc1b137

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
Filesize
131KB

MD5
5791075058b526842f4601c46abd59f5

SHA1
b2748f7542e2eebcd0353c3720d92bbffad8678f

SHA256
5c3ef3ec7594c040146e908014791dd15201ba58b4d70032770bb661b6a0e394

SHA512
83e303971ed64019fde9e4ba6f6e889f8fb105088490dfa7dcf579a12baff20ef491f563d132d60c7b24a4fd3cac29bd9dc974571cd162000fae8fba4e0e54fb

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
Filesize
254KB

MD5
4ddc609ae13a777493f3eeda70a81d40

SHA1
8957c390f9b2c136d37190e32bccae3ae671c80a

SHA256
16d65f2463658a72dba205dcaa18bc3d0bab4453e726233d68bc176e69db0950

SHA512
9d7f90d1529cab20078c2690bf7bffab5a451a41d8993781effe807e619da0e7292f991da2f0c5c131b111d028b3e6084e5648c90816e74dfb664e7f78181bc5

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE
Filesize
386KB

MD5
8c753d6448183dea5269445738486e01

SHA1
ebbbdc0022ca7487cd6294714cd3fbcb70923af9

SHA256
473eb551101caeaf2d18f811342e21de323c8dd19ed21011997716871defe997

SHA512
4f6fddefc42455540448eac0b693a4847e21b68467486376a4186776bfe137337733d3075b7b87ed7dac532478dc9afc63883607ec8205df3f155fee64c7a9be

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
Filesize
92KB

MD5
176436d406fd1aabebae353963b3ebcf

SHA1
9ffdfdb8cc832a0c6501c4c0e85b23a0f7eff57a

SHA256
2f947e3ca624ce7373080b4a3934e21644fb070a53feeaae442b15b849c2954f

SHA512
a2d1a714e0c1e5463260c64048ba8fd5064cfa06d4a43d02fc04a30748102ff5ba86d20a08e611e200dc778e2b7b3ae808da48132a05a61aa09ac424a182a06a

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE
Filesize
147KB

MD5
3b35b268659965ab93b6ee42f8193395

SHA1
8faefc346e99c9b2488f2414234c9e4740b96d88

SHA256
750824b5f75c91a6c2eeb8c5e60ae28d7a81e323d3762c8652255bfea5cba0bb

SHA512
035259a7598584ddb770db3da4e066b64dc65638501cdd8ff9f8e2646f23b76e3dfffa1fb5ed57c9bd15bb4efa3f7dd33fdc2e769e5cc195c25de0e340eb89ab

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
Filesize
125KB

MD5
cce8964848413b49f18a44da9cb0a79b

SHA1
0b7452100d400acebb1c1887542f322a92cbd7ae

SHA256
fe44ca8d5050932851aa54c23133277e66db939501af58e5aeb7b67ec1dde7b5

SHA512
bf8fc270229d46a083ced30da6637f3ca510b0ce44624a9b21ec6aacac81666dffd41855053a936aa9e8ea6e745a09b820b506ec7bf1173b6f1837828a35103d

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE
Filesize
142KB

MD5
92dc0a5b61c98ac6ca3c9e09711e0a5d

SHA1
f809f50cfdfbc469561bced921d0bad343a0d7b4

SHA256
3e9da97a7106122245e77f13f3f3cc96c055d732ab841eb848d03ac25401c1bc

SHA512
d9eefb19f82e0786d9be0dbe5e339d25473fb3a09682f40c6d190d4c320cca5556abb72b5d97c6b0da4f8faefdc6d39ac9d0415fdf94ebcc90ecdf2e513c6a31

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
Filesize
278KB

MD5
12c29dd57aa69f45ddd2e47620e0a8d9

SHA1
ba297aa3fe237ca916257bc46370b360a2db2223

SHA256
22a585c183e27b3c732028ff193733c2f9d03700a0e95e65c556b0592c43d880

SHA512
255176cd1a88dfa2af3838769cc20dc7ad9d969344801f07b9ebb372c12cee3f47f2dba3559f391deab10650875cad245d9724acfa23a42b336bfa96559a5488

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
Filesize
454KB

MD5
bcd0f32f28d3c2ba8f53d1052d05252d

SHA1
c29b4591df930dabc1a4bd0fa2c0ad91500eafb2

SHA256
bb07d817b8b1b6b4c25e62b6120e51dec10118557d7b6b696ad084a5ba5bfdeb

SHA512
79f407735853f82f46870c52058ceee4d91857a89db14868ee1169abd5c0fd2e3fa1ed230ab90b5f479a9581b88998643d69b0df498defea29e73b0d487f3b10

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
Filesize
1.2MB

MD5
d47ed8961782d9e27f359447fa86c266

SHA1
d37d3f962c8d302b18ec468b4abe94f792f72a3b

SHA256
b1ec065f71cc40f400e006586d370997102860504fd643b235e8ed9f5607262a

SHA512
3e33f2cdf35024868b183449019de9278035e7966b342ba320a6c601b5629792cbb98a19850d4ca80b906c85d10e8503b0193794d1f1efa849fa33d26cff0669

Download Submit
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe
Filesize
558KB

MD5
15f4411f1b14234b5bed948ed78fa86e

SHA1
f9775a3d87efb22702d934322ffcda3511b79c17

SHA256
cd6c08078343089d299a30f7bf16555ab349e946892dca1c49c6c0336d27ff0e

SHA512
c44d2e96d6d0264075379066fd5d11ba30a675bb6f6b6279c4ac0d12066975c30c33b69b52457cbed4e35852e8b15b3daad9274d6f957ae0681fb7a6c48a33cb

Download Submit
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe
Filesize
1.2MB

MD5
e316c67c785d3e39e90341b0bbaac705

SHA1
7ffd89492438a97ad848068cfdaab30c66afca35

SHA256
4fc8b9433b45c2607cbdf3d1c042c3918b854c9db3ade13b5bb2761d28f1c478

SHA512
25ec433c10adc69305de97107463be74d7b4768acca27886498485e8bc2c8b099994e6c1c6c09a7e603816203d6b18e509fb79f24992915eb802f59bcb790090

Download Submit
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe
Filesize
773KB

MD5
e7a27a45efa530c657f58fda9f3b9f4a

SHA1
6c0d29a8b75574e904ab1c39fc76b39ca8f8e461

SHA256
d6f11401f57293922fb36cd7542ae811ab567a512449e566f83ce0dcef5ff8e5

SHA512
0c37b41f3c075cd89a764d81f751c3a704a19240ad8e4ebab591f399b9b168b920575749e9d24c2a8f0400b9f340ab9fea4db76ff7060d8af00e2b36ac0c4a54

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
Filesize
121KB

MD5
cbd96ba6abe7564cb5980502eec0b5f6

SHA1
74e1fe1429cec3e91f55364e5cb8385a64bb0006

SHA256
405b8bd647fa703e233b8b609a18999abe465a8458168f1daf23197bd2ea36aa

SHA512
a551001853f6b93dfbc6cf6a681820af31330a19d5411076ff3dbce90937b3d92173085a15f29ebf56f2ef12a4e86860ac6723ebc89c98ea31ea7a6c7e3d7cdc

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe
Filesize
325KB

MD5
0511abca39ed6d36fff86a8b6f2266cd

SHA1
bfe55ac898d7a570ec535328b6283a1cdfa33b00

SHA256
76ae68fc7c6c552c4a98c5df640cd96cf27b62e7e1536b7f7d08eff56fcde8b8

SHA512
6608412e3ed0057f387bafcddcb07bfe7da4f207c7300c460e5acc4bd234cec3362191800789eb465eb120ec069e3ed49eabb6bd7db30d9e9245a89bb20e4346

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe
Filesize
325KB

MD5
6f87ccb8ab73b21c9b8288b812de8efa

SHA1
a709254f843a4cb50eec3bb0a4170ad3e74ea9b3

SHA256
14e7a1f2f930380903ae3c912b4a70fd0a59916315c46874805020fe41215c22

SHA512
619b45b9728880691a88fbfc396c9d34b41d5e349e04d2eb2d18c535fffc079395835af2af7ca69319954a98852d2f9b7891eff91864d63bf25759c156e192ee

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe
Filesize
505KB

MD5
de69c005b0bbb513e946389227183eeb

SHA1
2a64efdcdc71654356f77a5b77da8b840dcc6674

SHA256
ad7b167ab599b6dad7e7f0ad47368643d91885253f95fadf0fadd1f8eb6ee9c7

SHA512
6ca8cec0cf20ee9b8dfe263e48f211b6f1e19e3b4fc0f6e89807f39d3f4e862f0139eb5b35e3133ef60555589ad54406fb11d95845568a5538602f287863b7d7

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE
Filesize
146KB

MD5
cdc455fa95578320bd27e0d89a7c9108

SHA1
60cde78a74e4943f349f1999be3b6fc3c19ab268

SHA256
d7f214dc55857c3576675279261a0ee1881f7ddee4755bb0b9e7566fc0f425a9

SHA512
35f3741538bd59f6c744bcad6f348f4eb6ea1ee542f9780daa29de5dbb2d772b01fe4774fb1c2c7199a349488be309ceedd562ceb5f1bdcdd563036b301dcd9f

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE
Filesize
221KB

MD5
87bb2253f977fc3576a01e5cbb61f423

SHA1
5129844b3d8af03e8570a3afcdc5816964ed8ba4

SHA256
3fc32edf3f9ab889c2cdf225a446da1e12a7168a7a56165efe5e9744d172d604

SHA512
7cfd38ceb52b986054a68a781e01c3f99e92227f884a4401eb9fbc72f4c140fd32a552b4a102bedf9576e6a0da216bc10ce29241f1418acb39aeb2503cb8d703

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE
Filesize
146KB

MD5
d9a290f7aec8aff3591c189b3cf8610a

SHA1
7558d29fb32018897c25e0ac1c86084116f1956c

SHA256
41bed95cb1101181a97460e2395efebb0594849e6f48b80a2b7c376ddf5ce0ea

SHA512
b55ab687a75c11ba99c64be42ad8471576aa2df10ce1bb61e902e98827e3a38cd922e365751bd485cac089c2bd8bccf939a578da7238506b77fe02a3eb7994c6

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE
Filesize
258KB

MD5
d9186b6dd347f1cf59349b6fc87f0a98

SHA1
6700d12be4bd504c4c2a67e17eea8568416edf93

SHA256
a892284c97c8888a589ea84f88852238b8cd97cc1f4af85b93b5c5264f5c40d4

SHA512
a29cc26028a68b0145cb20ec353a4406ec86962ff8c3630c96e0627639cf76e0ea1723b7b44592ea4f126c4a48d85d92f930294ae97f72ecc95e3a752a475087

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE
Filesize
335KB

MD5
e4351f1658eab89bbd70beb15598cf1c

SHA1
e18fbfaee18211fd9e58461145306f9bc4f459ea

SHA256
4c783822b873188a9ced8bd4888e1736e3d4f51f6b3b7a62675b0dc85277e0eb

SHA512
57dbc6418011bcac298e122990b14ed1461c53b5f41cb4986d1d3bbbb516c764a7c205fc4da3722399fdb9122f28e4ec98f39d2af80d4b6a64d7bd7944d1c218

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE
Filesize
433KB

MD5
674eddc440664b8b854bc397e67ee338

SHA1
af9d74243ee3ea5f88638172f592ed89bbbd7e0d

SHA256
20bbf92426732ff7269b4f2f89d404d5fee0fa6a20944004d2eeb3cc2d1fa457

SHA512
5aced0e2235f113e323d6b28be74da5e4da4dc881629461df4644a52bccd717dc6d2632c40ed8190b3ad060b8b62c347757a0bbe82680d892114c1f0529146b7

Download Submit
C:\PROGRA~2\Google\Update\DISABL~1.EXE
Filesize
198KB

MD5
7429ce42ac211cd3aa986faad186cedd

SHA1
b61a57f0f99cfd702be0fbafcb77e9f911223fac

SHA256
d608c05409ac4bd05d8e0702fcf66dfae5f4f38cbae13406842fa5504f4d616f

SHA512
ee4456877d6d881d9904013aabecb9f2daf6fc0ec7a7c9251e77396b66a7f5a577fe8544e64e2bb7464db429db56a3fe47c183a81d40cc869d01be573ab5e4c1

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE
Filesize
509KB

MD5
7c73e01bd682dc67ef2fbb679be99866

SHA1
ad3834bd9f95f8bf64eb5be0a610427940407117

SHA256
da333c92fdfd2e8092f5b56686b94f713f8fa27ef8f333e7222259ad1eb08f5d

SHA512
b2f3398e486cde482cb6bea18f4e5312fa2db7382ca25cea17bcba5ab1ff0e891d59328bc567641a9da05caca4d7c61dc102289d46e7135f947ce6155e295711

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE
Filesize
138KB

MD5
5e08d87c074f0f8e3a8e8c76c5bf92ee

SHA1
f52a554a5029fb4749842b2213d4196c95d48561

SHA256
5d548c2cc25d542f2061ed9c8e38bd5ca72bddb37dd17654346cae8a19645714

SHA512
dd98d6fa7d943604914b2e3b27e1f21a95f1fe1feb942dd6956e864da658f4fbd9d1d0cf775e79ceaae6a025aafd4e633763389c37034134bd5245969bec383e

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE
Filesize
1.6MB

MD5
41b1e87b538616c6020369134cbce857

SHA1
a255c7fef7ba2fc1a7c45d992270d5af023c5f67

SHA256
08465cc139ee50a7497f8c842f74730d3a8f1a73c0b7caca95e9e6d37d3beed3

SHA512
3a354d3577b45f6736203d5a35a2d1d543da2d1e268cefeffe6bdb723ff63c720ceb2838701144f5fec611470d77649846e0fb4770d6439f321f6b819f03e4db

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe
Filesize
3.6MB

MD5
6ce350ad38c8f7cbe5dd8fda30d11fa1

SHA1
4f232b8cccd031c25378b4770f85e8038e8655d8

SHA256
06a3bb0bdd2da870bc8dc2c6b760855cea7821273ce59fc0be158149e52915ba

SHA512
4c18a112fec391f443a4ae217ac6d1850e0cfdad4b2d2cbe3f61cb01c0a1400ea6bd5c3ffe0a9978ead50e7f6cfab96ae5090bb9a611f988f1a86ccaa5d4cd4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
2a70f1bd4da893a67660d6432970788d

SHA1
ddf4047e0d468f56ea0c0d8ff078a86a0bb62873

SHA256
c550af5ba51f68ac4d18747edc5dea1a655dd212d84bad1e6168ba7a97745561

SHA512
26b9a365e77df032fc5c461d85d1ba313eafead38827190608c6537ec12b2dfdbed4e1705bfd1e61899034791ad6fa88ea7490c3a48cdaec4d04cd0577b11343

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
fbe1ce4d182aaffb80de94263be1dd35

SHA1
bc6c9827aa35a136a7d79be9e606ff359e2ac3ea

SHA256
0021f72dbca789f179762b0e17c28fe0b93a12539b08294800e47469905aeb51

SHA512
3fb0a3b38e7d4a30f5560594b1d14e6e58419e274255fb68dfe0ca897aa181f9ce8cb2048403f851fd36a17b0e34d272d03927769d41a500b2fe64806354902f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
288B

MD5
fad620c645e82bf048f9d5caae4c48c3

SHA1
46515fa0f110d677c5fce80d807839f72c3e682a

SHA256
558c9bb919db4f1cda909488fa377fb3c964f76c5b3000241c0632a36dbf4d29

SHA512
31b954c31ae143c6023a3f0a942ead0a30544864ffac190ff0b4598013ebc2f4e7521541c11caf58f05f582444a25b0eb2f2413368511988a7cc5ad6bcad60f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
317B

MD5
afc6cddd7e64d81e52b729d09f227107

SHA1
ad0d3740f4b66de83db8862911c07dc91928d2f6

SHA256
b5e81a7c7d80feaaa10ee7bc8aaef9f21a5c1e4b03b3823ed115022311d674a0

SHA512
844edb69585153c378a7c97709983776fc9303a32fb5ef8122ecca32adfc0b265f5ef7118ee07814da5c020ac7ba1bf2a2f66d46312e4d8e6df99aab2e5f9b2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
bd76c8df0469b3f26be32f4c3832d138

SHA1
af3318997ecbb8510da4528ed3e0686897053b42

SHA256
77878d7ae94740fc15fcfec4dc37241bf46c8c4a63c80e8e2f8bbe11eac3e35c

SHA512
af9e44dbc28792b9c2fb6f8c343bfdaa1734e1b75a0e1e1c55fc66c7f267fba5efcc866026c7fc4b75b4431139a6a0bb56ab6f6f17d06c029b480145775edb35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
08456d419ef6ef05c6fd0689227e3c22

SHA1
fc38dff3cf2bf91ab6aa6d10a1e611e80863e2a4

SHA256
70a43c7230e680a02ae68168cb75822e315245ddc2e7167ef643d05ffda4f4e9

SHA512
d2bc6b8163156c1209e9a14017d460eaa433e4a61d27df5f58bf8ee6fc7dc984e297abbf1de7881fb911e1e620a9cdf046185f1f7681734970cf30fbc20830d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
5ff3ab0d7d01f74e12b511c5d2ffe0b3

SHA1
666d390a166241ff45a267ae0856c229a8900b1e

SHA256
d4061432c34cbd75971889948679c584ff70daa51716f40b82436e9d8578db76

SHA512
11a6aa414a2dd390627bbcae5e1ae08cf498b7ab0bb6bfdec08c90ce6db768b169ed3a5869e1ec3d86b73fe802f8dff78199d1094f59cc91bb8d9e4071212116

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\keygen[pc-ret].exe
Filesize
2.5MB

MD5
62b039b2af7bf5f6abf35ef903024300

SHA1
4ae220e451482e839619c2e927752468e0eda8d5

SHA256
83d7f6eaf7fe075503ea6a0bc726633c34595a6eae7edd7deab95ab4d4a66fd5

SHA512
8abcf2fb422465fa578eb59e2788317ef88360551b675c964e03475a865e22dd4b86550bb442c1823fa72de059cedb438cac34538dcb291ccdb22fd34ee5433e

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
10.5MB

MD5
6aeae5adb9e002026960800ad600e0a5

SHA1
89fb810ad66dc2cfd13b3f9fa9cb7a72da0ba096

SHA256
2fac1258e3f5755a6b63ffa1715ce3645b8ee7d5c224947e5f5fb144a57cb188

SHA512
6a21fb5ceff4ed3cba32f65d39b54ac7a8b1b3f68ed24e04ef4dc5cccbcb3f8892579378ec095d40514818d553de5f52e2d365f51f82befbca020d8b7bd9713f

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
1.4MB

MD5
b37ec293e5bcb580d448da4965dffd54

SHA1
47b36a89cab289178f6d2ffd123ac0ca8431f0e8

SHA256
29556061e8bf4bc3805e4b52abae0b12b7ca445a5b792d3daa19bcf30aa3966e

SHA512
3358f3b8f1b42aa680075af9388906f0e93cb1cd4cc5ab15a9a07df61a1604e2e53d2acf3212c53613debf156e5d21680e7ba0ad52237006c29f877b04a23371

Download Submit
C:\Users\Admin\Desktop\NLBrute_1.2_64BIT_[svchost]\keygen[pc-ret].exe
Filesize
2.5MB

MD5
e72838eccda2eae29e96b0c572d783c3

SHA1
60f0944ecbd21cf590445c12ba89a2ae48f27a6a

SHA256
f824fdc666630ccb179d9086b79783e3ede76e4392a5edfdd20d93b7259ae061

SHA512
7439902a4f16d29dcc4c749adc40f4541d509e607d915287c6c98f609ef14c4eb99ec507d7e7c853527a6c08628a367b21ae0f066828c2cc8792f2c1a3fa77f8

Download Submit
C:\Users\Admin\Desktop\NLBrute_1.2_64BIT_[svchost]\settings.ini
Filesize
714B

MD5
1f9cb933b93912b25a8ff421a6612b81

SHA1
68a30dfd2442853099986c023608062ec4a62a84

SHA256
3c51068457a9fc2157d74f8254d5f826d105d6d4facf08f29232dde17acfef23

SHA512
39d9ffdf18c037c1df850cd20aa61955738f0f0e252a62bc3dbc1791e92d25fc0c5017371bd0e3064fd1f98a5ded0c420c9bdfac7380ce82fa2d97fdbb708b2d

Download Submit
C:\Users\Admin\Desktop\NLBrute_1.2_64BIT_[svchost]\svchost.exe
Filesize
17.9MB

MD5
0dc5eec70a1c5d641f7e2ca2fdeb0c13

SHA1
045faba808f788827ac803ca23674703db202112

SHA256
042fb46c57a37d6e3a96aa82bc30e294ef04d43487ebfd80c81766d37c2a5fbe

SHA512
b8acbb5512a981aff7e05f7238c50880b601310910a6199afab7600bd365252da567f5414902d644c28920bfb07471f8579cc315f808ef8fc144019b69c175c3

Download Submit
C:\Users\Admin\Downloads\a-main.zip
Filesize
17.3MB

MD5
9df52648aeded88329b1cd0e55611835

SHA1
1f5ac375a4ab1f0eff4b51fcb24f01620cda9234

SHA256
0d53150b419caa8901d5f5fb606dcce5744d33f03574c451544f7fdcbc987040

SHA512
45952d7920993bd746bc23156a391d56e87f2960b9587c67888b32b944481a2c579b0ade0ababb2baee44b3646a6f78d69caee316b125ffffb1bd2db67a7bd23

Download Submit
C:\Windows\directx.sys
Filesize
92B

MD5
ead19e75b8604661fb9df19b209906b8

SHA1
74510de5bbd772ed236441067712a36ccaeaaa0d

SHA256
f94252dfe663a7b35ce930e922329d155f75e8e4ceba0990160c490ff41755d5

SHA512
33e3ce21a08a9b38c273983561714b7c0f47fc5bd1bcc886cbd0898d3e1df6cd4f8d9bf4bd46646154cbc6f645845eb18003c58718407aef5efed18c735ed163

Download Submit
C:\Windows\directx.sys
Filesize
45B

MD5
38b3a65d71c8929f89ecdc06cd80aa7a

SHA1
b31a9afcda8a708c7a94387e68b23858b2746464

SHA256
2213bf978e4b5da4423afe58494f226af48147dc3f4ac3229c17e7db5ab14157

SHA512
4dd639eaf9cefe990943c877ba0492d71f42196d81b9157e6d388fedef3ef8bb7234ab34f751174685686186a301cffc32e943fd51b92f049379cc512a78ec3c

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
5aae6eed2725711cb530c7c0257acd11

SHA1
3e85c96367e8191ddbcce93f887525eaf0c419fb

SHA256
ae5d75faa3f72b64011c854b392eef8977ccb2dbb8278ed7942d32361aa736d9

SHA512
b91ddf12d621b9f2d220bdd61a4484a1af6c59e3ecc3081c9f179acac94f0b81d3268cacac95844b4c0f0cdcae386bf573a7161b5a8b9eb9454320fa05c759db

Download Submit
C:\Windows\directx.sys
Filesize
49B

MD5
f97db2726bd4eaa69520e8e95cc789bc

SHA1
f07396416fad6c1314e20438927e36240f794204

SHA256
731419ed7fd838834a050ac2855a34f5f4b5422286c6a2dcd5c14a3029711d00

SHA512
0af0a907676dfa3ef4874d8769743121feb04f920a41935fde9a61c94bf94cb06f77bd9fbae84cb2cf999a9da7ef696070417910c2d0fed5bcd00dd0ff6c55fb

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
\??\pipe\LOCAL\crashpad_1072_TRJKRJKQWDGEGIIJ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1452-433-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2064-139-0x0000000000400000-0x0000000001B3C000-memory.dmp

Filesize
23.2MB

Download
memory/2064-250-0x0000000000400000-0x0000000001B3C000-memory.dmp

Filesize
23.2MB

Download
memory/2804-304-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2804-342-0x00000000741E0000-0x0000000074219000-memory.dmp

Filesize
228KB

Download
memory/2804-513-0x00000000749F0000-0x0000000074A29000-memory.dmp

Filesize
228KB

Download
memory/2804-419-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2804-351-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2804-418-0x0000000074F50000-0x0000000074F89000-memory.dmp

Filesize
228KB

Download
memory/2804-512-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2804-573-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2804-410-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2804-487-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2804-482-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2804-411-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2944-406-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3140-569-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3228-568-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3444-349-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3444-333-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3444-249-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4000-253-0x0000000000400000-0x00000000015F4000-memory.dmp

Filesize
18.0MB

Download
memory/4120-399-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4120-409-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4120-407-0x0000000074F50000-0x0000000074F89000-memory.dmp

Filesize
228KB

Download
memory/4292-405-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4404-496-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4428-470-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4428-479-0x0000000074F50000-0x0000000074F89000-memory.dmp

Filesize
228KB

Download
memory/4428-481-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4728-350-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4816-567-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4816-572-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4816-570-0x0000000074F50000-0x0000000074F89000-memory.dmp

Filesize
228KB

Download
memory/4868-478-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4988-477-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5596-514-0x0000000000400000-0x0000000001B3C000-memory.dmp

Filesize
23.2MB

Download
memory/5660-525-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5748-502-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5952-322-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download