neshta | 838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3

Analysis

max time kernel
152s
max time network
140s
platform
windows7_x64
resource
win7-en-20211208
submitted
03-02-2022 16:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
Size

451KB
MD5

6de1e49036e9654914c333f39b17aa15
SHA1

f9647c886e99852ba0ee47fa6ea9b1ac42ce9239
SHA256

838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3
SHA512

9791079dac388ed6225c4b6352dfe2090692359208f74a2950528bd1aba80aa3b6a88b7c882cfc787b8d29d77ca69d44d798075a4674152f350948312abfc054

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Detect Neshta Payload 42 IoCs

Processes:

resource	yara_rule
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe	family_neshta
C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe	family_neshta
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	family_neshta
\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	family_neshta
C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\misc.exe	family_neshta
C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	family_neshta
\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	family_neshta
\PROGRA~2\MICROS~1\Office14\OIS.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	family_neshta
\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	family_neshta
\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{F4220~1\VC_RED~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 3 IoCs

Processes:

838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exesvchost.comsvchost.com

pid process

1720 838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
588 svchost.com
1076 svchost.com

pid	process
1720	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
588	svchost.com
1076	svchost.com

Loads dropped DLL 12 IoCs

Processes:

838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exeregsvr32.exesvchost.com

pid	process
1264	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
1548	regsvr32.exe
1548	regsvr32.exe
1548	regsvr32.exe
1548	regsvr32.exe
1264	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
588	svchost.com
1264	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
1264	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
1264	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
1264	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
1264	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

svchost.com838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
File created	C:\Program Files (x86)\MediaPlayer\__tmp_rar_sfx_access_check_184720	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
File opened for modification	C:\Program Files (x86)\MediaPlayer\hi_h264dec.dll	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	svchost.com
File opened for modification	C:\Program Files (x86)\MediaPlayer\StreamReader.dll	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	svchost.com
File opened for modification	C:\Program Files (x86)\MediaPlayer	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
File opened for modification	C:\Program Files (x86)\MediaPlayer\H264Play.dll	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
File created	C:\Program Files (x86)\MediaPlayer\StreamReader.dll	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	svchost.com

Drops file in Windows directory 5 IoCs

Processes:

838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exesvchost.comsvchost.com

description	ioc	process
File opened for modification	C:\Windows\svchost.com	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 19 IoCs

Processes:

regsvr32.exe838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\Extensions\.mp4	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4DA6077-2239-4C9E-AE16-C78DD9F35631}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4DA6077-2239-4C9E-AE16-C78DD9F35631}\ = "H264 File Source"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4DA6077-2239-4C9E-AE16-C78DD9F35631}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{76C90120-D6E9-4CDD-8163-466B950BB133}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D4DA6077-2239-4C9E-AE16-C78DD9F35631}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\Extensions\.h264\Source Filter = "{D4DA6077-2239-4C9E-AE16-C78DD9F35631}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\Extensions\.mp4\Source Filter = "{D4DA6077-2239-4C9E-AE16-C78DD9F35631}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\Extensions\.h264	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4DA6077-2239-4C9E-AE16-C78DD9F35631}\InprocServer32\ = "C:\\Program Files (x86)\\MediaPlayer\\MediaDecFilter.ax"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4DA6077-2239-4C9E-AE16-C78DD9F35631}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{76C90120-D6E9-4CDD-8163-466B950BB133}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{76C90120-D6E9-4CDD-8163-466B950BB133}\ = "H264 File Source Property Page"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D4DA6077-2239-4C9E-AE16-C78DD9F35631}\CLSID = "{D4DA6077-2239-4C9E-AE16-C78DD9F35631}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{76C90120-D6E9-4CDD-8163-466B950BB133}\InprocServer32\ = "C:\\Program Files (x86)\\MediaPlayer\\MediaDecFilter.ax"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{76C90120-D6E9-4CDD-8163-466B950BB133}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D4DA6077-2239-4C9E-AE16-C78DD9F35631}\FriendlyName = "H264 File Source"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D4DA6077-2239-4C9E-AE16-C78DD9F35631}\FilterData = 020000000000200001000000000000003070693308000000000000000100000000000000000000003074793300000000380000003800000000000000000000000000000000000000	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.execmd.exesvchost.comwmplayer.exesvchost.com

description	pid	process	target process
PID 1264 wrote to memory of 1720	1264	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
PID 1264 wrote to memory of 1720	1264	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
PID 1264 wrote to memory of 1720	1264	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
PID 1264 wrote to memory of 1720	1264	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
PID 1264 wrote to memory of 1720	1264	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
PID 1264 wrote to memory of 1720	1264	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
PID 1264 wrote to memory of 1720	1264	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
PID 1720 wrote to memory of 768	1720	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe	cmd.exe
PID 1720 wrote to memory of 768	1720	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe	cmd.exe
PID 1720 wrote to memory of 768	1720	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe	cmd.exe
PID 1720 wrote to memory of 768	1720	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe	cmd.exe
PID 1720 wrote to memory of 768	1720	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe	cmd.exe
PID 1720 wrote to memory of 768	1720	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe	cmd.exe
PID 1720 wrote to memory of 768	1720	838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe	cmd.exe
PID 768 wrote to memory of 1548	768	cmd.exe	regsvr32.exe
PID 768 wrote to memory of 1548	768	cmd.exe	regsvr32.exe
PID 768 wrote to memory of 1548	768	cmd.exe	regsvr32.exe
PID 768 wrote to memory of 1548	768	cmd.exe	regsvr32.exe
PID 768 wrote to memory of 1548	768	cmd.exe	regsvr32.exe
PID 768 wrote to memory of 1548	768	cmd.exe	regsvr32.exe
PID 768 wrote to memory of 1548	768	cmd.exe	regsvr32.exe
PID 768 wrote to memory of 588	768	cmd.exe	svchost.com
PID 768 wrote to memory of 588	768	cmd.exe	svchost.com
PID 768 wrote to memory of 588	768	cmd.exe	svchost.com
PID 768 wrote to memory of 588	768	cmd.exe	svchost.com
PID 768 wrote to memory of 588	768	cmd.exe	svchost.com
PID 768 wrote to memory of 588	768	cmd.exe	svchost.com
PID 768 wrote to memory of 588	768	cmd.exe	svchost.com
PID 588 wrote to memory of 996	588	svchost.com	wmplayer.exe
PID 588 wrote to memory of 996	588	svchost.com	wmplayer.exe
PID 588 wrote to memory of 996	588	svchost.com	wmplayer.exe
PID 588 wrote to memory of 996	588	svchost.com	wmplayer.exe
PID 996 wrote to memory of 1076	996	wmplayer.exe	svchost.com
PID 996 wrote to memory of 1076	996	wmplayer.exe	svchost.com
PID 996 wrote to memory of 1076	996	wmplayer.exe	svchost.com
PID 996 wrote to memory of 1076	996	wmplayer.exe	svchost.com
PID 1076 wrote to memory of 1396	1076	svchost.com	setup_wm.exe
PID 1076 wrote to memory of 1396	1076	svchost.com	setup_wm.exe
PID 1076 wrote to memory of 1396	1076	svchost.com	setup_wm.exe
PID 1076 wrote to memory of 1396	1076	svchost.com	setup_wm.exe
PID 1076 wrote to memory of 1396	1076	svchost.com	setup_wm.exe
PID 1076 wrote to memory of 1396	1076	svchost.com	setup_wm.exe
PID 1076 wrote to memory of 1396	1076	svchost.com	setup_wm.exe

C:\Users\Admin\AppData\Local\Temp\838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
"C:\Users\Admin\AppData\Local\Temp\838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe"
1⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1264

C:\Users\Admin\AppData\Local\Temp\3582-490\838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\MediaPlayer\register.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:768

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 -s MediaDecFilter.ax
4⤵
- Loads dropped DLL
- Modifies registry class
PID:1548

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\PROGRA~2\WI54FB~1\wmplayer.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:588

C:\PROGRA~2\WI54FB~1\wmplayer.exe
C:\PROGRA~2\WI54FB~1\wmplayer.exe
5⤵
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\PROGRA~2\WI54FB~1\setup_wm.exe" /RunOnce:C:\PROGRA~2\WI54FB~1\wmplayer.exe
6⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1076

C:\PROGRA~2\WI54FB~1\setup_wm.exe
C:\PROGRA~2\WI54FB~1\setup_wm.exe /RunOnce:C:\PROGRA~2\WI54FB~1\wmplayer.exe
7⤵
PID:1396

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE
MD5
02ee6a3424782531461fb2f10713d3c1

SHA1
b581a2c365d93ebb629e8363fd9f69afc673123f

SHA256
ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc

SHA512
6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe
MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe
MD5
58b58875a50a0d8b5e7be7d6ac685164

SHA1
1e0b89c1b2585c76e758e9141b846ed4477b0662

SHA256
2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae

SHA512
d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe
MD5
566ed4f62fdc96f175afedd811fa0370

SHA1
d4b47adc40e0d5a9391d3f6f2942d1889dd2a451

SHA256
e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460

SHA512
cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE
MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE
MD5
f562021a3a2e1a11351e0b6da28be149

SHA1
b591c3f6647b7d8ec0a45c7cddbd69eaf4d07e7e

SHA256
58abcadd2bff81ed5fd90e3b16f7339ca7bdae6b3058709ef72d5879da57618c

SHA512
802b396422608ec1f8c49c957af04d8a77b42ae6d37914257268ab0bc52fe841a10bae1fd53fd8d9d5b4165e133787833f6d6c38b28ac4c31f54eebdf527b1ef

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE
MD5
7ed0f5802e7fc1243b7c82862c5bf87c

SHA1
e16741b5050df662da25419da6cf80517fc2a46a

SHA256
3342cf175e2c42ee691ba58cf7f6d6db3116f615b5483327fed706067b265595

SHA512
a006888ed6dbd9dd548f84d57c84e3baccc1ee5c09d2d127ce26c3f01af59e8531bc43b4f986aa45d8853f3d71a87dec2adbd34bd75a182e4f45111c69339fef

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE
MD5
fafb18b930b2b05ac8c5ddb988e9062f

SHA1
825ea5069601fb875f8d050aa01300eac03d3826

SHA256
c17785fe7e6b5e08fe5a4ca3679fee85ba6f2e5efcce0fb9807727cf8aa25265

SHA512
be034e7377bd27092aad02e13a152fb80ff74c1ba2fb63ccb344cd55315d115ee47e46727cbe55ca808efafa58d7924e3eed965e9a2fd3b9ae2dff7834383e54

Download Submit
C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE
MD5
685db5d235444f435b5b47a5551e0204

SHA1
99689188f71829cc9c4542761a62ee4946c031ff

SHA256
fde30bfdd34c7187d02eabe49f2386b4661321534b50032a838b179a21737411

SHA512
a06d711574fbe32f07d20e1d82b7664addd664bf4a7ee07a8f98889172afe3653f324b5915968950b18e76bbfc5217a29704057fd0676611629aa9eb888af54a

Download Submit
C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE
MD5
71509f22e82a9f371295b0e6cf4a79bb

SHA1
c7eefb4b59f87e9a0086ea80962070afb68e1d27

SHA256
f9837240f5913bfa289ac2b5da2ba0ba24f60249d6f7e23db8a78bb10c3c7722

SHA512
3ea6347bbb1288335ac34ee7c3006af746ca9baccfbc688d85a5ca86b09d3e456047239c0859e8dd2cdc22d254897fccd0919f00826e9665fd735cfb7c1554e7

Download Submit
C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe
MD5
b1e0da67a985533914394e6b8ac58205

SHA1
5a65e6076f592f9ea03af582d19d2407351ba6b6

SHA256
67629b025fed676bd607094fa7f21550e18c861495ba664ee0d2b215a4717d7f

SHA512
188ebb9a58565ca7ed81a46967a66d583f7dea43a2fc1fe8076a79ef4a83119ccaa22f948a944abae8f64b3a4b219f5184260eff7201eb660c321f6c0d1eba22

Download Submit
C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE
MD5
4f8fc8dc93d8171d0980edc8ad833b12

SHA1
dc2493a4d3a7cb460baed69edec4a89365dc401f

SHA256
1505f3721dd3d7062dadde1633d17e4ee80caf29fd5b6aa6e6a0c481324ffd4e

SHA512
bdc3f83d7428418516daf23a9c2d00571cbaa3755391dfd8c500b6df7f621a67ad8e27775bcdaa20b159cd77d08bcdaf81a0cb7fffdd812978888d43512113a6

Download Submit
C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE
MD5
92ee5c55aca684cd07ed37b62348cd4e

SHA1
6534d1bc8552659f19bcc0faaa273af54a7ae54b

SHA256
bee98e2150e02ad6259184a35e02e75df96291960032b3085535fb0f1f282531

SHA512
fc9f4569a5f3de81d6a490f0fff4765698cdc891933979a3ce661a6291b606630a0c2b15647fc661109fcea466c7a78552b9cfbca6c5b2079ea1632a9f1b6e22

Download Submit
C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE
MD5
56f047ff489e52768039ce7017bdc06e

SHA1
3f249d6a9e79c2706ed2e0e12f7e76ebd5e568fc

SHA256
62d6c979d708efe21c9618a18232fd2c74e85bb9560daa298025ab9af784202d

SHA512
a2eae7eae6548d325480560dcca83283a022f00f7d9bd19c0ae801a7acec133a33c5c5eb79432d47c8258d153cadea988217845d58eb4e8aa8070a068befe5e8

Download Submit
C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE
MD5
06ac9f5e8fd5694c759dc59d8a34ee86

SHA1
a29068d521488a0b8e8fc75bc0a2d1778264596b

SHA256
ab6a5bfc12229c116033183db646125573989dfc2fc076e63e248b1b82f6751d

SHA512
597dfd9cb82acc8f3033f2215df7138f04445f5826054528242e99e273f9cc4a7a956c75f280e6145fcdb22824a1f258246e22637de56a66dcae72ac2c1d14fe

Download Submit
C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE
MD5
8acc19705a625e2d4fa8b65214d7070a

SHA1
ad16e49369c76c6826a18d136bf9618e8e99ec12

SHA256
3fb179a3ae88a3d14db48de29d4b9d43243b80b2118b578b8117ad776ce47f12

SHA512
92e22275194b5a73d825e1e7ad5a5cb5649d3679f545f88328aa72e39c161c4d797b7b3462e590edf546ddbd53c1508a49056f50fa63b113134e1bdc7d977dec

Download Submit
C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE
MD5
33cb3cf0d9917a68f54802460cbbc452

SHA1
4f2e4447fabee92be16806f33983bb71e921792b

SHA256
1230b2032d2d35a55cd86d1215eb38fa18bcf590c3c19b9ac4dda5350c24e10a

SHA512
851f0a098020cb1da3f5f48febce3b9eaef3b885df9134b3fb6b364f3a7572a8c516456710a15f66f0a44eff59cfa50f2dc8bb5d274e5c093294b2ea96fd49cb

Download Submit
C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE
MD5
44623cc33b1bd689381de8fe6bcd90d1

SHA1
187d4f8795c6f87dd402802723e4611bf1d8089e

SHA256
380154eab37e79ed26a7142b773b8a8df6627c64c99a434d5a849b18d34805ba

SHA512
19002885176caceb235da69ee5af07a92b18dac0fb8bb177f2c1e7413f6606b1666e0ea20f5b95b4fa3d82a3793b1dbe4a430f6f84a991686b024c4e11606082

Download Submit
C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE
MD5
5d2fd8de43da81187b030d6357ab75ce

SHA1
327122ef6afaffc61a86193fbe3d1cbabb75407e

SHA256
4d117648525a468532da011f0fc051e49bf472bbcb3e9c4696955bd398b9205f

SHA512
9f7470978346746b4e3366f9a6b277aa747cc45f13d36886fc16303221565d23348195b72ac25f7b1711789cd7cb925d7ceea91e384ef4f904a4e49b4e06d9b2

Download Submit
C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE
MD5
25b9301a6557a958b0a64752342be27d

SHA1
0887e1a9389a711ef8b82da8e53d9a03901edebc

SHA256
5d916f7c7f6cb6cfd7545a57cb9c9d9c6df16af3517298c346901081a9135303

SHA512
985f6b2fcac2f0425a1a339a55616012879a393caa747412d04c1ee4de3b12aff2cc051860066d84ecbeae335eaa5116ccb8a02090a2674eded367378c56b1ab

Download Submit
C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE
MD5
7a4edc8fb7114d0ea3fdce1ea05b0d81

SHA1
02ecc30dbfab67b623530ec04220f87b312b9f6b

SHA256
ff16fdc703e55ddfe5ee867f343f3b20b496e7199c6c4b646335a01026f74550

SHA512
39519685b1dd872008abfa967f79fd3b7a5e6f6ee1b9c3de891aae64490b2d0feb56bcd3f5dab4527d2c6d07646db5966028df153f38a1c09ee88a1ba9a1ef44

Download Submit
C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE
MD5
c3ee902099b98a299b1a215aba1b27bb

SHA1
602b023806464db25f5f8e4ffc157cc7d7e9886b

SHA256
e657a9f85af7cb5ded734e162db514e466256a83d51f4454abbf19c54b30686f

SHA512
3538548c99f266404395ce9bdcadb542171799865ac5feddce936305ff2b09ecb939bed60d1e7011a39ca8548af39f9b4ee723b15674a1df54404270fc5afc9f

Download Submit
C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE
MD5
a2dddf04b395f8a08f12001318cc72a4

SHA1
1bd72e6e9230d94f07297c6fcde3d7f752563198

SHA256
b35e60f1551870c1281d673380fe3101cd91b1f0b4d3c14c2383060f5e120373

SHA512
2159df98d90467720b738be68bee5aba38980d2449c18d2ea4b7b9bae7d222b4a85845d0f9597017d0ee417964190bc3d95cb4809e33aac16b6cfa6ec200dce3

Download Submit
C:\PROGRA~2\MICROS~1\Office14\OIS.EXE
MD5
4545e2b5fa4062259d5ddd56ecbbd386

SHA1
c021dc8488a73bd364cb98758559fe7ba1337263

SHA256
318f1f3fbdd1cf17c176cb68b4bc2cf899338186161a16a1adc29426114fb4f8

SHA512
cf07436e0219ca5868e11046f2a497583066a9cf68262e7cca22daad72aded665ac66afea8db76182c172041c45fcef1628ea6852751c4bf97969c9af6cfefa1

Download Submit
C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE
MD5
08ee3d1a6a5ed48057783b0771abbbea

SHA1
ebf911c5899f611b490e2792695924df1c69117d

SHA256
3f6decd82b72a5ba1ee224b52d9fbd6486be22a0b855e28eaad47ae92df266f0

SHA512
1711d023c60d4b047d553a654797bc3a2eecd951b310698c1a2c549e136c33f55e0fc1167a4a38f793b7796f7cfc3fb30017935127b147a21da2812eb38faac5

Download Submit
C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE
MD5
525f8201ec895d5d6bb2a7d344efa683

SHA1
a87dae5b06e86025abc91245809bcb81eb9aacf9

SHA256
39a089d363b15c37cca9f747a17e89ad1dbe0bc86ff23466526beaa5e36d6d4b

SHA512
f0a2070f11eb3f0bdf996ada42becc7710aab76e84268e5cdbbd9ecbf13ef5fb85b52b6227711137a9c511f8d731b018530cbf1935f8fcfd61ff2ef6c1348d63

Download Submit
C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE
MD5
9b1c9f74ac985eab6f8e5b27441a757b

SHA1
9a2cf7d2518c5f5db405e5bd8d37bf62dcaf34f5

SHA256
2a189b995a7283b503bb5864dd9ca57976b3812a6a34aaf89a7551336c43bc24

SHA512
d72e83aeaf1d34627a6c6aa469821af8a8d464a72c764fbb064484adea509a8c1d3628e2166859286e84daae8ebdf4f800693ce203984a8c313b1f2263e101c4

Download Submit
C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE
MD5
5ae9c0c497949584ffa06f028a6605ab

SHA1
eb24dbd3c8952ee20411691326d650f98d24e992

SHA256
07dd9364be7babc5f9a08f0ccd828a9a55137845df1782b147f12943f234ea4e

SHA512
2e99bb500c281c367cc54fa283905b2537905ea4fe8986f676adbb1aaf58460dd2db082bb46a3dbe9dc836fbae3ee8832990839432dd99c74de58cc9b9295788

Download Submit
C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE
MD5
fc87e701e7aab07cd97897512ab33660

SHA1
65dcd8e5715f2e4973fb6b271ffcb4af9cefae53

SHA256
bb1814297615d6b22fa20ee4f8613c8bc9fa67d93cb7fe032f46f377569e2f46

SHA512
b03e3b3f7b0f11b85757d8bf5678542f4281407e95cf8e074da4ddc421c217fcfaf23cc927ccd0bbca2891a424b2d3565072aba6406dc46c2fa1fdba7a249eec

Download Submit
C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE
MD5
93766da984541820057ae0ab3d578928

SHA1
ea19a657c6b1b5eb5accc09c45dcf04f063151c3

SHA256
ad3a9f7beaaea0bc49a7ccba83198cfb2882d462441203684076695b0ef6c514

SHA512
e14c86e13ab79fa9b9eb1a05d69764d522c4acfab7742c200080b215bb3bc31ec7f3dd2abf44cbc996d2e58a0ca1990b18ab055b232b243fe61b5fb018a9b719

Download Submit
C:\PROGRA~2\MICROS~1\Office14\misc.exe
MD5
02e02577a83a1856dc838f9e2f24e8d2

SHA1
2ab44e2072a3598fc7092b2ccb9aff3a2c5d4ced

SHA256
3b6ca9d9fcbb0c1677fe4caeef03e4db326f70166f030b5f9fa9f2856031d4fc

SHA512
a95d454a4f9e5271bc52e6c245c7840a92b8331b84260b2556432ac66dd07bec1b2c3dcf41282d6d8ae581a152f3147e75dc673ce0c7ecbb653dcc61bc1d1bd8

Download Submit
C:\Program Files (x86)\MediaPlayer\DllDeinterlace.dll
MD5
734654f3c6b732fad89fcc17f3816df1

SHA1
9c01926ebb01b5532d695791d0a93fddb0d19d36

SHA256
1616778babe6da0c0ceef10cbc7814a584299aaa01106b18c26f4e1f4da1dd74

SHA512
bb903eadfd37adfb4c9c0c19c26382d9b6e37a8cca469695c5b7e859b91c8f211be5f40a2df3d24a8fe9644541e6afbb891bfc08e634242415d5d563f4c97d7a

Download Submit
C:\Program Files (x86)\MediaPlayer\H264Play.dll
MD5
23843bfeb8843b8d858e47b77b2b3c93

SHA1
039d91bd47c2b46c6fb92735ee2c2cacf935b455

SHA256
0b1ec662062b3fae588706e82d07932239d04be218fbcb4d2995a1ee83858f00

SHA512
448ec6df8a7157a8bb2e7ddcad5ef2cb74f0a713b5889fd1ca7e31bd67380176228da79d43ae2b15c49e5419ca6c0e469d133035d853b51d426d241632a2fa8e

Download Submit
C:\Program Files (x86)\MediaPlayer\MediaDecFilter.ax
MD5
d94efc29c0f1af3e92ea638a97aacbfb

SHA1
e55082085fe91184a96c97de82918aaed7d4ec50

SHA256
576a2f1cd68fe2451f1e72569adcc30763c2f17f2ae36c733fface95947119ac

SHA512
5aa5763d80c321f6b75d85d748c96f600fe827a2a9e7b7c2bbc648eeb7981229a5add47b0f16e75ab2952b9ea73ef0c1bf601854b3b671e11f19ee83f373e790

Download Submit
C:\Program Files (x86)\MediaPlayer\StreamReader.dll
MD5
309f2be26196ba2b728d11ae02aec796

SHA1
e6d2383405c1c5786d32d343834c47fe9e5a73d8

SHA256
6460159348372c318b51f8568cff04c92df38c8bb2fcfc447061e6fcfd74b523

SHA512
8b88f74ddbae95b1cf3462d440be2d7293d54c40164f85f224219d92bea580fec2e2cad50c993e25ff2a09f2cb41fc28ac2324a6613b1a34d1f45194c2cb3331

Download Submit
C:\Program Files (x86)\MediaPlayer\register.bat
MD5
fe50f67e4428d0cde389bba153956fdd

SHA1
0c9d717f4836897d90338e8a2b11b4abda291577

SHA256
c062062b37395f135bfcc3881f3d70454bd8b8cecabf5ad678aa6daea482daa7

SHA512
9fbe7f3afd8cf775596146513c8c226e23fee5603527f853e47e8eb5ff2d34e6626bec85a94f698c474b2762caad8c0f15d6c7df861b0f1ede5b0e47617d3641

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE
MD5
f6636e7fd493f59a5511f08894bba153

SHA1
3618061817fdf1155acc0c99b7639b30e3b6936c

SHA256
61720d294189141b74631299911d91874aa02e67096a47cfaf56ef03f568bd33

SHA512
bd2ae751a37b4c065f0d7f7f7ec19785c1552dfaa4818fdb213fffcf90b7951886131a2b5d7aad843f714be418383fcf09ba1d9548bdbf38fa3d304a092a33d1

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
MD5
dc43143ce3bd88603203392c6e7fe83f

SHA1
f5740d59b33fa4620486e4a787baf1aeb1e2d32f

SHA256
697d144ec9d52910a873c9681679fc8663646f86a09cea115bc2ceb04dc46b83

SHA512
f112c7a816e5f49df94987ebfe4d473c3f8a28e87e5ebdf1cc13606d332be8ff73c069b64df71b3ba23120efb69b6b5dfa3cfb0e56ec76e34fa906ca431469a8

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{F4220~1\VC_RED~1.EXE
MD5
a49eb5f2ad98fffade88c1d337854f89

SHA1
2cc197bcf3625751f7e714ac1caf8e554d0be3b1

SHA256
99da2b7f53a43e0bc01bb52715a37fa87c7f328b4dfac747d7a152ea22e88449

SHA512
4649049a63ce1dfafb632a5b396181bf7fce6364a548660483722329eea13ec0f7df7d7a5c3104e97a1c0f201597fd27d6a1435942a1c1573db2706733aae593

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
MD5
09dc7150ded0b6d8ad0568cfb74e9af7

SHA1
134e51cd5261c43bdbc5e2a9ed778d10ca3bf844

SHA256
62b58074a8939666e2ffa5739ffb1ccd8a195628e56e28d8680a27a2b47109d1

SHA512
bd7976417ad2257d117064b89565a5b7e0be64814dc4a9edf680a8f56cd754b14e6200f253619beee1b503bdeccc108c4e5c582dbc448cdc92ec7d7850e38c6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
MD5
09dc7150ded0b6d8ad0568cfb74e9af7

SHA1
134e51cd5261c43bdbc5e2a9ed778d10ca3bf844

SHA256
62b58074a8939666e2ffa5739ffb1ccd8a195628e56e28d8680a27a2b47109d1

SHA512
bd7976417ad2257d117064b89565a5b7e0be64814dc4a9edf680a8f56cd754b14e6200f253619beee1b503bdeccc108c4e5c582dbc448cdc92ec7d7850e38c6c

Download Submit
C:\Windows\directx.sys
MD5
5c274313169f372e49fc7483a31ca20b

SHA1
c16047de3c5c83d4327acc614ce85cf7fd06f864

SHA256
1e0cb9aec87c0d209d81354424c655870af2ed20064c9eab79db43e90b6c225a

SHA512
1c1957e57f59e09287d11e62ac953da960558f0ecdede424417b5a40d81e78a43357810d21c5d0d120ad01860de7c8ddc412cf53772084fe5529efc9dd8abf9e

Download Submit
C:\Windows\svchost.com
MD5
bc93f4f527b58419ef42f19db49f64a8

SHA1
2650a73b61577cfc0c0d80a7f38103d65388d808

SHA256
d146be51818e0e408577879f76b6f4a13cb3cfc135b9cc2a4145cf50f7592830

SHA512
4958c8477424c144412b93f7b1242121abd19e1777b276cac1bc3dfe78067cb3d2af24da6c325b2dd5604aa2505d815d0d2811ca788cedb8bccbfbd622ed0e83

Download Submit
C:\Windows\svchost.com
MD5
bc93f4f527b58419ef42f19db49f64a8

SHA1
2650a73b61577cfc0c0d80a7f38103d65388d808

SHA256
d146be51818e0e408577879f76b6f4a13cb3cfc135b9cc2a4145cf50f7592830

SHA512
4958c8477424c144412b93f7b1242121abd19e1777b276cac1bc3dfe78067cb3d2af24da6c325b2dd5604aa2505d815d0d2811ca788cedb8bccbfbd622ed0e83

Download Submit
C:\Windows\svchost.com
MD5
bc93f4f527b58419ef42f19db49f64a8

SHA1
2650a73b61577cfc0c0d80a7f38103d65388d808

SHA256
d146be51818e0e408577879f76b6f4a13cb3cfc135b9cc2a4145cf50f7592830

SHA512
4958c8477424c144412b93f7b1242121abd19e1777b276cac1bc3dfe78067cb3d2af24da6c325b2dd5604aa2505d815d0d2811ca788cedb8bccbfbd622ed0e83

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE
MD5
685db5d235444f435b5b47a5551e0204

SHA1
99689188f71829cc9c4542761a62ee4946c031ff

SHA256
fde30bfdd34c7187d02eabe49f2386b4661321534b50032a838b179a21737411

SHA512
a06d711574fbe32f07d20e1d82b7664addd664bf4a7ee07a8f98889172afe3653f324b5915968950b18e76bbfc5217a29704057fd0676611629aa9eb888af54a

Download Submit
\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE
MD5
7a4edc8fb7114d0ea3fdce1ea05b0d81

SHA1
02ecc30dbfab67b623530ec04220f87b312b9f6b

SHA256
ff16fdc703e55ddfe5ee867f343f3b20b496e7199c6c4b646335a01026f74550

SHA512
39519685b1dd872008abfa967f79fd3b7a5e6f6ee1b9c3de891aae64490b2d0feb56bcd3f5dab4527d2c6d07646db5966028df153f38a1c09ee88a1ba9a1ef44

Download Submit
\PROGRA~2\MICROS~1\Office14\OIS.EXE
MD5
4545e2b5fa4062259d5ddd56ecbbd386

SHA1
c021dc8488a73bd364cb98758559fe7ba1337263

SHA256
318f1f3fbdd1cf17c176cb68b4bc2cf899338186161a16a1adc29426114fb4f8

SHA512
cf07436e0219ca5868e11046f2a497583066a9cf68262e7cca22daad72aded665ac66afea8db76182c172041c45fcef1628ea6852751c4bf97969c9af6cfefa1

Download Submit
\PROGRA~2\MICROS~1\Office14\PPTICO.EXE
MD5
525f8201ec895d5d6bb2a7d344efa683

SHA1
a87dae5b06e86025abc91245809bcb81eb9aacf9

SHA256
39a089d363b15c37cca9f747a17e89ad1dbe0bc86ff23466526beaa5e36d6d4b

SHA512
f0a2070f11eb3f0bdf996ada42becc7710aab76e84268e5cdbbd9ecbf13ef5fb85b52b6227711137a9c511f8d731b018530cbf1935f8fcfd61ff2ef6c1348d63

Download Submit
\PROGRA~2\MICROS~1\Office14\WORDICON.EXE
MD5
fc87e701e7aab07cd97897512ab33660

SHA1
65dcd8e5715f2e4973fb6b271ffcb4af9cefae53

SHA256
bb1814297615d6b22fa20ee4f8613c8bc9fa67d93cb7fe032f46f377569e2f46

SHA512
b03e3b3f7b0f11b85757d8bf5678542f4281407e95cf8e074da4ddc421c217fcfaf23cc927ccd0bbca2891a424b2d3565072aba6406dc46c2fa1fdba7a249eec

Download Submit
\Program Files (x86)\MediaPlayer\DllDeinterlace.dll
MD5
734654f3c6b732fad89fcc17f3816df1

SHA1
9c01926ebb01b5532d695791d0a93fddb0d19d36

SHA256
1616778babe6da0c0ceef10cbc7814a584299aaa01106b18c26f4e1f4da1dd74

SHA512
bb903eadfd37adfb4c9c0c19c26382d9b6e37a8cca469695c5b7e859b91c8f211be5f40a2df3d24a8fe9644541e6afbb891bfc08e634242415d5d563f4c97d7a

Download Submit
\Program Files (x86)\MediaPlayer\H264Play.dll
MD5
23843bfeb8843b8d858e47b77b2b3c93

SHA1
039d91bd47c2b46c6fb92735ee2c2cacf935b455

SHA256
0b1ec662062b3fae588706e82d07932239d04be218fbcb4d2995a1ee83858f00

SHA512
448ec6df8a7157a8bb2e7ddcad5ef2cb74f0a713b5889fd1ca7e31bd67380176228da79d43ae2b15c49e5419ca6c0e469d133035d853b51d426d241632a2fa8e

Download Submit
\Program Files (x86)\MediaPlayer\MediaDecFilter.ax
MD5
d94efc29c0f1af3e92ea638a97aacbfb

SHA1
e55082085fe91184a96c97de82918aaed7d4ec50

SHA256
576a2f1cd68fe2451f1e72569adcc30763c2f17f2ae36c733fface95947119ac

SHA512
5aa5763d80c321f6b75d85d748c96f600fe827a2a9e7b7c2bbc648eeb7981229a5add47b0f16e75ab2952b9ea73ef0c1bf601854b3b671e11f19ee83f373e790

Download Submit
\Program Files (x86)\MediaPlayer\StreamReader.dll
MD5
309f2be26196ba2b728d11ae02aec796

SHA1
e6d2383405c1c5786d32d343834c47fe9e5a73d8

SHA256
6460159348372c318b51f8568cff04c92df38c8bb2fcfc447061e6fcfd74b523

SHA512
8b88f74ddbae95b1cf3462d440be2d7293d54c40164f85f224219d92bea580fec2e2cad50c993e25ff2a09f2cb41fc28ac2324a6613b1a34d1f45194c2cb3331

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
MD5
09dc7150ded0b6d8ad0568cfb74e9af7

SHA1
134e51cd5261c43bdbc5e2a9ed778d10ca3bf844

SHA256
62b58074a8939666e2ffa5739ffb1ccd8a195628e56e28d8680a27a2b47109d1

SHA512
bd7976417ad2257d117064b89565a5b7e0be64814dc4a9edf680a8f56cd754b14e6200f253619beee1b503bdeccc108c4e5c582dbc448cdc92ec7d7850e38c6c

Download Submit
memory/1264-54-0x0000000076451000-0x0000000076453000-memory.dmp

Filesize
8KB

Download
memory/1548-71-0x0000000000190000-0x00000000001A5000-memory.dmp

Filesize
84KB

Download
memory/1548-66-0x00000000002E0000-0x0000000000387000-memory.dmp

Filesize
668KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads