neshta | c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782

Analysis

max time kernel
152s
max time network
157s
platform
windows7_x64
resource
win7-en-20211208
submitted
06-02-2022 08:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe
Size

1.5MB
MD5

2fbb94d957f46cbf8fc41d864e754433
SHA1

ad19acfa0033a234a3a326f25fd10bf0c3cf58f8
SHA256

c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782
SHA512

be4a043eb6725f00388bb0e23a24ce5ace24f8c491eb092085b3d92b0023b4fa2bd7f5c347d27841e0a4171b816d0a3a6df324e270fd0fa3496b49dab825f7ef

Score

10^/10

neshta evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 2 IoCs

Processes:

c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exesvchost.com

pid process

1432 c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe
1608 svchost.com

pid	process
1432	c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe
1608	svchost.com

Loads dropped DLL 4 IoCs

Processes:

c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exesvchost.com

pid	process
1284	c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe
1608	svchost.com
1284	c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe
1608	svchost.com

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe

Drops file in Program Files directory 64 IoCs

Processes:

svchost.comc26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exec26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Backup	c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE	c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe

Drops file in Windows directory 3 IoCs

Processes:

c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exesvchost.com

description	ioc	process
File opened for modification	C:\Windows\svchost.com	c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe

pid process

1432 c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe

pid	process
1432	c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exec26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exesvchost.com

description	pid	process	target process
PID 1284 wrote to memory of 1432	1284	c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe	c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe
PID 1284 wrote to memory of 1432	1284	c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe	c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe
PID 1284 wrote to memory of 1432	1284	c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe	c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe
PID 1284 wrote to memory of 1432	1284	c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe	c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe
PID 1432 wrote to memory of 1608	1432	c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe	svchost.com
PID 1432 wrote to memory of 1608	1432	c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe	svchost.com
PID 1432 wrote to memory of 1608	1432	c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe	svchost.com
PID 1432 wrote to memory of 1608	1432	c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe	svchost.com
PID 1608 wrote to memory of 1544	1608	svchost.com	READER~1.EXE
PID 1608 wrote to memory of 1544	1608	svchost.com	READER~1.EXE
PID 1608 wrote to memory of 1544	1608	svchost.com	READER~1.EXE
PID 1608 wrote to memory of 1544	1608	svchost.com	READER~1.EXE

C:\Users\Admin\AppData\Local\Temp\c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe
"C:\Users\Admin\AppData\Local\Temp\c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe"
1⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1284

C:\Users\Admin\AppData\Local\Temp\3582-490\c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1432

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\PROGRA~2\Adobe\READER~1.0\Reader\READER~1.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1608

C:\PROGRA~2\Adobe\READER~1.0\Reader\READER~1.EXE
C:\PROGRA~2\Adobe\READER~1.0\Reader\READER~1.EXE
4⤵
PID:1544

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE
MD5
754309b7b83050a50768236ee966224f

SHA1
10ed7efc2e594417ddeb00a42deb8fd9f804ed53

SHA256
acd32dd903e5464b0ecd153fb3f71da520d2e59a63d4c355d9c1874c919d04e6

SHA512
e5aaddf62c08c8fcc1ae3f29df220c5c730a2efa96dd18685ee19f5a9d66c4735bb4416c4828033661990604669ed345415ef2dc096ec75e1ab378dd804b1614

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe
MD5
ad98b20199243808cde0b5f0fd14b98f

SHA1
f95ce4c4c1bb507da8ed379503b7f597ee2016cd

SHA256
214f478e94658fa2bd7f0bc17022831baee707756798addb41d9c5bee050e70b

SHA512
ee1251c62530b3027e2cd5669533c633577ffbcf854e137a551148fc0de3ee6cc34253a0bdefdbd4843929843b0790f1de893aa6fbae1c969f057b9f8486afef

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe
MD5
248a8df8e662dfca1db4f7160e1a972b

SHA1
dca22df5bca069f90d84d59988abe73a24704304

SHA256
6c7abeebd50487ca33315f5e507c9a5346e6e7a4b732103b35b8006ed58d7bb2

SHA512
0042e806d50c938fb1f08506327c87cd99e4f5f9520636b20695d94a696bb8b3f500f6d9507cb46fdba27c60cc0cb9e3c1e7c35dcfb7fcf4dadac3270e654f75

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe
MD5
dc6114cf663ccdb1e55d37e6501c54cc

SHA1
8007df78476f6e723ddcb3ad6d515e558dcb97c9

SHA256
d566164c874ef66149b493e3220616cdb9090a8cebb4a1325c48c705aea5c348

SHA512
677464e6dab367f9158655533cade6e1ec4b39c4e64b05395e72e4099ca7f8fa82b8e49846932956da5fef760cc109a348e1c599d986166998e4d2623022a28c

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE
MD5
2142b0fff4fbaaaa52bb901730f4b58c

SHA1
8c139ed4e04bb6413200716f0567bf76262e3051

SHA256
da7c7e2a69816a8e1c3cd016bdd461c5b55963ef6f198287098b193893d37a54

SHA512
f9055d72c535836ec3f06278a7891572665e943ca5af52f84ee368504e82a1f2ce330d455b8420a61e8576b9c8daa08063905df50c76248c58d8c9c97a03c7a0

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE
MD5
46990c189f267e44f1927f68380102a7

SHA1
01eb9127bcda65186295003420683f3b4385659c

SHA256
323942be693446177d1e1f3686ccf142c31f812501a4b96aba2465c5291280cf

SHA512
3d1b342922f6fbb55aab224c705202d8607108ed459eb3dfecd7deece986f8818961c31930858f9576afeb9f7114cb64ad68d50768a9a61103be44d668d53296

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE
MD5
7fc6761ca71bceb933fcfe06864aac5e

SHA1
40b2c8e82eec845ef471ae1f23bf5896cf0c1c9e

SHA256
b4d5b800b790653e9871caaac9cbca146fd45f3970fb3e87ded38cfe77c0f935

SHA512
a4564d46809f834c18ba2ca60d44eb78b4c76666346ae980e601343a9c026f5146ce55defb70feee88a85da9c7c067bce7e21e1e525392da3bd1f3ef6d38d350

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe
MD5
2352318f01171370a31048e3ef80a4a9

SHA1
aeca009b93c80a3a51eaefa035b09f8a5aa6d252

SHA256
88b241c269c0b657ed4a2b09b0835f15f4dee77d0bb8fec3240bb14d93ba0b62

SHA512
7783abcc2a0e448ea476c53d70b8d04f4c90c3b30b72a1b89310fb6f9f05efcc7e511276cc045c3e3f476e932874c3aef30366872b408fa257561aba2d907b3b

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE
MD5
cfaf70fd3030942d451ef8b1c36f8ee0

SHA1
5d35117280b1d9ecab86c7da513b0a05b3543dbe

SHA256
b32dea3f8e63d73e721505100c110ed32077fd5d3975668f7e930d6786620d16

SHA512
10ebf91807cd44554355e5fdb8c49356873f2830f0d0b88043e29094d4e70762b2b22df4a6ac16b6f147fba7f83a7024830a077b0ef2ca93577f2679ea36df2e

Download Submit
C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE
MD5
62070adb54d3d6be66cf523a2dabdc9d

SHA1
db079cf6656b3f743b4d5844fd292aab090a0f09

SHA256
352d8b4010e648b5839b25c3d97edad29741577b773c54a0de6fcc98f6186f37

SHA512
571d435555e5e4d8b0ec5c49377a190d2926616519408a475191b4b5b73da20dded3f2ddf15934ef66ffd4c1fb7c9a45d0eeeec761156038afa32dd5face1212

Download Submit
C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE
MD5
33ceda1b5b9818a0b660d914d0ab8e47

SHA1
13d82dfd30feae3f9cc3da3f703dbd53d584b119

SHA256
eda8c5136035e5c9dec23b3c28ee3a7cae8c401962424733072ae91a22f11685

SHA512
11f2d7d20705a4b7b23c20feb614c36f98c957de4ef7e58377734bee988c8920941cf7aa19f9a565f7541d1a4442fb7db9c2cbd871cbb5fe1352f91a89eccab4

Download Submit
C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE
MD5
bfc074e73baee73462fbb9f70e31ad0f

SHA1
6ad2cc198e7b3120b64e816780d485b7f0f2ca71

SHA256
c6859ece0c3e40171304b1f19a38493aef38cebf8c698cc598a6328b921fcc93

SHA512
b05771dbb525066b953f6f0b8ae7b5d88919b579167207aec6476879b1aa5f2b2e36d3299d478c5cc2f221391594d424a36c300c891717aa37bf629900df8f93

Download Submit
C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE
MD5
0226957440e97101750e5ac81b2dd689

SHA1
68568c7db607a0359dd1e7d364568bf4cd0ceb66

SHA256
e1cf22f15d35fd6e2777c1dd967d349989ca709cf73248cba3360a9a467804fa

SHA512
48d309d3908b2f4580c481ea4c6c510851fe8221a73edeb910640486494f87491c636f17063a45b224c41d055c95524018f511291bab79afa10df9c3771bae00

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE
MD5
bbbc52b266a2df2d33cd62e05b06a303

SHA1
c70eaf76efdd8dc88268edbe4dd452018929e9d8

SHA256
966d26221d5db2da9e1ce829c69a7638b90121035b60909d98c303f0e5eea18f

SHA512
16029d960ad82b506e439b195da75912dc7f86cdf9607041f68f07deadb257666e04a509a1f0b4fbf79f2769099f1498980b47f3e39985f666febca977cf9f06

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
MD5
aabe51b57f6d1a36a32b68d7576b33a2

SHA1
e31ed5a3a0c765b382b68e03133a249763aa9c0c

SHA256
71642683c7937379d7da32e65a381f937d72f6bebcdc244d97c257a8b9e40702

SHA512
a443018838668fac151a5b8d192f8cb1f021a31a0eee40618b1dcbd45605677113dbdbd213d336112e96593694849b4a37de755886cc307afd77650eaf701d47

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{F4220~1\VC_RED~1.EXE
MD5
d3ca3ccdc18531cbff9660429647e1f4

SHA1
98dae898279c7163449d9c8306652d1bae2d2395

SHA256
9e5598811c6bb90658fb8a9d577d6272e53d0e63d4ce8aa933bb8067f4df263f

SHA512
0c9b9c565db89fff8fed234c4712b77ed0f451473178e3532e2abec246f490b63d3e73e6c58ea57d7910e2c8762d7bf7ab0e091e52b70b1667f744621a82ec0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe
MD5
4eb5d80cdb10e827692c029635f171a7

SHA1
46029f69ba21eea4d701d55480fee9b991f9c052

SHA256
5ded8a12139ad93d44491706f2f0124f532d0b43a136179604ae905e2d1ccb01

SHA512
051944536afbae0619ebe272e1b6379eab66ef3eedfd4f87dce4c22a6269e69a50523c445bbda7b7d2bc8aaa112d5704609731af87d51f2a15763d564575a464

Download Submit
C:\Windows\svchost.com
MD5
371c1e8a04fc1255cd38141e8d1c4e9d

SHA1
a08212115f726e91f5f82ecb0711fe68d392f1c7

SHA256
3109e6a23edb277172fab39ade7be67a2a1ffef6ae37a31e69cc4c5fc2ca62e3

SHA512
f969b3ab18d1bb4ac04e8136cdf89945335907fa6426c5190ea21d79817448592828652d5d32181c060f6562cae85688313a49e20f50f6e1120aa8a72da48966

Download Submit
C:\Windows\svchost.com
MD5
371c1e8a04fc1255cd38141e8d1c4e9d

SHA1
a08212115f726e91f5f82ecb0711fe68d392f1c7

SHA256
3109e6a23edb277172fab39ade7be67a2a1ffef6ae37a31e69cc4c5fc2ca62e3

SHA512
f969b3ab18d1bb4ac04e8136cdf89945335907fa6426c5190ea21d79817448592828652d5d32181c060f6562cae85688313a49e20f50f6e1120aa8a72da48966

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE
MD5
46990c189f267e44f1927f68380102a7

SHA1
01eb9127bcda65186295003420683f3b4385659c

SHA256
323942be693446177d1e1f3686ccf142c31f812501a4b96aba2465c5291280cf

SHA512
3d1b342922f6fbb55aab224c705202d8607108ed459eb3dfecd7deece986f8818961c31930858f9576afeb9f7114cb64ad68d50768a9a61103be44d668d53296

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\c26d2845d2604bc24b29fa8e749db634676b1f81448c776f9c64791560730782.exe
MD5
4eb5d80cdb10e827692c029635f171a7

SHA1
46029f69ba21eea4d701d55480fee9b991f9c052

SHA256
5ded8a12139ad93d44491706f2f0124f532d0b43a136179604ae905e2d1ccb01

SHA512
051944536afbae0619ebe272e1b6379eab66ef3eedfd4f87dce4c22a6269e69a50523c445bbda7b7d2bc8aaa112d5704609731af87d51f2a15763d564575a464

Download Submit
memory/1284-54-0x0000000075B51000-0x0000000075B53000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads