neshta | cd6a8e6b17a1ecb5aafb24ef4f7ec0ba0be44508ea10dbde551e0037220571f8

Analysis

max time kernel
114s
max time network
143s
platform
windows7_x64
resource
win7-20220414-en
submitted
06-07-2022 16:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6410f4bc5d7a56d4af850984b05b149a.exe
Size

893KB
MD5

6410f4bc5d7a56d4af850984b05b149a
SHA1

07b105db29418af54a19426d7bd9959a16ad0575
SHA256

cd6a8e6b17a1ecb5aafb24ef4f7ec0ba0be44508ea10dbde551e0037220571f8
SHA512

fc0ab672676b206eb7eafd882fd5d56e3d0a64b6dad0862624fe34fb9085a1b59a67958c4d8cebc0154b940440ead70b6072658e7dac08b011c8124c4d3aa4c3

Score

10^/10

neshta redline ch discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

34.174.95.150:54865

Signatures

Detect Neshta Payload 23 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1892-60-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe	family_neshta
C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE	family_neshta
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe	family_neshta
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe	family_neshta
behavioral1/memory/1616-79-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	family_neshta
\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	family_neshta
C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE	family_neshta
behavioral1/memory/1892-100-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta
behavioral1/memory/1616-105-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta
behavioral1/memory/1892-113-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta
behavioral1/memory/1616-111-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

6410f4bc5d7a56d4af850984b05b149a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	6410f4bc5d7a56d4af850984b05b149a.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\JQZEKD.exe	family_redline
\Users\Admin\AppData\Local\Temp\JQZEKD.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\JQZEKD.exe	family_redline
behavioral1/memory/1428-75-0x0000000000210000-0x000000000022E000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

Processes:

6410f4bc5d7a56d4af850984b05b149a.exesvchost.comJQZEKD.exeWinapdate.exeWinapdate.exe

pid process

908 6410f4bc5d7a56d4af850984b05b149a.exe
1616 svchost.com
1428 JQZEKD.exe
1716 Winapdate.exe
1532 Winapdate.exe

pid	process
908	6410f4bc5d7a56d4af850984b05b149a.exe
1616	svchost.com
1428	JQZEKD.exe
1716	Winapdate.exe
1532	Winapdate.exe

Drops startup file 1 IoCs

Processes:

6410f4bc5d7a56d4af850984b05b149a.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DVNVGA.lnk	6410f4bc5d7a56d4af850984b05b149a.exe

Loads dropped DLL 7 IoCs

Processes:

6410f4bc5d7a56d4af850984b05b149a.exesvchost.com

pid	process
1892	6410f4bc5d7a56d4af850984b05b149a.exe
1616	svchost.com
1892	6410f4bc5d7a56d4af850984b05b149a.exe
1892	6410f4bc5d7a56d4af850984b05b149a.exe
1616	svchost.com
1616	svchost.com
1892	6410f4bc5d7a56d4af850984b05b149a.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 5 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/908-62-0x0000000000400000-0x00000000004B5000-memory.dmp	autoit_exe
behavioral1/memory/908-101-0x0000000000400000-0x00000000004B5000-memory.dmp	autoit_exe
behavioral1/memory/1716-109-0x0000000000400000-0x00000000004B5000-memory.dmp	autoit_exe
behavioral1/memory/1716-110-0x0000000000400000-0x00000000004B5000-memory.dmp	autoit_exe
behavioral1/memory/1532-117-0x0000000000400000-0x00000000004B5000-memory.dmp	autoit_exe

Drops file in Program Files directory 64 IoCs

Processes:

6410f4bc5d7a56d4af850984b05b149a.exesvchost.com

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	6410f4bc5d7a56d4af850984b05b149a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	6410f4bc5d7a56d4af850984b05b149a.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	6410f4bc5d7a56d4af850984b05b149a.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	6410f4bc5d7a56d4af850984b05b149a.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	6410f4bc5d7a56d4af850984b05b149a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	6410f4bc5d7a56d4af850984b05b149a.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	6410f4bc5d7a56d4af850984b05b149a.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	6410f4bc5d7a56d4af850984b05b149a.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	6410f4bc5d7a56d4af850984b05b149a.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	6410f4bc5d7a56d4af850984b05b149a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	6410f4bc5d7a56d4af850984b05b149a.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	6410f4bc5d7a56d4af850984b05b149a.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	6410f4bc5d7a56d4af850984b05b149a.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	6410f4bc5d7a56d4af850984b05b149a.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	6410f4bc5d7a56d4af850984b05b149a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	6410f4bc5d7a56d4af850984b05b149a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	6410f4bc5d7a56d4af850984b05b149a.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	6410f4bc5d7a56d4af850984b05b149a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	6410f4bc5d7a56d4af850984b05b149a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	6410f4bc5d7a56d4af850984b05b149a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	6410f4bc5d7a56d4af850984b05b149a.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	6410f4bc5d7a56d4af850984b05b149a.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	6410f4bc5d7a56d4af850984b05b149a.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	6410f4bc5d7a56d4af850984b05b149a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	6410f4bc5d7a56d4af850984b05b149a.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	6410f4bc5d7a56d4af850984b05b149a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	6410f4bc5d7a56d4af850984b05b149a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	6410f4bc5d7a56d4af850984b05b149a.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	6410f4bc5d7a56d4af850984b05b149a.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	6410f4bc5d7a56d4af850984b05b149a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	6410f4bc5d7a56d4af850984b05b149a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	6410f4bc5d7a56d4af850984b05b149a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	6410f4bc5d7a56d4af850984b05b149a.exe

Drops file in Windows directory 3 IoCs

Processes:

6410f4bc5d7a56d4af850984b05b149a.exesvchost.com

description	ioc	process
File opened for modification	C:\Windows\svchost.com	6410f4bc5d7a56d4af850984b05b149a.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1564 schtasks.exe

pid	process
1564	schtasks.exe

Modifies registry class 1 IoCs

Processes:

6410f4bc5d7a56d4af850984b05b149a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	6410f4bc5d7a56d4af850984b05b149a.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

6410f4bc5d7a56d4af850984b05b149a.exeJQZEKD.exe

pid process

908 6410f4bc5d7a56d4af850984b05b149a.exe
1428 JQZEKD.exe
1428 JQZEKD.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

6410f4bc5d7a56d4af850984b05b149a.exe

pid process

908 6410f4bc5d7a56d4af850984b05b149a.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

JQZEKD.exe

description pid process

Token: SeDebugPrivilege 1428 JQZEKD.exe

pid	process
908	6410f4bc5d7a56d4af850984b05b149a.exe
1428	JQZEKD.exe
1428	JQZEKD.exe

pid	process
908	6410f4bc5d7a56d4af850984b05b149a.exe

description	pid	process
Token: SeDebugPrivilege	1428	JQZEKD.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

6410f4bc5d7a56d4af850984b05b149a.exe6410f4bc5d7a56d4af850984b05b149a.exesvchost.comcmd.exetaskeng.exe

description	pid	process	target process
PID 1892 wrote to memory of 908	1892	6410f4bc5d7a56d4af850984b05b149a.exe	6410f4bc5d7a56d4af850984b05b149a.exe
PID 1892 wrote to memory of 908	1892	6410f4bc5d7a56d4af850984b05b149a.exe	6410f4bc5d7a56d4af850984b05b149a.exe
PID 1892 wrote to memory of 908	1892	6410f4bc5d7a56d4af850984b05b149a.exe	6410f4bc5d7a56d4af850984b05b149a.exe
PID 1892 wrote to memory of 908	1892	6410f4bc5d7a56d4af850984b05b149a.exe	6410f4bc5d7a56d4af850984b05b149a.exe
PID 908 wrote to memory of 1616	908	6410f4bc5d7a56d4af850984b05b149a.exe	svchost.com
PID 908 wrote to memory of 1616	908	6410f4bc5d7a56d4af850984b05b149a.exe	svchost.com
PID 908 wrote to memory of 1616	908	6410f4bc5d7a56d4af850984b05b149a.exe	svchost.com
PID 908 wrote to memory of 1616	908	6410f4bc5d7a56d4af850984b05b149a.exe	svchost.com
PID 1616 wrote to memory of 1428	1616	svchost.com	JQZEKD.exe
PID 1616 wrote to memory of 1428	1616	svchost.com	JQZEKD.exe
PID 1616 wrote to memory of 1428	1616	svchost.com	JQZEKD.exe
PID 1616 wrote to memory of 1428	1616	svchost.com	JQZEKD.exe
PID 908 wrote to memory of 552	908	6410f4bc5d7a56d4af850984b05b149a.exe	cmd.exe
PID 908 wrote to memory of 552	908	6410f4bc5d7a56d4af850984b05b149a.exe	cmd.exe
PID 908 wrote to memory of 552	908	6410f4bc5d7a56d4af850984b05b149a.exe	cmd.exe
PID 908 wrote to memory of 552	908	6410f4bc5d7a56d4af850984b05b149a.exe	cmd.exe
PID 552 wrote to memory of 1564	552	cmd.exe	schtasks.exe
PID 552 wrote to memory of 1564	552	cmd.exe	schtasks.exe
PID 552 wrote to memory of 1564	552	cmd.exe	schtasks.exe
PID 552 wrote to memory of 1564	552	cmd.exe	schtasks.exe
PID 1964 wrote to memory of 1716	1964	taskeng.exe	Winapdate.exe
PID 1964 wrote to memory of 1716	1964	taskeng.exe	Winapdate.exe
PID 1964 wrote to memory of 1716	1964	taskeng.exe	Winapdate.exe
PID 1964 wrote to memory of 1716	1964	taskeng.exe	Winapdate.exe
PID 1964 wrote to memory of 1532	1964	taskeng.exe	Winapdate.exe
PID 1964 wrote to memory of 1532	1964	taskeng.exe	Winapdate.exe
PID 1964 wrote to memory of 1532	1964	taskeng.exe	Winapdate.exe
PID 1964 wrote to memory of 1532	1964	taskeng.exe	Winapdate.exe

C:\Users\Admin\AppData\Local\Temp\6410f4bc5d7a56d4af850984b05b149a.exe
"C:\Users\Admin\AppData\Local\Temp\6410f4bc5d7a56d4af850984b05b149a.exe"
1⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1892

C:\Users\Admin\AppData\Local\Temp\3582-490\6410f4bc5d7a56d4af850984b05b149a.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\6410f4bc5d7a56d4af850984b05b149a.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\JQZEKD.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1616

C:\Users\Admin\AppData\Local\Temp\JQZEKD.exe
C:\Users\Admin\AppData\Local\Temp\JQZEKD.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /tn DVNVGA.exe /tr C:\Users\Admin\AppData\Roaming\Windata\Winapdate.exe /sc minute /mo 1
3⤵
- Suspicious use of WriteProcessMemory
PID:552

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn DVNVGA.exe /tr C:\Users\Admin\AppData\Roaming\Windata\Winapdate.exe /sc minute /mo 1
4⤵
- Creates scheduled task(s)
PID:1564

C:\Windows\system32\taskeng.exe
taskeng.exe {1CFF2AFD-BB80-406B-9F78-34C29162CBDD} S-1-5-21-790309383-526510583-3802439154-1000:TVHJCWMH\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1964

C:\Users\Admin\AppData\Roaming\Windata\Winapdate.exe
C:\Users\Admin\AppData\Roaming\Windata\Winapdate.exe
2⤵
- Executes dropped EXE
PID:1716

C:\Users\Admin\AppData\Roaming\Windata\Winapdate.exe
C:\Users\Admin\AppData\Roaming\Windata\Winapdate.exe
2⤵
- Executes dropped EXE
PID:1532

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Change Default File Association

T1042

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE
Filesize
859KB

MD5
9306f2a522a57b846007a08f1ca66f03

SHA1
df4ba0ea9393304bce52879d4b9344a0f1277d20

SHA256
0b3954c2f43c8c55e3d23bc7c97acf57022b9ced4360fe7d8660e77a1fbb3372

SHA512
dfc6336d1115a7337905341d0579700df3f821d4be340faa603a30668152e061818628e7544a2f0b4767c40baffe37554d040644dfd0d1da8ef3de0e25dd171b

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe
Filesize
547KB

MD5
e0f2257e0ad4b04429c932673ead4884

SHA1
352fcc1fe1019cd069ab52b409b31bbd0a08ea9a

SHA256
6e11a49479c1d2b35f15901b0700e307712338f343e1c03fcfe715946fab5969

SHA512
d77e790e63b1b2307df2ef0bb774bcbfa5cdc716764050dfa055a23449cffa5c6f61759b0819712f3e3be06037cbc3469082ba2b02af990017f28658f0103763

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe
Filesize
186KB

MD5
05137767de39f2bb28b365b2238f32e1

SHA1
5e62f303be2d32f16da8ebe555eb80491f7c0efb

SHA256
ca65573ff40bd61e73cf21f24a122de99e5face2ce75a2e0753f93e10cf6495b

SHA512
9f29611adeac506c6db62a47d82fe5891688cfffc7217ad1dd076fc88e54ea4b9291974b168922245f6c8e302f4e03a273bf0ac9942ac4d1cf6c5a6099b9f0be

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe
Filesize
1.1MB

MD5
98359abd5f26fc75169bafd6edcf00cd

SHA1
c0bdcc5b5f48c72275f84d6166a42519cc5f2028

SHA256
958bf8d76d4de0bbba6aadea0c4aff0ec7be9cc69ab9fa61cd29dcecbf3528fa

SHA512
573e374866e93b14cec6b5192ba45529a89c140d023ec0e471bad563fd6893cbef2a2fb0b106732f40fd4a2629869c8074b991539b05ade3d38f32aa26751fe2

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe
Filesize
381KB

MD5
155ddabff4b588dc081291f97214f8be

SHA1
5fe2febbd1e5b80c8d19c67aec26f49f2a1113ae

SHA256
9ce4515a150137df2238f91e6773f4e21633b8cb8850d5ff99789dddbc66ecd0

SHA512
f1b9df7bc1c9f28dcb2cb02bfc4378a99e70f221a4ef325159288d809ebbbb6ff4e6f1a1b26bd8fa455439061d42a616121c2b0fb9d547763f5434ee327189d1

Download Submit
C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE
Filesize
140KB

MD5
6ba35ec07ef4911434e11d1e959a72f9

SHA1
35516a9abc173ce4cfb7989e2cc2223ac6d774e7

SHA256
7f1d8b98a9934065efd42ff4c369e06c07c239218db75f4778cb4d1fe9920071

SHA512
3f157a3fa3f238abdc32312f109f7315f415b7119cc4c0462074e5f38053ae9c248f4ac60d114dc4b79b217d9b34bb23a4bb4bcc0c76af1c963929be578b74af

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
Filesize
899KB

MD5
b84faed0c9e75f93306cc48a90f608bc

SHA1
655881cac8213d11267a93b1bb2968e77ab2ddcf

SHA256
a6715e4c05fa396169ab6c3ab76835b6a9890439cbe30a2894aebfd940bb41b6

SHA512
22f6cb5c9fe8d022a9b3d811d7b59c4505802fdb8ad0bac83832627e74b02ea8a893b6fb1664afac36c4d88e47b7aacbfadf43c3ab234f902bf3ecc98f09480d

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE
Filesize
217KB

MD5
6a8ca93a4395e800e10a0804b38f66f7

SHA1
435a3e5978b057601fbcdf160d1a7677038c5aa8

SHA256
c3fb470259507741e479a6be5241fedf3736ba3fb8943059f599e348c3b9fbd4

SHA512
ccb3139c4ce4002c2fa781cbde368efe884d508e1d73d1f672bb73aab906f86b7f3b000a45380fcd5ede8bf7c78544f2d124b7dc8e356854275edc55f54aa7c9

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE
Filesize
526KB

MD5
c25581f2d043d4a74f82dbf3a4406bb5

SHA1
8d22de5d87fee4e1b372e0ad0b14e942ce5ff776

SHA256
23156554888470c52b73c360e232a5e020f77697e56b2a97004936c63c5d06f4

SHA512
70746ff9cb25eb26fc8991e9519a880cec86866a51e4ecd0fdbea5b362acaf06233514e972e37bac5c27636ffc4b34b38d7702449f266e8a796f54ec0fa2c579

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
Filesize
674KB

MD5
5cda6f3c41f3370ad8a43b9690d261e8

SHA1
27b58bb478117a580ec9b3488fdd6626273e24c3

SHA256
67ed6edaadf8f5a2b72b19319803c226313c7491f21ef0cc3bd8dbdace2dc67d

SHA512
01e3052ceb05ad0684121f11ce19be53dd44f42f384c6b9d67508ea6eb302f33d694f2b1d7f501ed62c72a2f84d7f579442493e4c9bc2611d6c3d619c761b917

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE
Filesize
715KB

MD5
6b82bd5a01751e777487eb2dc7ca334d

SHA1
9cf5d06a59b300c54126365207d6699abd984cdd

SHA256
32bd6e4fe6994223a8e7b70648b2b1b3244f85f7b39036681917cd96ba33d885

SHA512
fe8359b72fef0e85bdeaeb69fda7c5ee6be3457b9dda93eead4ed1d8116165d75b4af7090d123d2ee9d3a08ca35b8d4c5dbf26e7e889cbce6fb24fc68f7d3e90

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE
Filesize
495KB

MD5
54c125d0c9164404e835761e007c3ee9

SHA1
c8b5cbd0fffe547863d31ae7ace346906a2ecc9d

SHA256
846d27eced684797b7bb0a2491a392f5912047e0352ee177cbddc517a4f1e59b

SHA512
47bd217246f2a999865687ee427e97834bf6a688566da4e87d78d5f2f5488e6fe61f1a5587442b1bc413c92966ecfe779700098373afa6e76f044164466ba0be

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE
Filesize
525KB

MD5
86e6e49fb5f5f1270210c74a41bacaa3

SHA1
2bb13c80c51dcfb69a8ddab3db45fbaedae870a0

SHA256
95359bd7221f613cc91b35c61c47858194bf153c4a8fcae3e5b767155c0e0693

SHA512
05f6bc19106f2beb7ff2ef630c469051e779b8cc159485f6e8c00229bb365b36e8bf6c8ce6e827192c4b4a6b7bf31ae9c2244405d4e00aa7d14e8e4c31474f55

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
Filesize
536KB

MD5
e7a986196d31d84b78cc38e28e5faafb

SHA1
06e4310b059cdd6408ac4412cfe867c8ce8f1532

SHA256
50e6733d2e56e63025fe7cbbf023989e44e4d530d1f18813179a1f911000434f

SHA512
28fa1d93c0204b8a46ca9ee29d2856fbf147479fce329c8be01e5238bc96c6ac2cfa4a24568e34f77992922bcfb63e2c7435ecaf7aa989c4ea53c201882dc292

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\6410f4bc5d7a56d4af850984b05b149a.exe
Filesize
853KB

MD5
6edd0d0093eceb0c664d8d2d056dfc37

SHA1
d90eb85f7a1808bcd2e5d16f07f3a1a3d0671511

SHA256
78d88a6ac29625636a7433e358459a8cdfb837c853f6a149ceea102e707997f3

SHA512
ba265d94d004060d5cece24e3482fe6bc8ed6687534d66bc71102e6070a7482ed47941e3c1a5414f4b80577b0c955e70eec7ecc708e1aaf51983fe94bb6a84a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\6410f4bc5d7a56d4af850984b05b149a.exe
Filesize
853KB

MD5
6edd0d0093eceb0c664d8d2d056dfc37

SHA1
d90eb85f7a1808bcd2e5d16f07f3a1a3d0671511

SHA256
78d88a6ac29625636a7433e358459a8cdfb837c853f6a149ceea102e707997f3

SHA512
ba265d94d004060d5cece24e3482fe6bc8ed6687534d66bc71102e6070a7482ed47941e3c1a5414f4b80577b0c955e70eec7ecc708e1aaf51983fe94bb6a84a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\JQZEKD.exe
Filesize
95KB

MD5
d877084a8dfac263311f160627966553

SHA1
83e83a6efd55c6e93ac3802b384a3273a62c541c

SHA256
50e2444e832e4c3ed711fcf27c038967c2c5f5037a4e0ea2cc6d53ef6ac54cfb

SHA512
99aca3e887d449edebec23078b747304bda9eebe05fb006aeba3e101fd1e1dcabdb5b52ebe72ec976f5598de6396c454c245f711ff5dd5aabc4d9deda4ac132c

Download Submit
C:\Users\Admin\AppData\Local\Temp\JQZEKD.exe
Filesize
95KB

MD5
d877084a8dfac263311f160627966553

SHA1
83e83a6efd55c6e93ac3802b384a3273a62c541c

SHA256
50e2444e832e4c3ed711fcf27c038967c2c5f5037a4e0ea2cc6d53ef6ac54cfb

SHA512
99aca3e887d449edebec23078b747304bda9eebe05fb006aeba3e101fd1e1dcabdb5b52ebe72ec976f5598de6396c454c245f711ff5dd5aabc4d9deda4ac132c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp
Filesize
8B

MD5
ccbd6dbf724e4a6b759734ea532938f8

SHA1
1c9ea336f0e571585fdf7a9290b8d7c464aa1721

SHA256
6fbc13cfb1f02d554f388922c2841d3c94763292e3d9b5af7037e06028c867db

SHA512
00972c6fe3e61104fb4d3293b29050daf85c5a2727bf938ab29dcd000213bcc85c34d9d60db809c8f9e284f4cd2e2385887e22800ea945285acb439c619b1554

Download Submit
C:\Users\Admin\AppData\Roaming\Windata\WINAPD~1.EXE
Filesize
853KB

MD5
6edd0d0093eceb0c664d8d2d056dfc37

SHA1
d90eb85f7a1808bcd2e5d16f07f3a1a3d0671511

SHA256
78d88a6ac29625636a7433e358459a8cdfb837c853f6a149ceea102e707997f3

SHA512
ba265d94d004060d5cece24e3482fe6bc8ed6687534d66bc71102e6070a7482ed47941e3c1a5414f4b80577b0c955e70eec7ecc708e1aaf51983fe94bb6a84a4

Download Submit
C:\Users\Admin\AppData\Roaming\Windata\Winapdate.exe
Filesize
853KB

MD5
6edd0d0093eceb0c664d8d2d056dfc37

SHA1
d90eb85f7a1808bcd2e5d16f07f3a1a3d0671511

SHA256
78d88a6ac29625636a7433e358459a8cdfb837c853f6a149ceea102e707997f3

SHA512
ba265d94d004060d5cece24e3482fe6bc8ed6687534d66bc71102e6070a7482ed47941e3c1a5414f4b80577b0c955e70eec7ecc708e1aaf51983fe94bb6a84a4

Download Submit
C:\Users\Admin\AppData\Roaming\Windata\Winapdate.exe
Filesize
853KB

MD5
6edd0d0093eceb0c664d8d2d056dfc37

SHA1
d90eb85f7a1808bcd2e5d16f07f3a1a3d0671511

SHA256
78d88a6ac29625636a7433e358459a8cdfb837c853f6a149ceea102e707997f3

SHA512
ba265d94d004060d5cece24e3482fe6bc8ed6687534d66bc71102e6070a7482ed47941e3c1a5414f4b80577b0c955e70eec7ecc708e1aaf51983fe94bb6a84a4

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
ef9a5c94e2a1773d86f27f059b5fe171

SHA1
baaa99352dc805ef41910aeda652f2cc99109ae4

SHA256
8f60ddfdd377b93ce1568508678857a8dc52da96cc4aeafc327695745cdd19b9

SHA512
bd14a8756693d88830705ad3d1b73b4feced7496e2b9dae68096ce625bfcc36e59372d7309abbd57316147799ea891545d2dc07e79a217811de06798a526685c

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
ef9a5c94e2a1773d86f27f059b5fe171

SHA1
baaa99352dc805ef41910aeda652f2cc99109ae4

SHA256
8f60ddfdd377b93ce1568508678857a8dc52da96cc4aeafc327695745cdd19b9

SHA512
bd14a8756693d88830705ad3d1b73b4feced7496e2b9dae68096ce625bfcc36e59372d7309abbd57316147799ea891545d2dc07e79a217811de06798a526685c

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe
Filesize
381KB

MD5
155ddabff4b588dc081291f97214f8be

SHA1
5fe2febbd1e5b80c8d19c67aec26f49f2a1113ae

SHA256
9ce4515a150137df2238f91e6773f4e21633b8cb8850d5ff99789dddbc66ecd0

SHA512
f1b9df7bc1c9f28dcb2cb02bfc4378a99e70f221a4ef325159288d809ebbbb6ff4e6f1a1b26bd8fa455439061d42a616121c2b0fb9d547763f5434ee327189d1

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\6410f4bc5d7a56d4af850984b05b149a.exe
Filesize
853KB

MD5
6edd0d0093eceb0c664d8d2d056dfc37

SHA1
d90eb85f7a1808bcd2e5d16f07f3a1a3d0671511

SHA256
78d88a6ac29625636a7433e358459a8cdfb837c853f6a149ceea102e707997f3

SHA512
ba265d94d004060d5cece24e3482fe6bc8ed6687534d66bc71102e6070a7482ed47941e3c1a5414f4b80577b0c955e70eec7ecc708e1aaf51983fe94bb6a84a4

Download Submit
\Users\Admin\AppData\Local\Temp\JQZEKD.exe
Filesize
95KB

MD5
d877084a8dfac263311f160627966553

SHA1
83e83a6efd55c6e93ac3802b384a3273a62c541c

SHA256
50e2444e832e4c3ed711fcf27c038967c2c5f5037a4e0ea2cc6d53ef6ac54cfb

SHA512
99aca3e887d449edebec23078b747304bda9eebe05fb006aeba3e101fd1e1dcabdb5b52ebe72ec976f5598de6396c454c245f711ff5dd5aabc4d9deda4ac132c

Download Submit
\Users\Admin\AppData\Roaming\Windata\Winapdate.exe
Filesize
853KB

MD5
6edd0d0093eceb0c664d8d2d056dfc37

SHA1
d90eb85f7a1808bcd2e5d16f07f3a1a3d0671511

SHA256
78d88a6ac29625636a7433e358459a8cdfb837c853f6a149ceea102e707997f3

SHA512
ba265d94d004060d5cece24e3482fe6bc8ed6687534d66bc71102e6070a7482ed47941e3c1a5414f4b80577b0c955e70eec7ecc708e1aaf51983fe94bb6a84a4

Download Submit
\Users\Admin\AppData\Roaming\Windata\Winapdate.exe
Filesize
853KB

MD5
6edd0d0093eceb0c664d8d2d056dfc37

SHA1
d90eb85f7a1808bcd2e5d16f07f3a1a3d0671511

SHA256
78d88a6ac29625636a7433e358459a8cdfb837c853f6a149ceea102e707997f3

SHA512
ba265d94d004060d5cece24e3482fe6bc8ed6687534d66bc71102e6070a7482ed47941e3c1a5414f4b80577b0c955e70eec7ecc708e1aaf51983fe94bb6a84a4

Download Submit
memory/552-80-0x0000000000000000-mapping.dmp

Download
memory/908-77-0x00000000032E0000-0x000000000330B000-memory.dmp

Filesize
172KB

Download
memory/908-102-0x00000000032E0000-0x000000000330B000-memory.dmp

Filesize
172KB

Download
memory/908-56-0x0000000000000000-mapping.dmp

Download
memory/908-104-0x00000000032F0000-0x000000000331B000-memory.dmp

Filesize
172KB

Download
memory/908-103-0x00000000032E0000-0x000000000330B000-memory.dmp

Filesize
172KB

Download
memory/908-78-0x00000000032F0000-0x000000000331B000-memory.dmp

Filesize
172KB

Download
memory/908-62-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/908-76-0x00000000032E0000-0x000000000330B000-memory.dmp

Filesize
172KB

Download
memory/908-101-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1428-75-0x0000000000210000-0x000000000022E000-memory.dmp

Filesize
120KB

Download
memory/1428-69-0x0000000000000000-mapping.dmp

Download
memory/1532-117-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1532-114-0x0000000000000000-mapping.dmp

Download
memory/1564-81-0x0000000000000000-mapping.dmp

Download
memory/1616-64-0x0000000000000000-mapping.dmp

Download
memory/1616-79-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1616-105-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1616-111-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1716-110-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1716-107-0x0000000000000000-mapping.dmp

Download
memory/1716-109-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1892-54-0x00000000753E1000-0x00000000753E3000-memory.dmp

Filesize
8KB

Download
memory/1892-113-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1892-90-0x0000000002600000-0x000000000262B000-memory.dmp

Filesize
172KB

Download
memory/1892-106-0x0000000002600000-0x000000000262B000-memory.dmp

Filesize
172KB

Download
memory/1892-60-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1892-100-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1892-61-0x0000000002600000-0x00000000026B5000-memory.dmp

Filesize
724KB

Download