neshta | a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514

Analysis

max time kernel
151s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
Size

261KB
MD5

0063bb0a460508738af4af2f11fdf880
SHA1

9b3a753a220d631c3333fefcf63ef8ffe8b29edd
SHA256

a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514
SHA512

0c82c75d4f1def4deaa6ff8ef3fc44b217070b4daa616999f06928c2678fb95f04a4a4119148fa4408ad5d25b2d9b8d9df9af85787cac4504b9472a1db6e78e6
SSDEEP

6144:k9Lrgq6hbWjq/zbu6OKdCQ3mkxxNc56ud8csg06n21XDalEdi:SrCNvoB2zudA/GWdi

Score

10^/10

neshta adware persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 35 IoCs

Processes:

resource	yara_rule
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe	family_neshta
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe	family_neshta
C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE	family_neshta
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe	family_neshta
C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	family_neshta
C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	family_neshta
\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	family_neshta
\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	family_neshta
\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	family_neshta
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	family_neshta
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	family_neshta
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	family_neshta
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 2 IoCs

Processes:

a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exesvchost.com

pid process

1296 a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
564 svchost.com

Loads dropped DLL 10 IoCs

Processes:

a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exesvchost.comregasm.exe

pid	process
2016	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
564	svchost.com
2016	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
2016	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
1088	regasm.exe
1088	regasm.exe
1088	regasm.exe
1088	regasm.exe
2016	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
2016	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regasm.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{40aef60b-a6f8-4389-9003-a683dd75b850}	regasm.exe

Drops file in Program Files directory 64 IoCs

Processes:

svchost.coma91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe

Drops file in Windows directory 3 IoCs

Processes:

svchost.coma91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe

description	ioc	process
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
File opened for modification	C:\Windows\directx.sys	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 23 IoCs

Processes:

regasm.exea91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40AEF60B-A6F8-4389-9003-A683DD75B850}\InprocServer32\ = "mscoree.dll"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40AEF60B-A6F8-4389-9003-A683DD75B850}\InprocServer32\Class = "ie2.BHO"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40AEF60B-A6F8-4389-9003-A683DD75B850}\InprocServer32\Assembly = "ie2, Version=1.0.0.0, Culture=neutral, PublicKeyToken=8e4675c62620fdea"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40AEF60B-A6F8-4389-9003-A683DD75B850}\InprocServer32\1.0.0.0\RuntimeVersion = "v4.0.30319"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40AEF60B-A6F8-4389-9003-A683DD75B850}\Implemented Categories	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Internet Helper	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Internet Helper\ = "ie2.BHO"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40AEF60B-A6F8-4389-9003-A683DD75B850}\InprocServer32	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40AEF60B-A6F8-4389-9003-A683DD75B850}\InprocServer32\ThreadingModel = "Both"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40AEF60B-A6F8-4389-9003-A683DD75B850}\InprocServer32\1.0.0.0	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40AEF60B-A6F8-4389-9003-A683DD75B850}\InprocServer32\1.0.0.0\Assembly = "ie2, Version=1.0.0.0, Culture=neutral, PublicKeyToken=8e4675c62620fdea"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40AEF60B-A6F8-4389-9003-A683DD75B850}\InprocServer32\1.0.0.0\CodeBase = "file:///C:/Users/Admin/AppData/Roaming/Founder Systems/ie2.DLL"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40AEF60B-A6F8-4389-9003-A683DD75B850}\ProgId	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40AEF60B-A6F8-4389-9003-A683DD75B850}\ = "ie2.BHO"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40AEF60B-A6F8-4389-9003-A683DD75B850}\ProgId\ = "Internet Helper"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40AEF60B-A6F8-4389-9003-A683DD75B850}\InprocServer32\RuntimeVersion = "v4.0.30319"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40AEF60B-A6F8-4389-9003-A683DD75B850}\InprocServer32\CodeBase = "file:///C:/Users/Admin/AppData/Roaming/Founder Systems/ie2.DLL"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40AEF60B-A6F8-4389-9003-A683DD75B850}\InprocServer32\1.0.0.0\Class = "ie2.BHO"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40AEF60B-A6F8-4389-9003-A683DD75B850}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29}	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Internet Helper\CLSID\ = "{40AEF60B-A6F8-4389-9003-A683DD75B850}"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40AEF60B-A6F8-4389-9003-A683DD75B850}	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Internet Helper\CLSID	regasm.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe

pid	process
1296	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
1296	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
1296	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
1296	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
1296	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
1296	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
1296	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
1296	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
1296	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
1296	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
1296	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe

description pid process

Token: SeDebugPrivilege 1296 a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe

description	pid	process
Token: SeDebugPrivilege	1296	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exea91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exesvchost.com

description	pid	process	target process
PID 2016 wrote to memory of 1296	2016	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
PID 2016 wrote to memory of 1296	2016	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
PID 2016 wrote to memory of 1296	2016	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
PID 2016 wrote to memory of 1296	2016	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
PID 1296 wrote to memory of 564	1296	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe	svchost.com
PID 1296 wrote to memory of 564	1296	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe	svchost.com
PID 1296 wrote to memory of 564	1296	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe	svchost.com
PID 1296 wrote to memory of 564	1296	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe	svchost.com
PID 564 wrote to memory of 1476	564	svchost.com	cacls.exe
PID 564 wrote to memory of 1476	564	svchost.com	cacls.exe
PID 564 wrote to memory of 1476	564	svchost.com	cacls.exe
PID 564 wrote to memory of 1476	564	svchost.com	cacls.exe
PID 1296 wrote to memory of 1088	1296	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe	regasm.exe
PID 1296 wrote to memory of 1088	1296	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe	regasm.exe
PID 1296 wrote to memory of 1088	1296	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe	regasm.exe
PID 1296 wrote to memory of 1088	1296	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe	regasm.exe
PID 1296 wrote to memory of 1088	1296	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe	regasm.exe
PID 1296 wrote to memory of 1088	1296	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe	regasm.exe
PID 1296 wrote to memory of 1088	1296	a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe	regasm.exe

C:\Users\Admin\AppData\Local\Temp\a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
"C:\Users\Admin\AppData\Local\Temp\a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe"
1⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Local\Temp\3582-490\a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" /silent /codebase "C:\Users\Admin\AppData\Roaming\Founder Systems\ie2.dll"
3⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies registry class
PID:1088

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\cacls.exe" C:\Windows\System32\GroupPolicy /t /e /g Everyone:f
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:564

C:\Windows\SysWOW64\cacls.exe
C:\Windows\System32\cacls.exe C:\Windows\System32\GroupPolicy /t /e /g Everyone:f
4⤵
PID:1476

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE
Filesize
859KB

MD5
02ee6a3424782531461fb2f10713d3c1

SHA1
b581a2c365d93ebb629e8363fd9f69afc673123f

SHA256
ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc

SHA512
6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe
Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe
Filesize
186KB

MD5
58b58875a50a0d8b5e7be7d6ac685164

SHA1
1e0b89c1b2585c76e758e9141b846ed4477b0662

SHA256
2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae

SHA512
d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe
Filesize
1.1MB

MD5
566ed4f62fdc96f175afedd811fa0370

SHA1
d4b47adc40e0d5a9391d3f6f2942d1889dd2a451

SHA256
e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460

SHA512
cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE
Filesize
610KB

MD5
41b87061bb3a2ffc31e3f74b3d575328

SHA1
579039f93ea8dd62986253f0d9f3ed3cc0e6deec

SHA256
3a36c66c1aa202ce5d2bdf617d4dae08774faf51ed51020391d06347c9f56b14

SHA512
54284e62251317d24cad368425786b0a63dbce8a978c1713ef00e1c0d78eea00d98b3c8a6acb9c868f326e4e331583282e402e5f829a3426f12ce49444e9268a

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe
Filesize
137KB

MD5
e1833678885f02b5e3cf1b3953456557

SHA1
c197e763500002bc76a8d503933f1f6082a8507a

SHA256
bd9a16d8d7590a2ec827913db5173f8beb1d1ef44dab1920ef52a307f922bc14

SHA512
fe107e1c8631ec6ac94f772e6a7be1fdc2a533fe3cfcf36b1ff018c8d01bd7f1f818f0a2448f736838c953cd516ea7327c416dea20706ed2420327af8ef01abe

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE
Filesize
178KB

MD5
22913149a9d766c415c21e613e4e1d1b

SHA1
36b33b1ab48615ebe7bd25472d50ba3de56a21c6

SHA256
495ac0a638059cb60b2eebf3ac5e8fd17d5fbc7424195308f19e2ffeac3e0ced

SHA512
d9e5396bb24e3ad7ba31b45e8e1bfeb74c32895ab3af6544715c5db04da0442fafd82b06c49a920d964cf0a8fac7a58ccef4a173f1a5879c6733748edc180b14

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE
Filesize
292KB

MD5
a6e53bba7581f77c0a0624b82caff875

SHA1
a53cce0d23e2cae98a15c67791cf573faecb7b94

SHA256
c8c9eebf6dadaa6d433bec14a9b9aa521b3b7ecdd74df542aa2cee9cd5f0725b

SHA512
8a1b5f6b47186611dcfc3ed8b84a76c4d0a099ae24bfdb906b128f1f288a92cacfaf36610579fe26743c2943615f89954bb23937f88e744c6af53eda74e8f92e

Download Submit
C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE
Filesize
109KB

MD5
44623cc33b1bd689381de8fe6bcd90d1

SHA1
187d4f8795c6f87dd402802723e4611bf1d8089e

SHA256
380154eab37e79ed26a7142b773b8a8df6627c64c99a434d5a849b18d34805ba

SHA512
19002885176caceb235da69ee5af07a92b18dac0fb8bb177f2c1e7413f6606b1666e0ea20f5b95b4fa3d82a3793b1dbe4a430f6f84a991686b024c4e11606082

Download Submit
C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE
Filesize
741KB

MD5
5d2fd8de43da81187b030d6357ab75ce

SHA1
327122ef6afaffc61a86193fbe3d1cbabb75407e

SHA256
4d117648525a468532da011f0fc051e49bf472bbcb3e9c4696955bd398b9205f

SHA512
9f7470978346746b4e3366f9a6b277aa747cc45f13d36886fc16303221565d23348195b72ac25f7b1711789cd7cb925d7ceea91e384ef4f904a4e49b4e06d9b2

Download Submit
C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE
Filesize
392KB

MD5
25b9301a6557a958b0a64752342be27d

SHA1
0887e1a9389a711ef8b82da8e53d9a03901edebc

SHA256
5d916f7c7f6cb6cfd7545a57cb9c9d9c6df16af3517298c346901081a9135303

SHA512
985f6b2fcac2f0425a1a339a55616012879a393caa747412d04c1ee4de3b12aff2cc051860066d84ecbeae335eaa5116ccb8a02090a2674eded367378c56b1ab

Download Submit
C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE
Filesize
726KB

MD5
c3ee902099b98a299b1a215aba1b27bb

SHA1
602b023806464db25f5f8e4ffc157cc7d7e9886b

SHA256
e657a9f85af7cb5ded734e162db514e466256a83d51f4454abbf19c54b30686f

SHA512
3538548c99f266404395ce9bdcadb542171799865ac5feddce936305ff2b09ecb939bed60d1e7011a39ca8548af39f9b4ee723b15674a1df54404270fc5afc9f

Download Submit
C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE
Filesize
144KB

MD5
a2dddf04b395f8a08f12001318cc72a4

SHA1
1bd72e6e9230d94f07297c6fcde3d7f752563198

SHA256
b35e60f1551870c1281d673380fe3101cd91b1f0b4d3c14c2383060f5e120373

SHA512
2159df98d90467720b738be68bee5aba38980d2449c18d2ea4b7b9bae7d222b4a85845d0f9597017d0ee417964190bc3d95cb4809e33aac16b6cfa6ec200dce3

Download Submit
C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE
Filesize
127KB

MD5
154b891ad580307b09612e413a0e65ac

SHA1
fc900c7853261253b6e9f86335ea8d8ad10c1c60

SHA256
8a3598c889dbcb1dca548a6193517ed7becb74c780003203697a2db22222a483

SHA512
39bf032033b445fc5f450abec298ea3f71cadecfeafc624f2eb1f9a1d343a272181a874b46b58bb18168f2f14d498c3b917c3392d4c724fe4e5ae749113c2ad6

Download Submit
C:\PROGRA~2\MICROS~1\Office14\OIS.EXE
Filesize
308KB

MD5
4545e2b5fa4062259d5ddd56ecbbd386

SHA1
c021dc8488a73bd364cb98758559fe7ba1337263

SHA256
318f1f3fbdd1cf17c176cb68b4bc2cf899338186161a16a1adc29426114fb4f8

SHA512
cf07436e0219ca5868e11046f2a497583066a9cf68262e7cca22daad72aded665ac66afea8db76182c172041c45fcef1628ea6852751c4bf97969c9af6cfefa1

Download Submit
C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE
Filesize
1.6MB

MD5
08ee3d1a6a5ed48057783b0771abbbea

SHA1
ebf911c5899f611b490e2792695924df1c69117d

SHA256
3f6decd82b72a5ba1ee224b52d9fbd6486be22a0b855e28eaad47ae92df266f0

SHA512
1711d023c60d4b047d553a654797bc3a2eecd951b310698c1a2c549e136c33f55e0fc1167a4a38f793b7796f7cfc3fb30017935127b147a21da2812eb38faac5

Download Submit
C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE
Filesize
262KB

MD5
2d1b4a44f1f9046d9d28e7e70253b31d

SHA1
6ab152d17c2e8a169956f3a61ea13460d495d55e

SHA256
d1d73220342ff51a1514d2354654c6fcaedc9a963cb3e0a7e5b0858cfc5c5c7d

SHA512
dd8f5e343417a3e131b3362f1aecaf9ce0f8a55c9f90aa3b7e55b6ddb6c5f4e06b3e76a7f4481fa13e2f325ab2490553f6977178acf7c486c7315755c05fc7c3

Download Submit
C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE
Filesize
549KB

MD5
61631e66dbe2694a93e5dc936dd273be

SHA1
b1838b8ca92fa5ca89e1108ceb2630a6ecd2b8c2

SHA256
5811b7b694d99c703b4c4bc72d6b7d846d05b2b0f45a7e3e4279cdb6fd81265f

SHA512
323463c267ccdb701d5967198f4f72158056f5a6e889c47bf19d1a670233ab071a5fe8c108430beb67753b77af1c59028007101a8e1266618fe91fa0127b4dcf

Download Submit
C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE
Filesize
606KB

MD5
9b1c9f74ac985eab6f8e5b27441a757b

SHA1
9a2cf7d2518c5f5db405e5bd8d37bf62dcaf34f5

SHA256
2a189b995a7283b503bb5864dd9ca57976b3812a6a34aaf89a7551336c43bc24

SHA512
d72e83aeaf1d34627a6c6aa469821af8a8d464a72c764fbb064484adea509a8c1d3628e2166859286e84daae8ebdf4f800693ce203984a8c313b1f2263e101c4

Download Submit
C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE
Filesize
1.4MB

MD5
5ae9c0c497949584ffa06f028a6605ab

SHA1
eb24dbd3c8952ee20411691326d650f98d24e992

SHA256
07dd9364be7babc5f9a08f0ccd828a9a55137845df1782b147f12943f234ea4e

SHA512
2e99bb500c281c367cc54fa283905b2537905ea4fe8986f676adbb1aaf58460dd2db082bb46a3dbe9dc836fbae3ee8832990839432dd99c74de58cc9b9295788

Download Submit
C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE
Filesize
1.8MB

MD5
fc87e701e7aab07cd97897512ab33660

SHA1
65dcd8e5715f2e4973fb6b271ffcb4af9cefae53

SHA256
bb1814297615d6b22fa20ee4f8613c8bc9fa67d93cb7fe032f46f377569e2f46

SHA512
b03e3b3f7b0f11b85757d8bf5678542f4281407e95cf8e074da4ddc421c217fcfaf23cc927ccd0bbca2891a424b2d3565072aba6406dc46c2fa1fdba7a249eec

Download Submit
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
Filesize
129KB

MD5
e7d2d4bedb99f13e7be8338171e56dbf

SHA1
8dafd75ae2c13d99e5ef8c0e9362a445536c31b5

SHA256
c8ef54853df3a3b64aa4b1ecfb91615d616c7ff998589e5a3434118611ad2a24

SHA512
2017dea799cc03b02a17e3616fb6fbe8c86ab2450b1aaf147fce1e67cc472ded12befd686d395386ffdaa992145996eb421d61d3a922cea45e94ac40eef76adc

Download Submit
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
Filesize
536KB

MD5
bcb5db16e576464d3d8d93e1907bf946

SHA1
b10f3c3dc4baef4655ae2c30543be9d3c40b9781

SHA256
24c9b3b4cf5e45a56c90d7fd112b05f07dd89cf96e98729beb2f6081fca758c0

SHA512
c36339b06a00938c8a63ba4d54a766dc3ca3d1e34d69e9b4b2bfa9ca79c5c65d07f216f84af2b60be0c9cbdccadc5c271018efed52def8bd778dc01743d61229

Download Submit
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
Filesize
525KB

MD5
0d9146d70ac6a41ead1ea2d50d729508

SHA1
b9e6ff83a26aaf105640f5d5cdab213c989dc370

SHA256
0b876ddeefd88d5e98de7e409c5b6546ba8ffa195c168f9a4b6ba33b44d437ab

SHA512
c9394decfd469bfedd883095d604e11208aa290334ff5c0dce852f2ca74fba27c37ba2984dab8b27430e573681e22c9f903e53b01510a4b77d337cbd92c56cb3

Download Submit
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
Filesize
495KB

MD5
07e194ce831b1846111eb6c8b176c86e

SHA1
b9c83ec3b0949cb661878fb1a8b43a073e15baf1

SHA256
d882f673ddf40a7ea6d89ce25e4ee55d94a5ef0b5403aa8d86656fd960d0e4ac

SHA512
55f9b6d3199aa60d836b6792ae55731236fb2a99c79ce8522e07e579c64eabb88fa413c02632deb87a361dd8490361aa1424beed2e01ba28be220f8c676a1bb5

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE
Filesize
485KB

MD5
86749cd13537a694795be5d87ef7106d

SHA1
538030845680a8be8219618daee29e368dc1e06c

SHA256
8c35dcc975a5c7c687686a3970306452476d17a89787bc5bd3bf21b9de0d36a5

SHA512
7b6ae20515fb6b13701df422cbb0844d26c8a98087b2758427781f0bf11eb9ec5da029096e42960bf99ddd3d4f817db6e29ac172039110df6ea92547d331db4c

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
Filesize
714KB

MD5
3c86c25a76c1413747ae8851bead4bac

SHA1
9342be761a661f51d85fd49fa9b75818aa0c4851

SHA256
b7ff698e4395c9e682027bc710a529139dcc602d97e374fc294bcf5198073493

SHA512
e70376561100d6a4769bc91e4daa3c224ed39f8412391a5ee9b9cae83d08dd2229a25f9099f5336810a757d95b6e81faa30608f35d8761b1c4cc0f41313cb43f

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE
Filesize
674KB

MD5
9c10a5ec52c145d340df7eafdb69c478

SHA1
57f3d99e41d123ad5f185fc21454367a7285db42

SHA256
ccf37e88447a7afdb0ba4351b8c5606dbb05b984fb133194d71bcc00d7be4e36

SHA512
2704cfd1a708bfca6db7c52467d3abf0b09313db0cdd1ea8e5d48504c8240c4bf24e677f17c5df9e3ac1f6a678e0328e73e951dc4481f35027cb03b2966dc38f

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE
Filesize
536KB

MD5
bcb5db16e576464d3d8d93e1907bf946

SHA1
b10f3c3dc4baef4655ae2c30543be9d3c40b9781

SHA256
24c9b3b4cf5e45a56c90d7fd112b05f07dd89cf96e98729beb2f6081fca758c0

SHA512
c36339b06a00938c8a63ba4d54a766dc3ca3d1e34d69e9b4b2bfa9ca79c5c65d07f216f84af2b60be0c9cbdccadc5c271018efed52def8bd778dc01743d61229

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE
Filesize
525KB

MD5
72f0402b1b4c9d952e3d1163a6e7d9c6

SHA1
948951f556fc1717617aa9b652a10b4d03823f23

SHA256
51b384d4ffbaba25d64e832a8744eca9b1dc633ff05176bda8a506cbc3ede4d1

SHA512
99bba188b9bb431be82200325c0d2d1167b82d360902b279e26d21e47c1c1365ae274439171662fc3532915fb54354c0a0b89a0b303e433dad9d4e7c3f32b2b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
Filesize
221KB

MD5
78fd3c836cedce62224ddde7915a8bef

SHA1
f7048bbcb528f1370dd1b492e4f03c0d815b4ef4

SHA256
b0e03deeb9c303b1ec3725db1a8b6a82910cbd1aebab8289287fc9a49d8c2e7b

SHA512
ac95bd2714d62733c8426ad17ceaac796a40c50c657d01ae3e20f13d4cab3c956cd35d82b82c4ecc1ed693f4bc0ffdc902de883a96e50be63a1be37d3302f8d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
Filesize
221KB

MD5
78fd3c836cedce62224ddde7915a8bef

SHA1
f7048bbcb528f1370dd1b492e4f03c0d815b4ef4

SHA256
b0e03deeb9c303b1ec3725db1a8b6a82910cbd1aebab8289287fc9a49d8c2e7b

SHA512
ac95bd2714d62733c8426ad17ceaac796a40c50c657d01ae3e20f13d4cab3c956cd35d82b82c4ecc1ed693f4bc0ffdc902de883a96e50be63a1be37d3302f8d1

Download Submit
C:\Users\Admin\AppData\Roaming\Founder Systems\ie2.dll
Filesize
17KB

MD5
08ce6457e0dad32ec2b95b85d8d12768

SHA1
b51ec32c5bbdfbd5b154f2d83a168e41f1691025

SHA256
1441a82b4a990a11d2374b028f91c9ddddc0d43f9359924d0d0cfdc3f7755140

SHA512
f531243975bc1d4f52a4aceff34973b803a9d2e41114d69f131e81f67cc112ea7cc6b8c2b7f107234e66811f67d66b49c59f9c6ab8b708ceda2133702cd12307

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe
Filesize
137KB

MD5
e1833678885f02b5e3cf1b3953456557

SHA1
c197e763500002bc76a8d503933f1f6082a8507a

SHA256
bd9a16d8d7590a2ec827913db5173f8beb1d1ef44dab1920ef52a307f922bc14

SHA512
fe107e1c8631ec6ac94f772e6a7be1fdc2a533fe3cfcf36b1ff018c8d01bd7f1f818f0a2448f736838c953cd516ea7327c416dea20706ed2420327af8ef01abe

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE
Filesize
1.6MB

MD5
08ee3d1a6a5ed48057783b0771abbbea

SHA1
ebf911c5899f611b490e2792695924df1c69117d

SHA256
3f6decd82b72a5ba1ee224b52d9fbd6486be22a0b855e28eaad47ae92df266f0

SHA512
1711d023c60d4b047d553a654797bc3a2eecd951b310698c1a2c549e136c33f55e0fc1167a4a38f793b7796f7cfc3fb30017935127b147a21da2812eb38faac5

Download Submit
\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE
Filesize
549KB

MD5
61631e66dbe2694a93e5dc936dd273be

SHA1
b1838b8ca92fa5ca89e1108ceb2630a6ecd2b8c2

SHA256
5811b7b694d99c703b4c4bc72d6b7d846d05b2b0f45a7e3e4279cdb6fd81265f

SHA512
323463c267ccdb701d5967198f4f72158056f5a6e889c47bf19d1a670233ab071a5fe8c108430beb67753b77af1c59028007101a8e1266618fe91fa0127b4dcf

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\a91e0748bb3c181f28348d4bdd05d7791d3dc3ecd08948d327214ca98317f514.exe
Filesize
221KB

MD5
78fd3c836cedce62224ddde7915a8bef

SHA1
f7048bbcb528f1370dd1b492e4f03c0d815b4ef4

SHA256
b0e03deeb9c303b1ec3725db1a8b6a82910cbd1aebab8289287fc9a49d8c2e7b

SHA512
ac95bd2714d62733c8426ad17ceaac796a40c50c657d01ae3e20f13d4cab3c956cd35d82b82c4ecc1ed693f4bc0ffdc902de883a96e50be63a1be37d3302f8d1

Download Submit
\Users\Admin\AppData\Roaming\Founder Systems\ie2.dll
Filesize
17KB

MD5
08ce6457e0dad32ec2b95b85d8d12768

SHA1
b51ec32c5bbdfbd5b154f2d83a168e41f1691025

SHA256
1441a82b4a990a11d2374b028f91c9ddddc0d43f9359924d0d0cfdc3f7755140

SHA512
f531243975bc1d4f52a4aceff34973b803a9d2e41114d69f131e81f67cc112ea7cc6b8c2b7f107234e66811f67d66b49c59f9c6ab8b708ceda2133702cd12307

Download Submit
\Users\Admin\AppData\Roaming\Founder Systems\ie2.dll
Filesize
17KB

MD5
08ce6457e0dad32ec2b95b85d8d12768

SHA1
b51ec32c5bbdfbd5b154f2d83a168e41f1691025

SHA256
1441a82b4a990a11d2374b028f91c9ddddc0d43f9359924d0d0cfdc3f7755140

SHA512
f531243975bc1d4f52a4aceff34973b803a9d2e41114d69f131e81f67cc112ea7cc6b8c2b7f107234e66811f67d66b49c59f9c6ab8b708ceda2133702cd12307

Download Submit
\Users\Admin\AppData\Roaming\Founder Systems\ie2.dll
Filesize
17KB

MD5
08ce6457e0dad32ec2b95b85d8d12768

SHA1
b51ec32c5bbdfbd5b154f2d83a168e41f1691025

SHA256
1441a82b4a990a11d2374b028f91c9ddddc0d43f9359924d0d0cfdc3f7755140

SHA512
f531243975bc1d4f52a4aceff34973b803a9d2e41114d69f131e81f67cc112ea7cc6b8c2b7f107234e66811f67d66b49c59f9c6ab8b708ceda2133702cd12307

Download Submit
\Users\Admin\AppData\Roaming\Founder Systems\ie2.dll
Filesize
17KB

MD5
08ce6457e0dad32ec2b95b85d8d12768

SHA1
b51ec32c5bbdfbd5b154f2d83a168e41f1691025

SHA256
1441a82b4a990a11d2374b028f91c9ddddc0d43f9359924d0d0cfdc3f7755140

SHA512
f531243975bc1d4f52a4aceff34973b803a9d2e41114d69f131e81f67cc112ea7cc6b8c2b7f107234e66811f67d66b49c59f9c6ab8b708ceda2133702cd12307

Download Submit
memory/564-61-0x0000000000000000-mapping.dmp

Download
memory/1088-82-0x0000000000820000-0x000000000082A000-memory.dmp

Filesize
40KB

Download
memory/1088-69-0x0000000000000000-mapping.dmp

Download
memory/1088-71-0x0000000001220000-0x0000000001232000-memory.dmp

Filesize
72KB

Download
memory/1088-85-0x0000000000820000-0x000000000082A000-memory.dmp

Filesize
40KB

Download
memory/1296-59-0x000007FEF3BC0000-0x000007FEF45E3000-memory.dmp

Filesize
10.1MB

Download
memory/1296-56-0x0000000000000000-mapping.dmp

Download
memory/1476-64-0x0000000000000000-mapping.dmp

Download
memory/2016-54-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads