neshta | dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2

General

Target

dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Size

916KB
MD5

0e6eccc2cb4555748e5b1dec1ea8e0b0
SHA1

3eba614e98ff631ecb30bcc1cc3cfe4824747dff
SHA256

dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2
SHA512

75926bd3d19ef06f38581ad03a95eb99dfed1b0505484680abc633e36200e02bc8fb72bbe1caf4241446edd398650f0ad3a3ecc12b78e2758c29adc843703452
SSDEEP

12288:aW6VgX0SyGUsp8Qd/zDdz+A+hi6+pE30vwmC46oSVISpn7awwgoSPpi6:a/lGl6Qp3R+hos4w74YGwJpi6

Score

10^/10

neshta evasion persistence spyware stealer upx

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe

pid process

588 dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe

pid	process
588	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\3582-490\dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe	upx
C:\Users\Admin\AppData\Local\Temp\3582-490\dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe	upx
C:\Users\Admin\AppData\Local\Temp\3582-490\dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe	upx
behavioral1/memory/588-61-0x0000000000400000-0x0000000000953000-memory.dmp	upx
behavioral1/memory/588-63-0x0000000000400000-0x0000000000953000-memory.dmp	upx

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Wine	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe

Loads dropped DLL 2 IoCs

Processes:

dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe

pid	process
2024	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
2024	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe

Drops file in Windows directory 1 IoCs

Processes:

dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe

description ioc process

File opened for modification C:\Windows\svchost.com dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe

Modifies registry class 3 IoCs

Processes:

dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exedbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\FalconBetaAccount	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\FalconBetaAccount\remote_access_client_id = "3963166387"	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe

description pid process

Token: SeManageVolumePrivilege 588 dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe

description	pid	process
Token: SeManageVolumePrivilege	588	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe

description	pid	process	target process
PID 2024 wrote to memory of 588	2024	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
PID 2024 wrote to memory of 588	2024	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
PID 2024 wrote to memory of 588	2024	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
PID 2024 wrote to memory of 588	2024	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe	dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe

C:\Users\Admin\AppData\Local\Temp\dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
"C:\Users\Admin\AppData\Local\Temp\dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe"
1⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Local\Temp\3582-490\dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe"
2⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Filesize
875KB

MD5
2c1ef6485eeb834187fc69556a64eafe

SHA1
c959e7d82203d234eb4912c61f05a450417c8c36

SHA256
7f25b9bbec978f3f3810d1e064d2ca9330061bd9d0f7df9c3370f020e9d38e56

SHA512
7f8041ec2d84ed23dd31a4733680e3228bdd12564109f107a57aa341dbd2813d016f154ae0f6dd0957aa67bb4d2ba96bbd6ce555cb366ebd163e9ca9c78e27f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Filesize
875KB

MD5
2c1ef6485eeb834187fc69556a64eafe

SHA1
c959e7d82203d234eb4912c61f05a450417c8c36

SHA256
7f25b9bbec978f3f3810d1e064d2ca9330061bd9d0f7df9c3370f020e9d38e56

SHA512
7f8041ec2d84ed23dd31a4733680e3228bdd12564109f107a57aa341dbd2813d016f154ae0f6dd0957aa67bb4d2ba96bbd6ce555cb366ebd163e9ca9c78e27f7

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\dbfe97ff3dfd3889ca63c32b43dd67911e8706fe98f2c35f6cd342a70b24a0b2.exe
Filesize
875KB

MD5
2c1ef6485eeb834187fc69556a64eafe

SHA1
c959e7d82203d234eb4912c61f05a450417c8c36

SHA256
7f25b9bbec978f3f3810d1e064d2ca9330061bd9d0f7df9c3370f020e9d38e56

SHA512
7f8041ec2d84ed23dd31a4733680e3228bdd12564109f107a57aa341dbd2813d016f154ae0f6dd0957aa67bb4d2ba96bbd6ce555cb366ebd163e9ca9c78e27f7

Download Submit
memory/588-56-0x0000000000000000-mapping.dmp

Download
memory/588-61-0x0000000000400000-0x0000000000953000-memory.dmp

Filesize
5.3MB

Download
memory/588-63-0x0000000000400000-0x0000000000953000-memory.dmp

Filesize
5.3MB

Download
memory/2024-54-0x0000000074D81000-0x0000000074D83000-memory.dmp

Filesize
8KB

Download
memory/2024-60-0x00000000025F0000-0x0000000002B43000-memory.dmp

Filesize
5.3MB

Download
memory/2024-62-0x00000000025F0000-0x0000000002B43000-memory.dmp

Filesize
5.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads