Analysis Overview
SHA256
9c9e575ed0817fff5eaaa7af7c65da6be92b54e8f4fe4fcb6f6420074b850120
Threat Level: Known bad
The file 2024-05-25_c563927d8f56cfe7238b042829d5693d_cobalt-strike_cobaltstrike_darkgate_neshta was found to be: Known bad.
Malicious Activity Summary
Gh0st RAT payload
Neshta family
Neshta
Detect Neshta payload
Gh0strat
Sets DLL path for service in the registry
Reads user/profile data of web browsers
Modifies system executable filetype association
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-25 06:12
Signatures
Detect Neshta payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Neshta family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-25 06:12
Reported
2024-05-25 06:14
Platform
win7-20240221-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Detect Neshta payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0st RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Gh0strat
Neshta
Sets DLL path for service in the registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\svchcst\Parameters\ServiceDll = "C:\\Windows\\system32\\259402643.bat" | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\svchcst\Parameters\ServiceDll = "C:\\Windows\\system32\\259403158.bat" | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-25_c563927d8f56cfe7238b042829d5693d_cobalt-strike_cobaltstrike_darkgate_neshta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_2024-05-25_c563927d8f56cfe7238b042829d5693d_cobalt-strike_cobaltstrike_darkgate_neshta.exe | N/A |
| N/A | N/A | C:\Windows\svchost.com | N/A |
| N/A | N/A | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| N/A | N/A | C:\Windows\svchost.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\HD__CACHE~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\HD__CACHE~2.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchcst.exe | N/A |
Loads dropped DLL
Modifies system executable filetype association
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2024-05-25_c563927d8f56cfe7238b042829d5693d_cobalt-strike_cobaltstrike_darkgate_neshta.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-25_c563927d8f56cfe7238b042829d5693d_cobalt-strike_cobaltstrike_darkgate_neshta.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\svchcst.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\svchcst.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
| File created | C:\Windows\SysWOW64\259403158.bat | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
| File created | C:\Windows\SysWOW64\259402643.bat | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\2024-05-25_c563927d8f56cfe7238b042829d5693d_cobalt-strike_cobaltstrike_darkgate_neshta.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\._cache_2024-05-25_c563927d8f56cfe7238b042829d5693d_cobalt-strike_cobaltstrike_darkgate_neshta.exe | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2024-05-25_c563927d8f56cfe7238b042829d5693d_cobalt-strike_cobaltstrike_darkgate_neshta.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-25_c563927d8f56cfe7238b042829d5693d_cobalt-strike_cobaltstrike_darkgate_neshta.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-25_c563927d8f56cfe7238b042829d5693d_cobalt-strike_cobaltstrike_darkgate_neshta.exe"
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-25_c563927d8f56cfe7238b042829d5693d_cobalt-strike_cobaltstrike_darkgate_neshta.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-25_c563927d8f56cfe7238b042829d5693d_cobalt-strike_cobaltstrike_darkgate_neshta.exe"
C:\Users\Admin\AppData\Local\Temp\._cache_2024-05-25_c563927d8f56cfe7238b042829d5693d_cobalt-strike_cobaltstrike_darkgate_neshta.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_2024-05-25_c563927d8f56cfe7238b042829d5693d_cobalt-strike_cobaltstrike_darkgate_neshta.exe"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\look2.exe
C:\Users\Admin\AppData\Local\Temp\\look2.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\HD__CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\HD__CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\look2.exe
C:\Users\Admin\AppData\Local\Temp\\look2.exe
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 812 -s 96
C:\Users\Admin\AppData\Local\Temp\3582-490\HD__CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\HD__CACHE~2.EXE
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2240 -s 96
C:\Windows\SysWOW64\svchcst.exe
C:\Windows\system32\svchcst.exe "c:\windows\system32\259402643.bat",MainThread
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | kinh.xmcxmr.com | udp |
| US | 8.8.8.8:53 | xred.mooo.com | udp |
| US | 8.8.8.8:53 | freedns.afraid.org | udp |
| US | 69.42.215.252:80 | freedns.afraid.org | tcp |
| US | 8.8.8.8:53 | docs.google.com | udp |
| GB | 142.250.200.14:443 | docs.google.com | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 142.250.179.225:443 | drive.usercontent.google.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\3582-490\2024-05-25_c563927d8f56cfe7238b042829d5693d_cobalt-strike_cobaltstrike_darkgate_neshta.exe
| MD5 | 5caea0f6b94e2b8d42584a3c0ae968e5 |
| SHA1 | ea71086dcf9676de0f0d1beaefd7c5ddcd4c933d |
| SHA256 | b34040f3606bf59b1ed8b290996a99c63f3be0a1f1a67177c24da59b4ed2d830 |
| SHA512 | f88c9b4741faa66cbc55d135ef6349f49fde4253b4f8dfaf8983cc2538684f6c8d09c9ed2c9d96baf54c3180dd25c875b5965e01b40f9cf44b376cafae84206b |
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe
| MD5 | cf6c595d3e5e9667667af096762fd9c4 |
| SHA1 | 9bb44da8d7f6457099cb56e4f7d1026963dce7ce |
| SHA256 | 593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d |
| SHA512 | ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80 |
memory/2204-14-0x0000000000230000-0x0000000000231000-memory.dmp
\Users\Admin\AppData\Local\Temp\._cache_2024-05-25_c563927d8f56cfe7238b042829d5693d_cobalt-strike_cobaltstrike_darkgate_neshta.exe
| MD5 | 03b1a6c3ca32de4fa42d45ae67ac976f |
| SHA1 | 0b4803e21ca2af279943418c1f98d47bc3134165 |
| SHA256 | 861ec218c522da4af8ede69ccd8f31954bd37d0b2107f8768a1b72d6457f9771 |
| SHA512 | c97aa98296ab4a9fa80931eefa653d63af818eec8b2f5230f325fe4c021c57e84a0cb469e8dbc96da43db11261ba3def76fed41f9007db4c59a33eb2b801497a |
C:\Windows\svchost.com
| MD5 | 10fcd0242c5d8cb36a248305c5babb21 |
| SHA1 | 8da5fc6e56e01fa59e8153118300c2854cb17421 |
| SHA256 | 13304d9a67a275e1e89a349bff9b7dd722530c58e23022d5de8e82dee7eff237 |
| SHA512 | 49b365c6d0f2f19c21894f3be89a542a0c10a1d2ac7caab436d5b169efb476ed843da4a4ccfbc450bafed89266d912ccd0948fda551d2d1c4568ef0373e47bfe |
memory/2204-51-0x0000000000400000-0x0000000000779000-memory.dmp
C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE
| MD5 | 02ee6a3424782531461fb2f10713d3c1 |
| SHA1 | b581a2c365d93ebb629e8363fd9f69afc673123f |
| SHA256 | ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc |
| SHA512 | 6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec |
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
| MD5 | 25331b8a4c64e7bce6fe63eeef2f9f24 |
| SHA1 | 8af4d49674224934df94c101eb706e02c8bcd8c5 |
| SHA256 | e02db10472e7672f82eed2bc1c9e33ff0b422b3fe502f7096543553f59035882 |
| SHA512 | 46b8ccc3935c46872ee862448d0b3b4511290724cbc9bfbf7959d17393cdd5f61bc5e9bf724ad320d9c8586d3521afba2f499441eeb66a60b83f0a360a5eefab |
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe
| MD5 | 566ed4f62fdc96f175afedd811fa0370 |
| SHA1 | d4b47adc40e0d5a9391d3f6f2942d1889dd2a451 |
| SHA256 | e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460 |
| SHA512 | cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7 |
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe
| MD5 | 58b58875a50a0d8b5e7be7d6ac685164 |
| SHA1 | 1e0b89c1b2585c76e758e9141b846ed4477b0662 |
| SHA256 | 2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae |
| SHA512 | d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b |
C:\Users\Admin\AppData\Local\Temp\look2.exe
| MD5 | 2f3b6f16e33e28ad75f3fdaef2567807 |
| SHA1 | 85e907340faf1edfc9210db85a04abd43d21b741 |
| SHA256 | 86492ebf2d6f471a5ee92977318d099b3ea86175b5b7ae522237ae01d07a4857 |
| SHA512 | db17e99e2df918cfc9ccbe934adfe73f0777ce1ce9f28b57a4b24ecd821efe2e0b976a634853247b77b16627d2bb3af4ba20306059d1d25ef38ffada7da3e3a4 |
\Windows\SysWOW64\259402643.bat
| MD5 | 4307ba85c7954e88bd54abd964cf78fe |
| SHA1 | 7b118c745d616deb213c6058e7620e6a926a2108 |
| SHA256 | f5438d13b968c64e1e710f48ca74ca6aaeeeaed7bc485dcea35e486a4fed4b37 |
| SHA512 | d196db032f0dec69e9fca8644c393f6fab1347070b887e05d8ab2113a99990d92afe93421e71741a915fca5462337f1f3cef0a916b76539e3960bfd163914c8c |
\Users\Admin\AppData\Local\Temp\3582-490\HD__CACHE~1.EXE
| MD5 | d03630dc968aae232a10fc0507727977 |
| SHA1 | c1fb90cbcfc414d013e02aa49dc6654b6ff45d51 |
| SHA256 | c9b5ab87aa09c521ab00abe664291bb2e833f018f0c8f3c00b719e35f101f140 |
| SHA512 | f559405af54194bc925f49377ce29d602084d15cfe7234f3d62644eba8129ebca57718a96c0e4099de233a2f0252e89958ec109a740a4eba4af3675569d67e2a |
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
| MD5 | 9e2b9928c89a9d0da1d3e8f4bd96afa7 |
| SHA1 | ec66cda99f44b62470c6930e5afda061579cde35 |
| SHA256 | 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043 |
| SHA512 | 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156 |
memory/2240-143-0x000000013F9D0000-0x000000013FBD9000-memory.dmp
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE
| MD5 | c275134502929608464f4400dd4971ab |
| SHA1 | 107b91a5249425c83700d64aff4b57652039699d |
| SHA256 | ca5263f340cc735ba279532bbd9fe505fcf05d81b52614e05aff31c14d18f831 |
| SHA512 | 913cadcb575519f924333c80588781caecd6cd5f176dc22ac7391f154ffc3b3f7302d010433c22c96fde3591cac79df3252798e52abf5706517493ef87a7ef7d |
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE
| MD5 | 7ed0f5802e7fc1243b7c82862c5bf87c |
| SHA1 | e16741b5050df662da25419da6cf80517fc2a46a |
| SHA256 | 3342cf175e2c42ee691ba58cf7f6d6db3116f615b5483327fed706067b265595 |
| SHA512 | a006888ed6dbd9dd548f84d57c84e3baccc1ee5c09d2d127ce26c3f01af59e8531bc43b4f986aa45d8853f3d71a87dec2adbd34bd75a182e4f45111c69339fef |
memory/1796-140-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HD_X.dat
| MD5 | 34b496de3e42f44274e64328cd2bf91d |
| SHA1 | 62af4747fb62e4a0d26e0071ca4940a8e089a368 |
| SHA256 | c0b82f23137ef1cc172c6f20a159dd76b44a7f1183b89c33bf27ff0835737f0b |
| SHA512 | 5c57098a760e1ce3e932a95c3548c71886a94761999126e469f79f6fed9b51c20956526053e912d724ac1324645fea625d4886a3954830fd3f8550c25fbcad0f |
memory/812-135-0x000000013FBF0000-0x000000013FDF9000-memory.dmp
memory/1212-134-0x00000000029B0000-0x0000000002BB9000-memory.dmp
C:\Windows\SysWOW64\ini.ini
| MD5 | edc0bc4b9c100d093a035b7582e84180 |
| SHA1 | b254b433894384c11aa019c9f0c7a7fc4bbcdd8f |
| SHA256 | 119498f13d7abb148f014f90ac941ca82a75a08f95e094d3709131a31276083f |
| SHA512 | ff80f84d6395f70c2162f0c918f8fd4bdf3e6143ac75293c0911d69b06282d221992758ba533f516d5ffa9931fee09661b5efc9a8148d8dc79861b6d0817ea8a |
memory/2556-111-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Windows\directx.sys
| MD5 | 6b3bfceb3942a9508a2148acbee89007 |
| SHA1 | 3622ac7466cc40f50515eb6fcdc15d1f34ad3be3 |
| SHA256 | e0a7bae2a9ac263cff5d725922e40272d8854278d901233a93a5267859c00a3c |
| SHA512 | fa222bfcade636824af32124b45450c92b1abec7a33e6e647a9248eef5371c127d22ccb7cc5a096b4d5d52e2457f3841293a1b34304e8e5523549856ac02f224 |
memory/2860-92-0x0000000000400000-0x000000000041B000-memory.dmp
C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE
| MD5 | 4f8fc8dc93d8171d0980edc8ad833b12 |
| SHA1 | dc2493a4d3a7cb460baed69edec4a89365dc401f |
| SHA256 | 1505f3721dd3d7062dadde1633d17e4ee80caf29fd5b6aa6e6a0c481324ffd4e |
| SHA512 | bdc3f83d7428418516daf23a9c2d00571cbaa3755391dfd8c500b6df7f621a67ad8e27775bcdaa20b159cd77d08bcdaf81a0cb7fffdd812978888d43512113a6 |
C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE
| MD5 | 92ee5c55aca684cd07ed37b62348cd4e |
| SHA1 | 6534d1bc8552659f19bcc0faaa273af54a7ae54b |
| SHA256 | bee98e2150e02ad6259184a35e02e75df96291960032b3085535fb0f1f282531 |
| SHA512 | fc9f4569a5f3de81d6a490f0fff4765698cdc891933979a3ce661a6291b606630a0c2b15647fc661109fcea466c7a78552b9cfbca6c5b2079ea1632a9f1b6e22 |
memory/2816-262-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2388-263-0x0000000000400000-0x0000000000779000-memory.dmp
memory/1948-261-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1948-264-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2816-265-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2388-266-0x0000000000400000-0x0000000000779000-memory.dmp
memory/1948-268-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2816-269-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2240-270-0x000000013F9D0000-0x000000013FBD9000-memory.dmp
memory/2388-271-0x0000000000400000-0x0000000000779000-memory.dmp
memory/2388-305-0x0000000000400000-0x0000000000779000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-25 06:12
Reported
2024-05-25 06:15
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
158s
Command Line
Signatures
Detect Neshta payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0st RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Gh0strat
Neshta
Sets DLL path for service in the registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\svchcst\Parameters\ServiceDll = "C:\\Windows\\system32\\240615750.bat" | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\svchcst\Parameters\ServiceDll = "C:\\Windows\\system32\\240618453.bat" | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\._cache_2024-05-25_c563927d8f56cfe7238b042829d5693d_cobalt-strike_cobaltstrike_darkgate_neshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2024-05-25_c563927d8f56cfe7238b042829d5693d_cobalt-strike_cobaltstrike_darkgate_neshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-25_c563927d8f56cfe7238b042829d5693d_cobalt-strike_cobaltstrike_darkgate_neshta.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-25_c563927d8f56cfe7238b042829d5693d_cobalt-strike_cobaltstrike_darkgate_neshta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_2024-05-25_c563927d8f56cfe7238b042829d5693d_cobalt-strike_cobaltstrike_darkgate_neshta.exe | N/A |
| N/A | N/A | C:\Windows\svchost.com | N/A |
| N/A | N/A | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\HD__CACHE~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| N/A | N/A | C:\Windows\svchost.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\HD__CACHE~2.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchcst.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchcst.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2024-05-25_c563927d8f56cfe7238b042829d5693d_cobalt-strike_cobaltstrike_darkgate_neshta.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-25_c563927d8f56cfe7238b042829d5693d_cobalt-strike_cobaltstrike_darkgate_neshta.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\240615750.bat | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
| File created | C:\Windows\SysWOW64\svchcst.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\svchcst.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File created | C:\Windows\SysWOW64\240618453.bat | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3948 set thread context of 3960 | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\HD__CACHE~1.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 1476 set thread context of 3960 | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\HD__CACHE~2.EXE | C:\Windows\System32\RuntimeBroker.exe |
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\2024-05-25_c563927d8f56cfe7238b042829d5693d_cobalt-strike_cobaltstrike_darkgate_neshta.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\._cache_2024-05-25_c563927d8f56cfe7238b042829d5693d_cobalt-strike_cobaltstrike_darkgate_neshta.exe | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2024-05-25_c563927d8f56cfe7238b042829d5693d_cobalt-strike_cobaltstrike_darkgate_neshta.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-25_c563927d8f56cfe7238b042829d5693d_cobalt-strike_cobaltstrike_darkgate_neshta.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\._cache_2024-05-25_c563927d8f56cfe7238b042829d5693d_cobalt-strike_cobaltstrike_darkgate_neshta.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\HD__CACHE~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\HD__CACHE~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\HD__CACHE~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\HD__CACHE~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\HD__CACHE~2.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\HD__CACHE~2.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\HD__CACHE~2.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\HD__CACHE~2.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\2024-05-25_c563927d8f56cfe7238b042829d5693d_cobalt-strike_cobaltstrike_darkgate_neshta.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-25_c563927d8f56cfe7238b042829d5693d_cobalt-strike_cobaltstrike_darkgate_neshta.exe"
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-25_c563927d8f56cfe7238b042829d5693d_cobalt-strike_cobaltstrike_darkgate_neshta.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-25_c563927d8f56cfe7238b042829d5693d_cobalt-strike_cobaltstrike_darkgate_neshta.exe"
C:\Users\Admin\AppData\Local\Temp\._cache_2024-05-25_c563927d8f56cfe7238b042829d5693d_cobalt-strike_cobaltstrike_darkgate_neshta.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_2024-05-25_c563927d8f56cfe7238b042829d5693d_cobalt-strike_cobaltstrike_darkgate_neshta.exe"
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\look2.exe
C:\Users\Admin\AppData\Local\Temp\\look2.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
C:\Users\Admin\AppData\Local\Temp\3582-490\HD__CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\HD__CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
C:\Users\Admin\AppData\Local\Temp\look2.exe
C:\Users\Admin\AppData\Local\Temp\\look2.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\HD__CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\HD__CACHE~2.EXE
C:\Windows\SysWOW64\svchcst.exe
C:\Windows\system32\svchcst.exe "c:\windows\system32\240615750.bat",MainThread
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xred.mooo.com | udp |
| US | 8.8.8.8:53 | freedns.afraid.org | udp |
| US | 69.42.215.252:80 | freedns.afraid.org | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 252.215.42.69.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | kinh.xmcxmr.com | udp |
| US | 8.8.8.8:53 | kinh.xmcxmr.com | udp |
| US | 8.8.8.8:53 | kinh.xmcxmr.com | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | morgellonsfocusonhealth.com | udp |
| IT | 185.196.9.203:443 | morgellonsfocusonhealth.com | tcp |
| US | 8.8.8.8:53 | kinh.xmcxmr.com | udp |
| US | 8.8.8.8:53 | 203.9.196.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | kinh.xmcxmr.com | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | kinh.xmcxmr.com | udp |
| US | 8.8.8.8:53 | kinh.xmcxmr.com | udp |
| US | 8.8.8.8:53 | kinh.xmcxmr.com | udp |
| US | 8.8.8.8:53 | kinh.xmcxmr.com | udp |
| US | 8.8.8.8:53 | kinh.xmcxmr.com | udp |
| US | 8.8.8.8:53 | kinh.xmcxmr.com | udp |
| IT | 185.196.9.203:443 | morgellonsfocusonhealth.com | tcp |
| US | 8.8.8.8:53 | kinh.xmcxmr.com | udp |
| US | 8.8.8.8:53 | docs.google.com | udp |
| GB | 142.250.200.14:443 | docs.google.com | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 142.250.179.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 225.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | kinh.xmcxmr.com | udp |
| US | 8.8.8.8:53 | kinh.xmcxmr.com | udp |
| US | 8.8.8.8:53 | kinh.xmcxmr.com | udp |
| US | 8.8.8.8:53 | kinh.xmcxmr.com | udp |
| US | 8.8.8.8:53 | kinh.xmcxmr.com | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | kinh.xmcxmr.com | udp |
| IT | 185.196.9.203:443 | morgellonsfocusonhealth.com | tcp |
| US | 8.8.8.8:53 | kinh.xmcxmr.com | udp |
| US | 8.8.8.8:53 | kinh.xmcxmr.com | udp |
| US | 8.8.8.8:53 | kinh.xmcxmr.com | udp |
| US | 8.8.8.8:53 | kinh.xmcxmr.com | udp |
| US | 8.8.8.8:53 | kinh.xmcxmr.com | udp |
| US | 8.8.8.8:53 | kinh.xmcxmr.com | udp |
| US | 8.8.8.8:53 | kinh.xmcxmr.com | udp |
| US | 8.8.8.8:53 | kinh.xmcxmr.com | udp |
| US | 8.8.8.8:53 | kinh.xmcxmr.com | udp |
| IT | 185.196.9.203:443 | morgellonsfocusonhealth.com | tcp |
| US | 8.8.8.8:53 | kinh.xmcxmr.com | udp |
| US | 8.8.8.8:53 | kinh.xmcxmr.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-25_c563927d8f56cfe7238b042829d5693d_cobalt-strike_cobaltstrike_darkgate_neshta.exe
| MD5 | 5caea0f6b94e2b8d42584a3c0ae968e5 |
| SHA1 | ea71086dcf9676de0f0d1beaefd7c5ddcd4c933d |
| SHA256 | b34040f3606bf59b1ed8b290996a99c63f3be0a1f1a67177c24da59b4ed2d830 |
| SHA512 | f88c9b4741faa66cbc55d135ef6349f49fde4253b4f8dfaf8983cc2538684f6c8d09c9ed2c9d96baf54c3180dd25c875b5965e01b40f9cf44b376cafae84206b |
memory/4048-12-0x00000000025F0000-0x00000000025F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\._cache_2024-05-25_c563927d8f56cfe7238b042829d5693d_cobalt-strike_cobaltstrike_darkgate_neshta.exe
| MD5 | 03b1a6c3ca32de4fa42d45ae67ac976f |
| SHA1 | 0b4803e21ca2af279943418c1f98d47bc3134165 |
| SHA256 | 861ec218c522da4af8ede69ccd8f31954bd37d0b2107f8768a1b72d6457f9771 |
| SHA512 | c97aa98296ab4a9fa80931eefa653d63af818eec8b2f5230f325fe4c021c57e84a0cb469e8dbc96da43db11261ba3def76fed41f9007db4c59a33eb2b801497a |
C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_2024-05-25_c563927d8f56cfe7238b042829d5693d_cobalt-strike_cobaltstrike_darkgate_neshta.exe
| MD5 | 25331b8a4c64e7bce6fe63eeef2f9f24 |
| SHA1 | 8af4d49674224934df94c101eb706e02c8bcd8c5 |
| SHA256 | e02db10472e7672f82eed2bc1c9e33ff0b422b3fe502f7096543553f59035882 |
| SHA512 | 46b8ccc3935c46872ee862448d0b3b4511290724cbc9bfbf7959d17393cdd5f61bc5e9bf724ad320d9c8586d3521afba2f499441eeb66a60b83f0a360a5eefab |
C:\Windows\svchost.com
| MD5 | 10fcd0242c5d8cb36a248305c5babb21 |
| SHA1 | 8da5fc6e56e01fa59e8153118300c2854cb17421 |
| SHA256 | 13304d9a67a275e1e89a349bff9b7dd722530c58e23022d5de8e82dee7eff237 |
| SHA512 | 49b365c6d0f2f19c21894f3be89a542a0c10a1d2ac7caab436d5b169efb476ed843da4a4ccfbc450bafed89266d912ccd0948fda551d2d1c4568ef0373e47bfe |
memory/4048-128-0x0000000000400000-0x0000000000779000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\look2.exe
| MD5 | 2f3b6f16e33e28ad75f3fdaef2567807 |
| SHA1 | 85e907340faf1edfc9210db85a04abd43d21b741 |
| SHA256 | 86492ebf2d6f471a5ee92977318d099b3ea86175b5b7ae522237ae01d07a4857 |
| SHA512 | db17e99e2df918cfc9ccbe934adfe73f0777ce1ce9f28b57a4b24ecd821efe2e0b976a634853247b77b16627d2bb3af4ba20306059d1d25ef38ffada7da3e3a4 |
C:\Windows\SysWOW64\240615750.bat
| MD5 | 4307ba85c7954e88bd54abd964cf78fe |
| SHA1 | 7b118c745d616deb213c6058e7620e6a926a2108 |
| SHA256 | f5438d13b968c64e1e710f48ca74ca6aaeeeaed7bc485dcea35e486a4fed4b37 |
| SHA512 | d196db032f0dec69e9fca8644c393f6fab1347070b887e05d8ab2113a99990d92afe93421e71741a915fca5462337f1f3cef0a916b76539e3960bfd163914c8c |
C:\Users\Admin\AppData\Local\Temp\3582-490\HD__CACHE~1.EXE
| MD5 | d03630dc968aae232a10fc0507727977 |
| SHA1 | c1fb90cbcfc414d013e02aa49dc6654b6ff45d51 |
| SHA256 | c9b5ab87aa09c521ab00abe664291bb2e833f018f0c8f3c00b719e35f101f140 |
| SHA512 | f559405af54194bc925f49377ce29d602084d15cfe7234f3d62644eba8129ebca57718a96c0e4099de233a2f0252e89958ec109a740a4eba4af3675569d67e2a |
memory/3948-174-0x00007FF7EE260000-0x00007FF7EE469000-memory.dmp
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
| MD5 | 316cf123fc3021e85e4a3cb3d703e83e |
| SHA1 | 0bc76376a2ee11616aacfe6284acb94bcb23c62d |
| SHA256 | 9b5ffbf037621537fe7769e01d0faffd042010b2019ce657b2d2419fd0e1db8e |
| SHA512 | ed0b5a4201d8f32e37a67477327996fc45ebd806057d3873012a2683e6f2170e50439f5ef5edcd15d1600d8313b70964d3a39f1151af32391bdac48da875278a |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
| MD5 | 576410de51e63c3b5442540c8fdacbee |
| SHA1 | 8de673b679e0fee6e460cbf4f21ab728e41e0973 |
| SHA256 | 3f00404dd591c2856e6f71bd78423ed47199902e0b85f228e6c4de72c59ddffe |
| SHA512 | f7761f3878775b30cc3d756fa122e74548dfc0a27e38fa4109e34a59a009df333d074bf14a227549ae347605f271be47984c55148685faac479aeb481f7191db |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE
| MD5 | 471811cb30f5b707e1cb8d898ab9dd85 |
| SHA1 | d27a6db0457555ad5187eab3438073eb1034418e |
| SHA256 | f4609ed3168deec3c6150a064956ce61bea6e18c746e55ca0b032ba56fc1f75c |
| SHA512 | 118f658797e84b08dd5495406ebb1c0dec96833ddbfe189777640085ddc47c3a943c2effed4273f4fec679269d1849ff9cd54bb31a1abb632438225cfca9af29 |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
| MD5 | 176436d406fd1aabebae353963b3ebcf |
| SHA1 | 9ffdfdb8cc832a0c6501c4c0e85b23a0f7eff57a |
| SHA256 | 2f947e3ca624ce7373080b4a3934e21644fb070a53feeaae442b15b849c2954f |
| SHA512 | a2d1a714e0c1e5463260c64048ba8fd5064cfa06d4a43d02fc04a30748102ff5ba86d20a08e611e200dc778e2b7b3ae808da48132a05a61aa09ac424a182a06a |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
| MD5 | 12c29dd57aa69f45ddd2e47620e0a8d9 |
| SHA1 | ba297aa3fe237ca916257bc46370b360a2db2223 |
| SHA256 | 22a585c183e27b3c732028ff193733c2f9d03700a0e95e65c556b0592c43d880 |
| SHA512 | 255176cd1a88dfa2af3838769cc20dc7ad9d969344801f07b9ebb372c12cee3f47f2dba3559f391deab10650875cad245d9724acfa23a42b336bfa96559a5488 |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE
| MD5 | 92dc0a5b61c98ac6ca3c9e09711e0a5d |
| SHA1 | f809f50cfdfbc469561bced921d0bad343a0d7b4 |
| SHA256 | 3e9da97a7106122245e77f13f3f3cc96c055d732ab841eb848d03ac25401c1bc |
| SHA512 | d9eefb19f82e0786d9be0dbe5e339d25473fb3a09682f40c6d190d4c320cca5556abb72b5d97c6b0da4f8faefdc6d39ac9d0415fdf94ebcc90ecdf2e513c6a31 |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE
| MD5 | 8c753d6448183dea5269445738486e01 |
| SHA1 | ebbbdc0022ca7487cd6294714cd3fbcb70923af9 |
| SHA256 | 473eb551101caeaf2d18f811342e21de323c8dd19ed21011997716871defe997 |
| SHA512 | 4f6fddefc42455540448eac0b693a4847e21b68467486376a4186776bfe137337733d3075b7b87ed7dac532478dc9afc63883607ec8205df3f155fee64c7a9be |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
| MD5 | 4ddc609ae13a777493f3eeda70a81d40 |
| SHA1 | 8957c390f9b2c136d37190e32bccae3ae671c80a |
| SHA256 | 16d65f2463658a72dba205dcaa18bc3d0bab4453e726233d68bc176e69db0950 |
| SHA512 | 9d7f90d1529cab20078c2690bf7bffab5a451a41d8993781effe807e619da0e7292f991da2f0c5c131b111d028b3e6084e5648c90816e74dfb664e7f78181bc5 |
memory/3960-223-0x0000021857450000-0x000002185749C000-memory.dmp
memory/3948-224-0x00007FF7EE260000-0x00007FF7EE469000-memory.dmp
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
| MD5 | 5791075058b526842f4601c46abd59f5 |
| SHA1 | b2748f7542e2eebcd0353c3720d92bbffad8678f |
| SHA256 | 5c3ef3ec7594c040146e908014791dd15201ba58b4d70032770bb661b6a0e394 |
| SHA512 | 83e303971ed64019fde9e4ba6f6e889f8fb105088490dfa7dcf579a12baff20ef491f563d132d60c7b24a4fd3cac29bd9dc974571cd162000fae8fba4e0e54fb |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
| MD5 | 9dfcdd1ab508b26917bb2461488d8605 |
| SHA1 | 4ba6342bcf4942ade05fb12db83da89dc8c56a21 |
| SHA256 | ecd5e94da88c653e4c34b6ab325e0aca8824247b290336f75c410caa16381bc5 |
| SHA512 | 1afc1b95f160333f1ff2fa14b3f22a28ae33850699c6b5498915a8b6bec1cfc40f33cb69583240aa9206bc2ea7ab14e05e071275b836502a92aa8c529fc1b137 |
memory/2756-206-0x0000000000400000-0x000000000041B000-memory.dmp
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe
| MD5 | 15f4411f1b14234b5bed948ed78fa86e |
| SHA1 | f9775a3d87efb22702d934322ffcda3511b79c17 |
| SHA256 | cd6c08078343089d299a30f7bf16555ab349e946892dca1c49c6c0336d27ff0e |
| SHA512 | c44d2e96d6d0264075379066fd5d11ba30a675bb6f6b6279c4ac0d12066975c30c33b69b52457cbed4e35852e8b15b3daad9274d6f957ae0681fb7a6c48a33cb |
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe
| MD5 | e7a27a45efa530c657f58fda9f3b9f4a |
| SHA1 | 6c0d29a8b75574e904ab1c39fc76b39ca8f8e461 |
| SHA256 | d6f11401f57293922fb36cd7542ae811ab567a512449e566f83ce0dcef5ff8e5 |
| SHA512 | 0c37b41f3c075cd89a764d81f751c3a704a19240ad8e4ebab591f399b9b168b920575749e9d24c2a8f0400b9f340ab9fea4db76ff7060d8af00e2b36ac0c4a54 |
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
| MD5 | bcd0f32f28d3c2ba8f53d1052d05252d |
| SHA1 | c29b4591df930dabc1a4bd0fa2c0ad91500eafb2 |
| SHA256 | bb07d817b8b1b6b4c25e62b6120e51dec10118557d7b6b696ad084a5ba5bfdeb |
| SHA512 | 79f407735853f82f46870c52058ceee4d91857a89db14868ee1169abd5c0fd2e3fa1ed230ab90b5f479a9581b88998643d69b0df498defea29e73b0d487f3b10 |
C:\Windows\directx.sys
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaws.exe
| MD5 | e9fb27bf62ef26b3288b5fe9ddf2f482 |
| SHA1 | eb4908aa50c11ae43df2fbdb0c80ddd41443624e |
| SHA256 | 9ea04cf00d8c01e4099195e5289c2e8221cdb7217c773222d1a55473b854f1b3 |
| SHA512 | 89fc0a4d2fa078315ca25ddeeaaa911ffb82d10669b0987d9bd67b149e09d73d0c356c656a519be7d65b93da831ea9da4f7617595ec01697390ca8bb00743ffa |
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE
| MD5 | 301d7f5daa3b48c83df5f6b35de99982 |
| SHA1 | 17e68d91f3ec1eabde1451351cc690a1978d2cd4 |
| SHA256 | abe398284d90be5e5e78f98654b88664e2e14478f7eb3f55c5fd1c1bcf1bebee |
| SHA512 | 4a72a24dec461d116fe8324c651913273ccaa50cb036ccdacb3ae300e417cf4a64aa458869b8d2f3b4c298c59977437d11b241d08b391a481c3226954bba22e4 |
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe
| MD5 | c760927ed7cda182f0b07d01726bdc5d |
| SHA1 | 0fcda8123ccdb32d0a3f1b3f986285acb14b173e |
| SHA256 | b56cb5c190ed0c3227fa708b53f9fa56d54e0f2acda7c73c2d7c7158ea3e198a |
| SHA512 | 7c998b308eb1133c68d1dda31c0a3abf66836ff0c600c1f32d3dc790291a065d5dce36bad39f26a09ffc97c475c34d1f6e416146f8a39f213a34fd1a253317db |
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
| MD5 | 99ac881582035c636c2359fcc7c72b71 |
| SHA1 | 34e222ce94d0fb0cbfe61e7e37d527c01a413e5e |
| SHA256 | 8aa538991767d32b538ad399c1e2af1e536ab9fc04ca70f13c0728347f404753 |
| SHA512 | 44bd12f2e8da0bd02c0348720bc73d00823ab9bb6a5ef7eba1881dacf0817c37d763b0cc3ab201e958822220ecc4d93a871ca693bb0f6ed95c1b26eb7a00d6f2 |
C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe
| MD5 | 23b1708cd5e7409832fe36f125844e7a |
| SHA1 | 39ec7d4322cf4ccea82ee65343d05459c5eb3f3e |
| SHA256 | 03e0297166fcd0b5a439d974080fbd5efbb48dfe3b019ab11faa89ecc372765f |
| SHA512 | d6291f0a98f1dfedd81589f07d219df23a9e734680975d5e2d91553767927bd2b7ed915e6f5974767277fb813e14f8549caf57f96912ea3cebe28b73ca3ec62e |
C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
| MD5 | 97510a7d9bf0811a6ea89fad85a9f3f3 |
| SHA1 | 2ac0c49b66a92789be65580a38ae9798237711db |
| SHA256 | c48abbc29405559e68cc9f8fc6d218aa317a9d0023839c7846ca509c1f563fea |
| SHA512 | 2a93e2a3bd187fdde160f87ef777ccd1d1c398d547b7c869e6b64469b9418ad04d887cdfe94af7407476377bf2d009f576de3935c025b7aefbab26fbcd8f90fb |
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
| MD5 | 07e194ce831b1846111eb6c8b176c86e |
| SHA1 | b9c83ec3b0949cb661878fb1a8b43a073e15baf1 |
| SHA256 | d882f673ddf40a7ea6d89ce25e4ee55d94a5ef0b5403aa8d86656fd960d0e4ac |
| SHA512 | 55f9b6d3199aa60d836b6792ae55731236fb2a99c79ce8522e07e579c64eabb88fa413c02632deb87a361dd8490361aa1424beed2e01ba28be220f8c676a1bb5 |
C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE
| MD5 | 2f826daacb184077b67aad3fe30e3413 |
| SHA1 | 981d415fe70414aaac3a11024e65ae2e949aced8 |
| SHA256 | a6180f0aa9c56c32e71fe8dc150131177e4036a5a2111d0f3ec3c341fd813222 |
| SHA512 | 2a6d9bdf4b7be9b766008e522cbb2c21921ba55d84dfde653ca977f70639e342a9d5548768de29ae2a85031c11dac2ae4b3c76b9136c020a6e7c9a9a5879caeb |
C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\ONEDRI~1.EXE
| MD5 | 1319acbba64ecbcd5e3f16fc3acd693c |
| SHA1 | f5d64f97194846bd0564d20ee290d35dd3df40b0 |
| SHA256 | 8c6f9493c2045bb7c08630cf3709a63e221001f04289b311efb259de3eb76bce |
| SHA512 | abbbb0abfff1698e2d3c4d27d84421b90abba1238b45884b82ace20d11ddfdd92bf206519fc01714235fb840258bb1c647c544b9a19d36f155bf3224916805b8 |
C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\181510~1.001\FILESY~1.EXE
| MD5 | f3228c24035b3f54f78bb4fd11c36aeb |
| SHA1 | 2fe73d1f64575bc4abf1d47a9dddfe7e2d9c9cbb |
| SHA256 | d2767c9c52835f19f6695c604081bf03cdd772a3731cd2e320d9db5e477d8af7 |
| SHA512 | b526c63338d9167060bc40ffa1d13a8c2e871f46680cd4a0efc2333d9f15bf21ae75af45f8932de857678c5bf785011a28862ce7879f4bffdb9753c8bc2c19b5 |
C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
| MD5 | 63dc05e27a0b43bf25f151751b481b8c |
| SHA1 | b20321483dac62bce0aa0cef1d193d247747e189 |
| SHA256 | 7d607fb69c69a72a5bf4305599279f46318312ce1082b6a34ac9100b8c7762ce |
| SHA512 | 374d705704d456cc5f9f79b7f465f6ec7c775dc43001c840e9d6efbbdef20926ed1fa97f8a9b1e73161e17f72520b96c05fa58ac86b3945208b405f9166e7ba3 |
C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe
| MD5 | 8a403bc371b84920c641afa3cf9fef2f |
| SHA1 | d6c9d38f3e571b54132dd7ee31a169c683abfd63 |
| SHA256 | 614a701b90739e7dbf66b14fbdb6854394290030cc87bbcb3f47e1c45d1f06c3 |
| SHA512 | b376ef1f49b793a8cd8b7af587f538cf87cb2fffa70fc144e1d1b7e2e8e365ba4ad0568321a0b1c04e69b4b8b694d77e812597a66be1c59eda626cbf132e2c72 |
C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE
| MD5 | 86749cd13537a694795be5d87ef7106d |
| SHA1 | 538030845680a8be8219618daee29e368dc1e06c |
| SHA256 | 8c35dcc975a5c7c687686a3970306452476d17a89787bc5bd3bf21b9de0d36a5 |
| SHA512 | 7b6ae20515fb6b13701df422cbb0844d26c8a98087b2758427781f0bf11eb9ec5da029096e42960bf99ddd3d4f817db6e29ac172039110df6ea92547d331db4c |
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE
| MD5 | da18586b25e72ff40c0f24da690a2edc |
| SHA1 | 27a388f3cdcfa7357f971b5c4411ea5aa1b9e5f5 |
| SHA256 | 67f6e8f14bcf0e6d570c1f4ac5a1bb80a4e1470b5bad5a7ee85689c476597d8e |
| SHA512 | 3512820a9d37b61f77a79b2d4d3f6aec9ef53dbf81071bee16f5dcc8173393a1cd1bffe9f7f39467b72f9c9271a78e42078e68598934188d9df0b887f2edc5ab |
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE
| MD5 | 27543bab17420af611ccc3029db9465a |
| SHA1 | f0f96fd53f9695737a3fa6145bc5a6ce58227966 |
| SHA256 | 75530dc732f35cc796d19edd11ae6d6f6ef6499ddcf2e57307582b1c5299554c |
| SHA512 | a62c2dd60e1df309ec1bb48ea85184914962ba83766f29d878569549ca20fca68f304f4494702d9e5f09adedc2166e48ee0bc1f4a5d9e245c5490daf15036bea |
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE
| MD5 | eb008f1890fed6dc7d13a25ff9c35724 |
| SHA1 | 751d3b944f160b1f77c1c8852af25b65ae9d649c |
| SHA256 | a9b7b9155af49d651b092bb1665447059f7a1d0061f88fa320d4f956b9723090 |
| SHA512 | 9cfe3480f24bf8970ad5773cb9df51d132ee90ada35cbf8ec1222e09a60ae46b2ff4b96862fea19085b1c32f93c47c69f604589fa3f4af17e5d67bef893b6bf1 |
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE
| MD5 | 41b1e87b538616c6020369134cbce857 |
| SHA1 | a255c7fef7ba2fc1a7c45d992270d5af023c5f67 |
| SHA256 | 08465cc139ee50a7497f8c842f74730d3a8f1a73c0b7caca95e9e6d37d3beed3 |
| SHA512 | 3a354d3577b45f6736203d5a35a2d1d543da2d1e268cefeffe6bdb723ff63c720ceb2838701144f5fec611470d77649846e0fb4770d6439f321f6b819f03e4db |
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE
| MD5 | 5e08d87c074f0f8e3a8e8c76c5bf92ee |
| SHA1 | f52a554a5029fb4749842b2213d4196c95d48561 |
| SHA256 | 5d548c2cc25d542f2061ed9c8e38bd5ca72bddb37dd17654346cae8a19645714 |
| SHA512 | dd98d6fa7d943604914b2e3b27e1f21a95f1fe1feb942dd6956e864da658f4fbd9d1d0cf775e79ceaae6a025aafd4e633763389c37034134bd5245969bec383e |
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE
| MD5 | 7c73e01bd682dc67ef2fbb679be99866 |
| SHA1 | ad3834bd9f95f8bf64eb5be0a610427940407117 |
| SHA256 | da333c92fdfd2e8092f5b56686b94f713f8fa27ef8f333e7222259ad1eb08f5d |
| SHA512 | b2f3398e486cde482cb6bea18f4e5312fa2db7382ca25cea17bcba5ab1ff0e891d59328bc567641a9da05caca4d7c61dc102289d46e7135f947ce6155e295711 |
C:\PROGRA~2\Google\Update\DISABL~1.EXE
| MD5 | 3b0e91f9bb6c1f38f7b058c91300e582 |
| SHA1 | 6e2e650941b1a96bb0bb19ff26a5d304bb09df5f |
| SHA256 | 57c993cadf4bf84810cea23a7112c6e260624beaab48d0e4332d3462900fec1d |
| SHA512 | a4fbe28a0135f4632e0a5b6bd775f8d010250b0fbfe223db1fe81d18552a6bc166ebce807853ba02e6a476e9829454805e415ca828a5e043bd1e63dc53599d0f |
C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE
| MD5 | f7c714dbf8e08ca2ed1a2bfb8ca97668 |
| SHA1 | cc78bf232157f98b68b8d81327f9f826dabb18ab |
| SHA256 | fc379fda348644fef660a3796861c122aa2dd5498e80279d1279a7ddb259e899 |
| SHA512 | 28bc04c4df3f632865e68e83d045b3ecd2a263e62853c922b260d0734026e8a1541988fcbf4ddc9cf3aba6863214d6c6eb51f8bbb2586122a7cb01a70f08d16c |
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE
| MD5 | 25e165d6a9c6c0c77ee1f94c9e58754b |
| SHA1 | 9b614c1280c75d058508bba2a468f376444b10c1 |
| SHA256 | 8bbe59987228dd9ab297f9ea34143ea1e926bfb19f3d81c2904ab877f31e1217 |
| SHA512 | 7d55c7d86ccabb6e9769ebca44764f4d89e221d5756e5c5d211e52c271e3ce222df90bc9938248e2e210d6695f30f6280d929d19ef41c09d3ea31688ae24d4bf |
C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE
| MD5 | e5589ec1e4edb74cc7facdaac2acabfd |
| SHA1 | 9b12220318e848ed87bb7604d6f6f5df5dbc6b3f |
| SHA256 | 6ce92587a138ec07dac387a294d0bbe8ab629599d1a2868d2afaccea3b245d67 |
| SHA512 | f36ab33894681f51b9cec7ea5a738eb081a56bcd7625bdd2f5ef2c084e4beb7378be8f292af3aeae79d9317ba57cc41df89f00aef52e58987bdb2eac3f48171a |
C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE
| MD5 | 96a14f39834c93363eebf40ae941242c |
| SHA1 | 5a3a676403d4e6ad0a51d0f0e2bbdd636ae5d6fc |
| SHA256 | 8ee4aa23eb92c4aba9a46b18ac249a5fa11c5abb7e2c1ca82cd5196401db790a |
| SHA512 | fbf307a8053e9478a52cfdf8e8bad3d7c6664c893458786ae6ee4fffc6fe93006e99a2a60c97fb62dad1addd5247621517f4edee5d9545717c4587a272cef9a2 |
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE
| MD5 | 400836f307cf7dbfb469cefd3b0391e7 |
| SHA1 | 7af3cbb12d3b2d8b5d9553c687c6129d1dd90a10 |
| SHA256 | cb5c5abb625a812d47007c75e3855be3f29da527a41cf03730ad5c81f3eb629a |
| SHA512 | aa53cb304478585d6f83b19a6de4a7938ba2570d380a565a56ff5365aed073d5f56b95ad3228eb7d1e7e6110c6172a58b97bd6a5e57e4a8d39e762ed31dc17c8 |
memory/3096-259-0x0000000000400000-0x000000000041B000-memory.dmp
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaw.exe
| MD5 | 6f87ccb8ab73b21c9b8288b812de8efa |
| SHA1 | a709254f843a4cb50eec3bb0a4170ad3e74ea9b3 |
| SHA256 | 14e7a1f2f930380903ae3c912b4a70fd0a59916315c46874805020fe41215c22 |
| SHA512 | 619b45b9728880691a88fbfc396c9d34b41d5e349e04d2eb2d18c535fffc079395835af2af7ca69319954a98852d2f9b7891eff91864d63bf25759c156e192ee |
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\java.exe
| MD5 | 0511abca39ed6d36fff86a8b6f2266cd |
| SHA1 | bfe55ac898d7a570ec535328b6283a1cdfa33b00 |
| SHA256 | 76ae68fc7c6c552c4a98c5df640cd96cf27b62e7e1536b7f7d08eff56fcde8b8 |
| SHA512 | 6608412e3ed0057f387bafcddcb07bfe7da4f207c7300c460e5acc4bd234cec3362191800789eb465eb120ec069e3ed49eabb6bd7db30d9e9245a89bb20e4346 |
memory/408-355-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1476-354-0x00007FF6BA740000-0x00007FF6BA949000-memory.dmp
memory/1476-357-0x00007FF6BA740000-0x00007FF6BA949000-memory.dmp
memory/1160-359-0x0000000000400000-0x000000000041B000-memory.dmp
memory/3672-360-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4316-361-0x0000000000400000-0x0000000000779000-memory.dmp
memory/1160-362-0x0000000000400000-0x000000000041B000-memory.dmp
memory/3672-363-0x0000000000400000-0x000000000041B000-memory.dmp
memory/3960-364-0x00007FFD5C550000-0x00007FFD5C69B000-memory.dmp
memory/3960-365-0x0000021857500000-0x0000021857502000-memory.dmp
memory/1160-367-0x0000000000400000-0x000000000041B000-memory.dmp
memory/3672-368-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1160-370-0x0000000000400000-0x000000000041B000-memory.dmp
memory/3672-371-0x0000000000400000-0x000000000041B000-memory.dmp
memory/3672-376-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1160-375-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4316-388-0x0000000000400000-0x0000000000779000-memory.dmp
memory/4316-398-0x0000000000400000-0x0000000000779000-memory.dmp
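Most rows of the Network table are resolver noise (PTR lookups of addresses the sandbox already saw, and mDNS to 224.0.0.251), and the Files list mixes the sample's own drops with installed application binaries whose hashes changed, plus one file (directx.sys) whose digests are those of zero bytes. The following is an added example, not part of the sandbox report, serving both the Network table and the Files list: it parses a constructed excerpt of the two tables into queried names, contacted endpoints and names that were queried but never connected to, then labels each file by location and flags empty files by computing the empty-input MD5 rather than hardcoding it. The location labels and the treatment of 8.3 short names (PROGRA~2 as Program Files) are assumptions of the example.

```python
"""IOC extraction over this report's Network table and Files list.

Added example, not part of the sandbox report. REPORT is a constructed
excerpt of the two tables above; LOCATIONS and the handling of 8.3 short
names are assumptions of the example.
"""
import hashlib
import ipaddress

EMPTY_MD5 = hashlib.md5(b"").hexdigest()  # MD5 of zero bytes

REPORT = r"""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xred.mooo.com | udp |
| US | 8.8.8.8:53 | freedns.afraid.org | udp |
| US | 69.42.215.252:80 | freedns.afraid.org | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | kinh.xmcxmr.com | udp |
| US | 8.8.8.8:53 | kinh.xmcxmr.com | udp |
| US | 8.8.8.8:53 | morgellonsfocusonhealth.com | udp |
| IT | 185.196.9.203:443 | morgellonsfocusonhealth.com | tcp |
| US | 8.8.8.8:53 | docs.google.com | udp |
| GB | 142.250.200.14:443 | docs.google.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\look2.exe
| MD5 | 2f3b6f16e33e28ad75f3fdaef2567807 |
memory/4048-128-0x0000000000400000-0x0000000000779000-memory.dmp
C:\Windows\directx.sys
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
| MD5 | 316cf123fc3021e85e4a3cb3d703e83e |
"""


def _cells(line):
    return [c.strip() for c in line.strip().strip("|").split("|")]


def parse_report(text):
    """Split the Network rows and the Files entries out of the report text."""
    section, rows, files = None, [], []
    for line in (ln.strip() for ln in text.splitlines()):
        if line in ("Network", "Files"):
            section = line.lower()
        elif not line or line.startswith("memory/"):
            continue                      # memory dumps carry no hashes
        elif section == "network" and line.startswith("|"):
            c = _cells(line)
            if c[0] == "Country":
                continue                  # header row
            if c[3] == "" and c[2] in ("tcp", "udp"):
                c[2], c[3] = "", c[2]     # protocol slid into the Domain column
            rows.append(dict(zip(("country", "dest", "domain", "proto"), c)))
        elif section == "files":
            if line.startswith("|"):
                algo, digest = _cells(line)
                files[-1]["hashes"][algo] = digest
            else:
                files.append({"path": line, "hashes": {}})
    return rows, files


def network_iocs(rows):
    """Separate attacker-relevant names and endpoints from resolver noise."""
    queried, contacted, endpoints = set(), set(), set()
    skipped = {"reverse": 0, "multicast": 0}
    for r in rows:
        ip, port = r["dest"].rsplit(":", 1)
        if r["domain"].endswith(".in-addr.arpa"):
            skipped["reverse"] += 1       # sandbox PTR lookups of seen IPs
        elif ipaddress.ip_address(ip).is_multicast:
            skipped["multicast"] += 1     # mDNS chatter on 224.0.0.251
        elif r["proto"] == "udp" and port == "53":
            queried.add(r["domain"])
        else:
            contacted.add(r["domain"])
            endpoints.add(r["dest"])
    return {"queried": queried, "contacted": contacted, "endpoints": endpoints,
            "unanswered": queried - contacted,  # queried, never connected to
            "skipped": skipped}


LOCATIONS = (  # lower-cased path prefix -> label (assumed mapping)
    ("c:\\users\\", "user_profile"),
    ("c:\\programdata\\", "programdata"),
    ("c:\\progra~", "program_files"),
    ("c:\\program files", "program_files"),
    ("c:\\windows\\", "windows"),
)


def triage_files(files):
    """Label each listed file by location and flag zero-byte files."""
    out = []
    for f in files:
        p = f["path"].lower()
        label = next((n for prefix, n in LOCATIONS if p.startswith(prefix)), "other")
        if label == "user_profile" and "\\temp\\" in p:
            label = "user_temp"
        out.append({"path": f["path"], "location": label,
                    "empty": f["hashes"].get("MD5") == EMPTY_MD5})
    return out


if __name__ == "__main__":
    rows, files = parse_report(REPORT)
    print(network_iocs(rows))
    for entry in triage_files(files):
        print(entry)
```

The "unanswered" set is the useful derived fact: a name that is queried over and over with no TCP connection recorded afterwards (kinh.xmcxmr.com in the full table) most likely did not resolve during the detonation, which is worth knowing before blocking or sinkholing it. Files labelled program_files are existing application binaries that now carry new hashes; compare them against a clean, vendor-signed copy rather than treating the hash alone as an indicator.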