82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
06/06/2024, 02:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
Size

1.1MB
MD5

602faf2b2861a0daaa40542abf823102
SHA1

da12ddc68e3e679be0ca0874e01003ea8fa354ef
SHA256

82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6
SHA512

e027f8b63f9ded1ef561005fac56ff01d11e12a41f2dff7353d67ffffa3d3e401c2c78686ddbb6faa77085c473dc4dd5dca1d0595affbd91afe0545510c85450
SSDEEP

24576:WxWVeyRYEwzYDteYIpLU4O8b8ITDnlieqiG:W8YBU4O8b8ITDnlieqv

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3004	hxdsuimicrosoft.exe
1776	msader15operating.exe
956	msb1xtoroffice.exe
2612	dexploitationmicrosoft.exe

Loads dropped DLL 4 IoCs

pid	Process
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\EngineSource = "C:\\Users\\Admin\\AppData\\Local\\Temp\\82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe"	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\msb1xtorwtsp61ms14.0.4730.1010 = "c:\\program files (x86)\\common files\\microsoft shared\\translat\\msb1xtoroffice.exe"	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\InstallerApplication = "c:\\program files (x86)\\common files\\adobe air\\versions\\1.0\\installeradobe.exe"	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\OperatingSystem = "c:\\program files (x86)\\common files\\system\\ado\\ja-jp\\msader15operating.exe"	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\Microsoftdexploitation = "c:\\program files (x86)\\common files\\system\\fr-fr\\dexploitationmicrosoft.exe"	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EngineOffice = "C:\\Users\\Admin\\AppData\\Local\\Temp\\82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe"	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\MicrosoftMicrosoft = "c:\\program files (x86)\\common files\\microsoft shared\\help\\1036\\microsofthelp.exe"	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\HXDSUIMicrosoft = "c:\\program files (x86)\\common files\\microsoft shared\\help\\1040\\hxdsuimicrosoft.exe"	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BCSSync = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\BCSSync.exe\" /DelayServices"	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ntdll.dll.dll	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\SysWOW64\ntdll.dll.dll	hxdsuimicrosoft.exe
File created	C:\Windows\SysWOW64\ntdll.dll.dll	msader15operating.exe
File created	C:\Windows\SysWOW64\ntdll.dll.dll	msb1xtoroffice.exe
File created	C:\Windows\SysWOW64\ntdll.dll.dll	dexploitationmicrosoft.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\HXDSUIMicrosoft.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\MicrosoftHelp.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\ja-JP\RCX6220.tmp	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Program Files (x86)\Common Files\System\fr-FR\dexploitationMicrosoft.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\fr-FR\RCX6221.tmp	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\msb1xtorOffice.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\RCX4C9B.tmp	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\RCX6241.tmp	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\RCX4C5C.tmp	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\RCX4CBB.tmp	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Program Files (x86)\Common Files\System\ado\ja-JP\msader15Operating.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\InstallerAdobe.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\InstallerAdobe.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\HXDSUIMicrosoft.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe

Checks processor information in registry 2 TTPs 15 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	hxdsuimicrosoft.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	msb1xtoroffice.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	dexploitationmicrosoft.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msader15operating.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	hxdsuimicrosoft.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msb1xtoroffice.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msb1xtoroffice.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dexploitationmicrosoft.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msader15operating.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	msader15operating.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dexploitationmicrosoft.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	hxdsuimicrosoft.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3004	hxdsuimicrosoft.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
1776	msader15operating.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
956	msb1xtoroffice.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
2612	dexploitationmicrosoft.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 3004	3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe	30
PID 3056 wrote to memory of 3004	3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe	30
PID 3056 wrote to memory of 3004	3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe	30
PID 3056 wrote to memory of 3004	3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe	30
PID 3056 wrote to memory of 1776	3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe	32
PID 3056 wrote to memory of 1776	3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe	32
PID 3056 wrote to memory of 1776	3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe	32
PID 3056 wrote to memory of 1776	3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe	32
PID 3056 wrote to memory of 956	3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe	34
PID 3056 wrote to memory of 956	3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe	34
PID 3056 wrote to memory of 956	3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe	34
PID 3056 wrote to memory of 956	3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe	34
PID 3056 wrote to memory of 2612	3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe	35
PID 3056 wrote to memory of 2612	3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe	35
PID 3056 wrote to memory of 2612	3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe	35
PID 3056 wrote to memory of 2612	3056	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe	35

C:\Users\Admin\AppData\Local\Temp\82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
"C:\Users\Admin\AppData\Local\Temp\82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3056
- \??\c:\program files (x86)\common files\microsoft shared\help\1040\hxdsuimicrosoft.exe
  "c:\program files (x86)\common files\microsoft shared\help\1040\hxdsuimicrosoft.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:3004
- \??\c:\program files (x86)\common files\system\ado\ja-jp\msader15operating.exe
  "c:\program files (x86)\common files\system\ado\ja-jp\msader15operating.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1776
- \??\c:\program files (x86)\common files\microsoft shared\translat\msb1xtoroffice.exe
  "c:\program files (x86)\common files\microsoft shared\translat\msb1xtoroffice.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:956
- \??\c:\program files (x86)\common files\system\fr-fr\dexploitationmicrosoft.exe
  "c:\program files (x86)\common files\system\fr-fr\dexploitationmicrosoft.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\InstallerAdobe.exe

Filesize
1.1MB

MD5
0b9deb418ab02a6434b80d70f2e4d8d7

SHA1
2949106551e256f9fb1fa84bfd4731f45f1cee6a

SHA256
df798e1a217c462d0d99726a1e616cd5c71662cf5eb8aa3e4976596bc34801b2

SHA512
3ae5a760462202b9dd1dac1c6b84f3effe0368aef478518bacb183d4b21107c233a1a252bf459913c9cfada4e91410ec526fafadea850fed5bbce337e9722d17

Download Submit
C:\Program Files (x86)\Common Files\System\ado\ja-JP\msader15Operating.exe

Filesize
448KB

MD5
7d41a96c6f4d84ddf8d5290ee601687d

SHA1
9514ca828a52ce12fd89ac5fa34d4bdec1a7824a

SHA256
c8beca6b02b3403375d5394186577e5c153624da0537df7d3ac4c4d728c442d6

SHA512
1fbd5240bfab6d881fe5b7834d9e6be59a5f825b5ce7fe4f4aaf71fe6ee50342b89ea5db2eaa0fd8954f5db227d3670866de5d9e7dc8d6ab242690655c5b497f

Download Submit
C:\Program Files (x86)\Common Files\System\fr-FR\dexploitationMicrosoft.exe

Filesize
448KB

MD5
bbec782eb59e5afde2b6a92a962369a5

SHA1
ee5f3b66b163cb47b38c07f40c9ac3b4071ec6e0

SHA256
fe96b5b07daa6704a32a1e271f4f66ee0105e2154fbb94d3f8e61642b4997fac

SHA512
aa2756f17f1e15938379650fd4328e4f02b6c0054b51c0fa46acb292f96ee83d431468897878c6d7db521ba10b143379f795f96715a318eb9762f8d351c62f13

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\HXDSUIMicrosoft.exe

Filesize
1.1MB

MD5
602faf2b2861a0daaa40542abf823102

SHA1
da12ddc68e3e679be0ca0874e01003ea8fa354ef

SHA256
82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6

SHA512
e027f8b63f9ded1ef561005fac56ff01d11e12a41f2dff7353d67ffffa3d3e401c2c78686ddbb6faa77085c473dc4dd5dca1d0595affbd91afe0545510c85450

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\msb1xtorOffice.exe

Filesize
1.1MB

MD5
50b1f18dd5a21c5594e098181408402a

SHA1
c2207c98d4e4ce20545e984af58de41aab141685

SHA256
a3cc9bb6cbf7fc7cf88a7b73463448d7b66bb1ca4df32fbc5339f88312b2f6fb

SHA512
87a67d59021b01b5010f30731055337d5ceefe78c25d5e87dfe95c5ea3f0099a58b03626beb84d31382854667ce4ab01528d7dd078d9562a2e14f5960d540cdf

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\msb1xtorOffice.exe

Filesize
128KB

MD5
767ade95131f7424e5e46aa52cb75455

SHA1
506429fae5ab3fbc43f48139a1a284645d8b4a6d

SHA256
b57e098466d84015aef303d5c6408d7ee7a9f0873df6bd2b9061a22aa0764488

SHA512
80f52f82d36b04187a82b5497a07820885a57d8c51ffd7d56533ca7cef7410827661eb08038dcede92c5af24de5e382b36a20efd14b58994e0c1a23345738af0

Download Submit
\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\msb1xtorOffice.exe

Filesize
448KB

MD5
a3b19e81780db94329deefbc4980e937

SHA1
3feaa00d07129c050575b13e37658553d6f7fdc5

SHA256
03dd73e55e9193b64c2ca09f89e4ec3bd880d1792738528cf45da9e5c2ab8c1a

SHA512
3d9e118ab3c633f4bbf3fe6ed993acdcf2bdc707a746d5482face5d4faee5ddd59eeb394f80c5c06662f65b640e2078b7abe930281ae123f278193062bfc22de

Download Submit