neshta | e593236ed9903c8ba7fbbc9fed15bfd60a7e591cd27f0ba815a1fd1a9aab74bc

Analysis

max time kernel
54s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
05-07-2024 04:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e593236ed9903c8ba7fbbc9fed15bfd60a7e591cd27f0ba815a1fd1a9aab74bc.exe
Size

1.9MB
MD5

53f14218153b3ccb3e55fb6220cfc2ef
SHA1

44c836fa1837f4ee85b076d99050c137501cf345
SHA256

e593236ed9903c8ba7fbbc9fed15bfd60a7e591cd27f0ba815a1fd1a9aab74bc
SHA512

2e3d91b1f4e89df9ebadd2e18fd0a90b6f95bcdfe21e120ad0d4ad0d75a9fef8facfc3a7414fbc8a647d4594ce581e0932a84b93984a8e3c9204dd54729f507d
SSDEEP

49152:Rw2PjCSK6Q70zKaOF0RBl0Id/oz5nxTeYuc9t2:aoBWIA5nxjF9t2

Score

10^/10

neshta predatorstealer persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 41 IoCs

resource	yara_rule
behavioral1/memory/560-1-0x00000000002E0000-0x00000000004D2000-memory.dmp	family_neshta
behavioral1/files/0x000a000000012264-6.dat	family_neshta
behavioral1/files/0x0008000000018f9a-22.dat	family_neshta
behavioral1/files/0x0003000000010343-24.dat	family_neshta
behavioral1/files/0x0002000000010334-27.dat	family_neshta
behavioral1/files/0x0001000000010b93-53.dat	family_neshta
behavioral1/files/0x0001000000011876-63.dat	family_neshta
behavioral1/files/0x00010000000115f9-104.dat	family_neshta
behavioral1/files/0x0001000000011607-106.dat	family_neshta
behavioral1/files/0x0001000000011872-111.dat	family_neshta
behavioral1/files/0x0001000000010f31-113.dat	family_neshta
behavioral1/files/0x0001000000011875-116.dat	family_neshta
behavioral1/files/0x0001000000010f43-117.dat	family_neshta
behavioral1/files/0x0001000000010f4c-123.dat	family_neshta
behavioral1/files/0x0001000000010fc9-130.dat	family_neshta
behavioral1/files/0x00010000000118f7-128.dat	family_neshta
behavioral1/files/0x0001000000010f94-127.dat	family_neshta
behavioral1/files/0x000200000001107f-135.dat	family_neshta
behavioral1/files/0x0001000000011273-140.dat	family_neshta
behavioral1/files/0x0001000000011b5a-143.dat	family_neshta
behavioral1/files/0x0001000000011287-144.dat	family_neshta
behavioral1/files/0x00030000000120d9-148.dat	family_neshta
behavioral1/files/0x00030000000120dd-151.dat	family_neshta
behavioral1/files/0x00050000000055de-163.dat	family_neshta
behavioral1/files/0x000300000000e6f5-165.dat	family_neshta
behavioral1/files/0x0004000000005726-166.dat	family_neshta
behavioral1/files/0x0003000000005ab6-164.dat	family_neshta
behavioral1/files/0x000d0000000056d4-167.dat	family_neshta
behavioral1/files/0x000b000000005986-168.dat	family_neshta
behavioral1/memory/960-169-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2880-170-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/960-171-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2880-172-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/960-173-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2880-174-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2880-176-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/960-175-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/960-177-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2880-178-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2880-182-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/960-183-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
PredatorStealer
Predator is a modular stealer written in C#.
stealer predatorstealer

Executes dropped EXE 2 IoCs

pid	Process
960	windows update.exe
2880	windows update.exe

Loads dropped DLL 17 IoCs

pid	Process
560	e593236ed9903c8ba7fbbc9fed15bfd60a7e591cd27f0ba815a1fd1a9aab74bc.exe
560	e593236ed9903c8ba7fbbc9fed15bfd60a7e591cd27f0ba815a1fd1a9aab74bc.exe
2880	windows update.exe
2880	windows update.exe
2880	windows update.exe
960	windows update.exe
960	windows update.exe
960	windows update.exe
960	windows update.exe
960	windows update.exe
2880	windows update.exe
960	windows update.exe
960	windows update.exe
960	windows update.exe
960	windows update.exe
960	windows update.exe
960	windows update.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	windows update.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	windows update.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	windows update.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	windows update.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	windows update.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	windows update.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	windows update.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	windows update.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	windows update.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	windows update.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	windows update.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	windows update.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	windows update.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	windows update.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	windows update.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	windows update.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	windows update.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	windows update.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	windows update.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	windows update.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	windows update.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	windows update.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	windows update.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	windows update.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	windows update.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	windows update.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	windows update.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	windows update.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	windows update.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	windows update.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	windows update.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	windows update.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	windows update.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	windows update.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	windows update.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	windows update.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	windows update.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	windows update.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	windows update.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	windows update.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	windows update.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	windows update.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	windows update.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	windows update.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	windows update.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	windows update.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	windows update.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	windows update.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	windows update.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	windows update.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	windows update.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	windows update.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	windows update.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	windows update.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	windows update.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	windows update.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	windows update.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	windows update.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	windows update.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	windows update.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	windows update.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	windows update.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	windows update.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	windows update.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	windows update.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	windows update.exe
File opened for modification	C:\Windows\svchost.com	windows update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	windows update.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 560 wrote to memory of 960	560	e593236ed9903c8ba7fbbc9fed15bfd60a7e591cd27f0ba815a1fd1a9aab74bc.exe	29
PID 560 wrote to memory of 960	560	e593236ed9903c8ba7fbbc9fed15bfd60a7e591cd27f0ba815a1fd1a9aab74bc.exe	29
PID 560 wrote to memory of 960	560	e593236ed9903c8ba7fbbc9fed15bfd60a7e591cd27f0ba815a1fd1a9aab74bc.exe	29
PID 560 wrote to memory of 960	560	e593236ed9903c8ba7fbbc9fed15bfd60a7e591cd27f0ba815a1fd1a9aab74bc.exe	29
PID 560 wrote to memory of 960	560	e593236ed9903c8ba7fbbc9fed15bfd60a7e591cd27f0ba815a1fd1a9aab74bc.exe	29
PID 560 wrote to memory of 960	560	e593236ed9903c8ba7fbbc9fed15bfd60a7e591cd27f0ba815a1fd1a9aab74bc.exe	29
PID 560 wrote to memory of 960	560	e593236ed9903c8ba7fbbc9fed15bfd60a7e591cd27f0ba815a1fd1a9aab74bc.exe	29
PID 560 wrote to memory of 2880	560	e593236ed9903c8ba7fbbc9fed15bfd60a7e591cd27f0ba815a1fd1a9aab74bc.exe	30
PID 560 wrote to memory of 2880	560	e593236ed9903c8ba7fbbc9fed15bfd60a7e591cd27f0ba815a1fd1a9aab74bc.exe	30
PID 560 wrote to memory of 2880	560	e593236ed9903c8ba7fbbc9fed15bfd60a7e591cd27f0ba815a1fd1a9aab74bc.exe	30
PID 560 wrote to memory of 2880	560	e593236ed9903c8ba7fbbc9fed15bfd60a7e591cd27f0ba815a1fd1a9aab74bc.exe	30
PID 560 wrote to memory of 2880	560	e593236ed9903c8ba7fbbc9fed15bfd60a7e591cd27f0ba815a1fd1a9aab74bc.exe	30
PID 560 wrote to memory of 2880	560	e593236ed9903c8ba7fbbc9fed15bfd60a7e591cd27f0ba815a1fd1a9aab74bc.exe	30
PID 560 wrote to memory of 2880	560	e593236ed9903c8ba7fbbc9fed15bfd60a7e591cd27f0ba815a1fd1a9aab74bc.exe	30

C:\Users\Admin\AppData\Local\Temp\e593236ed9903c8ba7fbbc9fed15bfd60a7e591cd27f0ba815a1fd1a9aab74bc.exe
"C:\Users\Admin\AppData\Local\Temp\e593236ed9903c8ba7fbbc9fed15bfd60a7e591cd27f0ba815a1fd1a9aab74bc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:560
- C:\Users\Admin\AppData\Local\Temp\windows update.exe
  "C:\Users\Admin\AppData\Local\Temp\windows update.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:960
- C:\Users\Admin\AppData\Local\Temp\windows update.exe
  "C:\Users\Admin\AppData\Local\Temp\windows update.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

Filesize
186KB

MD5
58b58875a50a0d8b5e7be7d6ac685164

SHA1
1e0b89c1b2585c76e758e9141b846ed4477b0662

SHA256
2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae

SHA512
d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe

Filesize
1.1MB

MD5
566ed4f62fdc96f175afedd811fa0370

SHA1
d4b47adc40e0d5a9391d3f6f2942d1889dd2a451

SHA256
e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460

SHA512
cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE

Filesize
588KB

MD5
c275134502929608464f4400dd4971ab

SHA1
107b91a5249425c83700d64aff4b57652039699d

SHA256
ca5263f340cc735ba279532bbd9fe505fcf05d81b52614e05aff31c14d18f831

SHA512
913cadcb575519f924333c80588781caecd6cd5f176dc22ac7391f154ffc3b3f7302d010433c22c96fde3591cac79df3252798e52abf5706517493ef87a7ef7d

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE

Filesize
194KB

MD5
623288b46813a3c1c960b801762a3fde

SHA1
c73da36974aac1c21f57afde8879a8c5fb7b6a4c

SHA256
65777f734ceaa4a20a594cd0b52d7a02ee9a200f01641817ad9526b79117c3ff

SHA512
573d760b64c417dac7d9e765766e38ae465f2c0c0d177933302731048a5f4661964e60676844e57780eb65ef94cbcde1378e75d8d0a30c6a26bc1413e43c3eba

Download Submit
C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE

Filesize
605KB

MD5
8acc19705a625e2d4fa8b65214d7070a

SHA1
ad16e49369c76c6826a18d136bf9618e8e99ec12

SHA256
3fb179a3ae88a3d14db48de29d4b9d43243b80b2118b578b8117ad776ce47f12

SHA512
92e22275194b5a73d825e1e7ad5a5cb5649d3679f545f88328aa72e39c161c4d797b7b3462e590edf546ddbd53c1508a49056f50fa63b113134e1bdc7d977dec

Download Submit
C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE

Filesize
1.7MB

MD5
33cb3cf0d9917a68f54802460cbbc452

SHA1
4f2e4447fabee92be16806f33983bb71e921792b

SHA256
1230b2032d2d35a55cd86d1215eb38fa18bcf590c3c19b9ac4dda5350c24e10a

SHA512
851f0a098020cb1da3f5f48febce3b9eaef3b885df9134b3fb6b364f3a7572a8c516456710a15f66f0a44eff59cfa50f2dc8bb5d274e5c093294b2ea96fd49cb

Download Submit
C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE

Filesize
109KB

MD5
44623cc33b1bd689381de8fe6bcd90d1

SHA1
187d4f8795c6f87dd402802723e4611bf1d8089e

SHA256
380154eab37e79ed26a7142b773b8a8df6627c64c99a434d5a849b18d34805ba

SHA512
19002885176caceb235da69ee5af07a92b18dac0fb8bb177f2c1e7413f6606b1666e0ea20f5b95b4fa3d82a3793b1dbe4a430f6f84a991686b024c4e11606082

Download Submit
C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE

Filesize
741KB

MD5
5d2fd8de43da81187b030d6357ab75ce

SHA1
327122ef6afaffc61a86193fbe3d1cbabb75407e

SHA256
4d117648525a468532da011f0fc051e49bf472bbcb3e9c4696955bd398b9205f

SHA512
9f7470978346746b4e3366f9a6b277aa747cc45f13d36886fc16303221565d23348195b72ac25f7b1711789cd7cb925d7ceea91e384ef4f904a4e49b4e06d9b2

Download Submit
C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE

Filesize
392KB

MD5
25b9301a6557a958b0a64752342be27d

SHA1
0887e1a9389a711ef8b82da8e53d9a03901edebc

SHA256
5d916f7c7f6cb6cfd7545a57cb9c9d9c6df16af3517298c346901081a9135303

SHA512
985f6b2fcac2f0425a1a339a55616012879a393caa747412d04c1ee4de3b12aff2cc051860066d84ecbeae335eaa5116ccb8a02090a2674eded367378c56b1ab

Download Submit
C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE

Filesize
694KB

MD5
7a4edc8fb7114d0ea3fdce1ea05b0d81

SHA1
02ecc30dbfab67b623530ec04220f87b312b9f6b

SHA256
ff16fdc703e55ddfe5ee867f343f3b20b496e7199c6c4b646335a01026f74550

SHA512
39519685b1dd872008abfa967f79fd3b7a5e6f6ee1b9c3de891aae64490b2d0feb56bcd3f5dab4527d2c6d07646db5966028df153f38a1c09ee88a1ba9a1ef44

Download Submit
C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE

Filesize
144KB

MD5
a2dddf04b395f8a08f12001318cc72a4

SHA1
1bd72e6e9230d94f07297c6fcde3d7f752563198

SHA256
b35e60f1551870c1281d673380fe3101cd91b1f0b4d3c14c2383060f5e120373

SHA512
2159df98d90467720b738be68bee5aba38980d2449c18d2ea4b7b9bae7d222b4a85845d0f9597017d0ee417964190bc3d95cb4809e33aac16b6cfa6ec200dce3

Download Submit
C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE

Filesize
127KB

MD5
154b891ad580307b09612e413a0e65ac

SHA1
fc900c7853261253b6e9f86335ea8d8ad10c1c60

SHA256
8a3598c889dbcb1dca548a6193517ed7becb74c780003203697a2db22222a483

SHA512
39bf032033b445fc5f450abec298ea3f71cadecfeafc624f2eb1f9a1d343a272181a874b46b58bb18168f2f14d498c3b917c3392d4c724fe4e5ae749113c2ad6

Download Submit
C:\PROGRA~2\MICROS~1\Office14\OIS.EXE

Filesize
308KB

MD5
4545e2b5fa4062259d5ddd56ecbbd386

SHA1
c021dc8488a73bd364cb98758559fe7ba1337263

SHA256
318f1f3fbdd1cf17c176cb68b4bc2cf899338186161a16a1adc29426114fb4f8

SHA512
cf07436e0219ca5868e11046f2a497583066a9cf68262e7cca22daad72aded665ac66afea8db76182c172041c45fcef1628ea6852751c4bf97969c9af6cfefa1

Download Submit
C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE

Filesize
1.6MB

MD5
08ee3d1a6a5ed48057783b0771abbbea

SHA1
ebf911c5899f611b490e2792695924df1c69117d

SHA256
3f6decd82b72a5ba1ee224b52d9fbd6486be22a0b855e28eaad47ae92df266f0

SHA512
1711d023c60d4b047d553a654797bc3a2eecd951b310698c1a2c549e136c33f55e0fc1167a4a38f793b7796f7cfc3fb30017935127b147a21da2812eb38faac5

Download Submit
C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE

Filesize
1.4MB

MD5
5ae9c0c497949584ffa06f028a6605ab

SHA1
eb24dbd3c8952ee20411691326d650f98d24e992

SHA256
07dd9364be7babc5f9a08f0ccd828a9a55137845df1782b147f12943f234ea4e

SHA512
2e99bb500c281c367cc54fa283905b2537905ea4fe8986f676adbb1aaf58460dd2db082bb46a3dbe9dc836fbae3ee8832990839432dd99c74de58cc9b9295788

Download Submit
C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE

Filesize
1.8MB

MD5
fc87e701e7aab07cd97897512ab33660

SHA1
65dcd8e5715f2e4973fb6b271ffcb4af9cefae53

SHA256
bb1814297615d6b22fa20ee4f8613c8bc9fa67d93cb7fe032f46f377569e2f46

SHA512
b03e3b3f7b0f11b85757d8bf5678542f4281407e95cf8e074da4ddc421c217fcfaf23cc927ccd0bbca2891a424b2d3565072aba6406dc46c2fa1fdba7a249eec

Download Submit
C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE

Filesize
1.5MB

MD5
93766da984541820057ae0ab3d578928

SHA1
ea19a657c6b1b5eb5accc09c45dcf04f063151c3

SHA256
ad3a9f7beaaea0bc49a7ccba83198cfb2882d462441203684076695b0ef6c514

SHA512
e14c86e13ab79fa9b9eb1a05d69764d522c4acfab7742c200080b215bb3bc31ec7f3dd2abf44cbc996d2e58a0ca1990b18ab055b232b243fe61b5fb018a9b719

Download Submit
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE

Filesize
267KB

MD5
15163eb05b0a8f65a5ca3c74a658077d

SHA1
8b116062a5754fa2d73fc4df9f635283ae1ccd02

SHA256
8751c43ee0f3f0e080103a9b77be9e79346004769ed43d4cadd630ea15d26dcf

SHA512
a8299e9a522aa58429847920b999598551c1863f63ba473178f61cde43fb91cab6ef62c9e1a51268e54338e012ccfe6428a7c37bc89007d1604fafa2560258c9

Download Submit
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE

Filesize
141KB

MD5
7e3b8ddfa6bd68ca8f557254c3188aea

SHA1
bafaaaa987c86048b0cf0153e1147e1bbad39b0c

SHA256
8270ecef6079a21f5ae22f1a473e5eb8abac51628367f4acf6466529ba11d7e2

SHA512
675ca07cdb787b3f624eae9707daf519214f8dc4670c524cef5110c9dba197e833cedb051919c757c58a3687e63cf175d1397d8ce69c5995f4eab3b85f6dafbb

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE

Filesize
526KB

MD5
7a81734925f7cb7617fa8c5949434d2d

SHA1
d235362248820a3e01111535ac0d383d0cf8f602

SHA256
2612a37955b885949d4a77596f9065b138504551d3332f91a245abd16d7cb44b

SHA512
68dfdac4d323ff3bff140ae39cd15f8adc0744a9808484b51ebeef3552fc5b796ddb4e0161863ce41b5230bbc91245917970b73f05429504ee8f944ae190affb

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE

Filesize
714KB

MD5
3c86c25a76c1413747ae8851bead4bac

SHA1
9342be761a661f51d85fd49fa9b75818aa0c4851

SHA256
b7ff698e4395c9e682027bc710a529139dcc602d97e374fc294bcf5198073493

SHA512
e70376561100d6a4769bc91e4daa3c224ed39f8412391a5ee9b9cae83d08dd2229a25f9099f5336810a757d95b6e81faa30608f35d8761b1c4cc0f41313cb43f

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE

Filesize
715KB

MD5
06366e48936df8d5556435c9820e9990

SHA1
0e3ed1da26a0c96f549720684e87352f1b58ef45

SHA256
cd47cce50016890899413b2c3609b3b49cb1b65a4dfcaa34ece5a16d8e8f6612

SHA512
bea7342a6703771cb9b11cd164e9972eb981c33dcfe3e628b139f9e45cf1e24ded1c55fcdfa0697bf48772a3359a9ddd29e4bb33c796c94727afd1c4d5589ea3

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE

Filesize
536KB

MD5
349c6f2f4e32553e8fea4d29772e40e6

SHA1
e2f7856aa519006f8cbc9943cc3fb34c4461932d

SHA256
7c4fd44a9cda339ac3e7fa93b0b2a24b1e0ac16996dbb19cfdcd6323170b1fd3

SHA512
0b9f9aafb1a682f9e5a5dccae0dc19e3cf21c5d2aa4df3e22311f5744255f668e9a1e11ee21f2656d9f45236c484e0b7b460a57db1c34f2d344bd4cbece42588

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE

Filesize
525KB

MD5
261b20dc81bdd7def64bc1bcee858a37

SHA1
75965a4be13e839a39685bc818c79cd98c0edb10

SHA256
63927b22c5fc994790c3365460bd421f587138b7074aabe046e379f428ab4298

SHA512
6e76356b663e131d7eabdfee3b2ce80934f7630593d84cdd1566991e02bf38d60337ce2a1c893f7b9c35bdf8cc44b84ae9855b1e13f94d257ed70206a125f330

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE

Filesize
495KB

MD5
07e194ce831b1846111eb6c8b176c86e

SHA1
b9c83ec3b0949cb661878fb1a8b43a073e15baf1

SHA256
d882f673ddf40a7ea6d89ce25e4ee55d94a5ef0b5403aa8d86656fd960d0e4ac

SHA512
55f9b6d3199aa60d836b6792ae55731236fb2a99c79ce8522e07e579c64eabb88fa413c02632deb87a361dd8490361aa1424beed2e01ba28be220f8c676a1bb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\windows update.exe

Filesize
1.3MB

MD5
382d5863f3ce1b5a2230a380cffbddb7

SHA1
450bfb8654c363242979ba1fb0c1854c61d95aa6

SHA256
8ba6eca5fc9bd451306f79b17beb58ab634b11bdca6824450d22d307a996cdad

SHA512
823ac76685b651c4878e0211b5ca9048fb739e05af4c26e40e6173a812b3753867a4bff09fdd3f17c128714672ca28baa04a0cd30554426cfb4e8b48c5882c30

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp

Filesize
8B

MD5
c684a258d6f96f74f6f0cf44d55731f6

SHA1
f1ebf8cf4c0edae906b462acd40145d8432d9161

SHA256
f9ec00c5968fa27b7cd794bed476ee079ec54cecd764bd7781fc11ee2bf8f17b

SHA512
17095cedee7cb71a8b5618fed19299a86b3db89525ca2a6abf4744766139ef32e91f70fad2603b06010bbcc2b918b6e6ffc5725c8225244350336984441c0fdb

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
25824b4594ccc54fbf3f2f600edb261f

SHA1
4db87e1187f9662fa8938ea07597634f3949d058

SHA256
30f5897e2825899d8936452d0d8d518555c1c01bd4b936e8d3ed160fed51cea5

SHA512
b7c5403c22a627dc1e9a0d66c117bd3434bc923fa107c6860046deed041a780b55cfc4a6dda4a2f891dbcf66b27067e32bd275d5b8d1657fb56aeb889c50b499

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\PROGRA~2\MICROS~1\Office14\PPTICO.EXE

Filesize
3.7MB

MD5
525f8201ec895d5d6bb2a7d344efa683

SHA1
a87dae5b06e86025abc91245809bcb81eb9aacf9

SHA256
39a089d363b15c37cca9f747a17e89ad1dbe0bc86ff23466526beaa5e36d6d4b

SHA512
f0a2070f11eb3f0bdf996ada42becc7710aab76e84268e5cdbbd9ecbf13ef5fb85b52b6227711137a9c511f8d731b018530cbf1935f8fcfd61ff2ef6c1348d63

Download Submit
\Users\Admin\AppData\Local\Temp\windows update.exe

Filesize
1.3MB

MD5
c2e6f93ed18d8997b8e3f42bc1436334

SHA1
b978d6a32e5d240a68f0375f59fd3eb3aacb85e1

SHA256
0ea59cdf4c49e10f0b6523af21b81ce1d6fb74816a050e02a9750d8752b860ad

SHA512
330d1544d6b36ebdc309c666babb35dbad73f6057606d2d0cd0b4c8a548d3667327f6a68160a3faa6e3ad965235393bab18d2a8ed262bab78ecf40153c6e971c

Download Submit
memory/560-0-0x000000007477E000-0x000000007477F000-memory.dmp

Filesize
4KB

Download
memory/560-1-0x00000000002E0000-0x00000000004D2000-memory.dmp

Filesize
1.9MB

Download
memory/960-171-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/960-173-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/960-175-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/960-177-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/960-169-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/960-183-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2880-170-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2880-172-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2880-174-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2880-176-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2880-178-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2880-182-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads