neshta | 3f2f807909bd394fdd62a8610cba8ea933cdcdcfc4d1692d506dc52805b0790e

Analysis

max time kernel
141s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 19:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
Size

483KB
MD5

b8ca3b185e0221af2b3963b1e0aa9a55
SHA1

7ab65efceb9265434ec8f5911744ceee4ee8506f
SHA256

3f2f807909bd394fdd62a8610cba8ea933cdcdcfc4d1692d506dc52805b0790e
SHA512

232d7695fa9cbe28428bd6b36de17640e6771025d75114c01ea8026690fa699898dba9d35da75dd2dd6f026983d3937b8869af5aea1ae714470113eb4c46ab4a
SSDEEP

6144:k9I5c/572jwhhwVgS0YYljRKSVAQSeTrJQOcsPWWqXMsZ1RdHnW++Pgq7GqeceA5:jc/5721VghlVP1TlQEW5XvzjJqec5BzH

Score

10^/10

neshta discovery persistence spyware stealer upx

Malware Config

Signatures

Detect Neshta payload 4 IoCs

resource	yara_rule
behavioral2/files/0x0006000000020238-132.dat	family_neshta
behavioral2/memory/4844-215-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4844-218-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4844-221-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4140	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a00000002342c-4.dat	upx
behavioral2/memory/4140-11-0x0000000000400000-0x000000000050E000-memory.dmp	upx
behavioral2/memory/4140-214-0x0000000000400000-0x000000000050E000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4140	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
4140	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4844 wrote to memory of 4140	4844	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe	85
PID 4844 wrote to memory of 4140	4844	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe	85
PID 4844 wrote to memory of 4140	4844	b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Users\Admin\AppData\Local\Temp\3582-490\b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

Filesize
86KB

MD5
3b73078a714bf61d1c19ebc3afc0e454

SHA1
9abeabd74613a2f533e2244c9ee6f967188e4e7e

SHA256
ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

SHA512
75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\b8ca3b185e0221af2b3963b1e0aa9a55_JaffaCakes118.exe

Filesize
443KB

MD5
68efcc574eecf1f28bb4760eaae588d0

SHA1
af5e063cd7c33a9aabca8d82ce943226c569b8cb

SHA256
f5f606d7cd434172abadb840fb6af63f682205dd3eaece20cb41dfb2724fc640

SHA512
1fe4a9a57c9a54fa41f0c0b78ea5812ead2604409cfe3e542e31f895b31cf37ea9989dddc45a5e84a6fff1248dbdbc636bd652294ad6b5877699cabdec6cce09

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish240609296\bootstrap_45479.html

Filesize
156B

MD5
1ea9e5b417811379e874ad4870d5c51a

SHA1
a4bd01f828454f3619a815dbe5423b181ec4051c

SHA256
f076773a6e3ae0f1cee3c69232779a1aaaf05202db472040c0c8ea4a70af173a

SHA512
965c10d2aa5312602153338da873e8866d2782e0cf633befe5a552b770e08abf47a4d2e007cdef7010c212ebcb9fefea5610c41c7ed1553440eaeab7ddd72daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish240609296\css\main.css

Filesize
2KB

MD5
1633a849b3259c9f3bf42a61c7dc4aad

SHA1
563284abaa9a4766b0386d84953a8025a710e706

SHA256
8801d8472baeba473bdfbddc07a681399641744e0096f5738178016de9f2b699

SHA512
52eef17ae9b4c9f6dc7a42eb4e18762ba275b903d97291ddad367b5d3040ed831d760f21162fae7b262e9754af2c2a112facf6563f0f3074a2e64d3c65ee6f5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish240609296\css\progress-bar.css

Filesize
354B

MD5
02e0568b3ec869192fd02ac1c8dceb01

SHA1
34fbcfeff36bf67480d002422d045da318b1b066

SHA256
ad868e38e0a3652e9ade55414240ee10a5b611be43e813b5e5c3a8a7267184ee

SHA512
12d8853c3a0ed8619a1c142c4f47fc80e84dce85ceed757c024d7a05999aaa6b6e199f595a956e9c06b68d4a66f55d68b216c0110ca41906062d040f566a4776

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish240609296\images\green_btn.png

Filesize
1KB

MD5
af79093f546c33df9c7d611b1679b204

SHA1
b20cd1e4305ecf062c600744a69354378b2d5b0c

SHA256
d7d33460bf7ba5d80af40e9d7436fa9fd1f270fdbce7246dfb1af5e74c52a8c0

SHA512
c93c6551d103a0e466247318df6dc01e56096f61a07c865c928a6c622923b279ec358481daf54a98c4a2aeb1c9675831cc68b3b284b9503c6a950ddf41837191

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish240609296\images\grey_btn.png

Filesize
1KB

MD5
a3a8fc73c463d664e974deb785879a54

SHA1
9921ac8f3ad125419875c53dff60b72bb461d8a6

SHA256
e9c48318d514b58c2ac8cf9005806579e87313e47d521823c15dcd389247ac80

SHA512
28ec81c6b47c11dda34667e2b3c68d509c28977a5adff1d97423638be2d3b1192d09ee193ce7f71f41986312b4f5f0fc31ce1fe5e6c5fd1d9237d756e99308fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish240609296\images\loader.gif

Filesize
8KB

MD5
a27ffbba261e7d202bc595db4ef02a24

SHA1
83be172e78b7c4cf303b7bd3bccfbf2fc0330029

SHA256
6a5626abfd30faa68956f7b0af4bf0c8977adbc9b5f69217b19421cd9fc1f68e

SHA512
1bd82e41755608dfede0077ba1c053afaaec2152030da0d5aa4f4879d4d15f89d6fd3f4522aee522b2dab18a65d9b80ae7e9c870adeeef7b279b293172297b09

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish240609296\images\loading.gif

Filesize
419B

MD5
bf09337ebdd68763060cbd7b5e934fda

SHA1
14cd064c97c60da895c1b08569dc7961fc5320b5

SHA256
b27be16124eac99a97922357fdac1aef7d1efb339a223946dcf50a1b0fd9913e

SHA512
dd11a82b4a18d3111c85f7829020dd5e37f3935f8c2142992557187a98ca1aec58ad572382b386fee16604a32aa57a607361a7775bcf07e08a03324c2d9c9c00

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish240609296\images\main.png

Filesize
4KB

MD5
8279be72a28bcf097489e57b58df98e9

SHA1
8a1c9c47449c8291ce4ec6c27e19598c75ed3ed7

SHA256
505219690ce590ec4fafe19ed4a4a1eb453be5d6d236ab5210b0a260b768420e

SHA512
0cea0b6f5b2ff6ade1260a68b97532842cd5f6867e04083f70c25e38aa5a26309996d54a4a057d9805dec3aef07484efcd1ef869c6631d48f4c6859d89143e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish240609296\images\offer-loader.gif

Filesize
8KB

MD5
d741c1ae58697a7b931f86c44f0add9b

SHA1
41c7a22a3bef3f75b29fcbd86f5c4793bdd43e70

SHA256
2dab75dfae14d9bdec1b1457b8fb5949189f0784bcd5f56ced0db87b803886ab

SHA512
d581235ba3d018df8d70ee100a2ec3228dffb95f936140c4a552530a0bb5955173fc9a8ea275013415b7cc84154bc2b367c10a3e6718dc26f7ed5cc7f59b5062

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish240609296\images\pause_btn.png

Filesize
982B

MD5
14b92cbe22ef5a31a5533d0ab114537e

SHA1
e428f1b0236f7a85faf045237a7cd29a305d936c

SHA256
a2226e2f7dd1ea319e49b1ff1d277a44b35a314ea6d32be1832e71ddebcc18ba

SHA512
b585c5852960d89726d97ddb8e757abe0d36bfb2b5c91a30885e299728d836a048c7a3c5b5e85fbd514e2217d547330d816de497f38204578d333654c8d19f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish240609296\images\progress.png

Filesize
153B

MD5
80223145f64ca1caf3d884dfac4301e8

SHA1
155399ce252ef81f06351bb2adf44c21f1f37037

SHA256
c388b032baee6032d1a76093c51c5eda840d0116da48336401b78a61297e64a7

SHA512
285bf4b5c42971e150eae995479994bf7cccac8b2c7b8f5458ba2cb6b4e2cb4816b5be24c511d41bccca0944cebb931fd31d8bcccba33a503259ef127e90359a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish240609296\images\progress_bar.png

Filesize
331B

MD5
db095e8b1e60adee3f06435486e35d37

SHA1
da83976c1ad827de006a0febefa12a164e4bc03c

SHA256
e18c192348d1ee923d1d3d25740d8972abddb2316708456320df78b7001c1df5

SHA512
985b010c5dfd4c9a7de2cbb95803a36117b647c12e69a9582b46b0394343994f65f38d3d82ffb5e4c4f723f7fcf9b05e9936e33f9a053be36e86605beca51466

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish240609296\images\resume_btn.png

Filesize
985B

MD5
05e22e0225f53b69a44b443540c20324

SHA1
af5eb7ebf4f053b17d19a678ec84c329e632b2df

SHA256
139ff055cec5379c1b58b9b1eb1f205890c5464f58f86eee80f9bc938857705a

SHA512
1c754458da075e504f3463cb72d683b8affa553a39083a2565ebe2e664ebf3400546bc687e0058097d256f86f0cc538439178ad8ee0c91abaa745c1bf977dbc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish240609296\images\secure_dwnl.png

Filesize
2KB

MD5
cc19d50e4929c2f34469ac0048d61ef7

SHA1
2018d01bbc54da234108a48eecb2a44aec65e1b4

SHA256
9a30ef045db96855ecd50ab0bbc33d7bc0e6ac496df0416163fa9112ca23567b

SHA512
75c2867c5850c556b19cfd06fea8e3f8ec126a95315757ef0349b0f930f83c1b80aef71135f94a7e881c300cf224363829e9dba40aaad617ab94455ad92b3e97

Download Submit
memory/4140-13-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/4140-11-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/4140-214-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/4140-217-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/4844-215-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4844-218-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4844-221-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads