neshta | af27c5ab9e64db813ad6a8636af0462f5323eca30c67fef5d9f0a1e684658a9b

Analysis

max time kernel
52s
max time network
38s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
12-10-2024 09:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3943063d8a8fb69b50caf1acfead34ee_JaffaCakes118.exe
Size

6.0MB
MD5

3943063d8a8fb69b50caf1acfead34ee
SHA1

25b565a954aa0810ab4472004d30bc4792e1e5f5
SHA256

af27c5ab9e64db813ad6a8636af0462f5323eca30c67fef5d9f0a1e684658a9b
SHA512

c690729792cccbda50457d47ba204359fbd4fa6117c47b0169a0aa41c555d2e21ba293458c7ed407c048536b823e0ec959d31128bb4b0c3e6b9208a6e768610f
SSDEEP

98304:c+6ehmwOFcFki+TQlF3Knk7cgEx2fI6y8ZKmQiTVvtH6+25obrcs1028:c+lQwmPiOG3H33I6ypWTVvtaNy228

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ufr_reports	explorer.exe

Executes dropped EXE 8 IoCs

pid	Process
2460	HID.exe
2096	HID.exe
2756	svchost.com
3004	explorer.exe
2712	svchost.com
2836	HID.exe
2576	explorer.exe
1720	svchost.com

Loads dropped DLL 10 IoCs

pid	Process
2220	3943063d8a8fb69b50caf1acfead34ee_JaffaCakes118.exe
2220	3943063d8a8fb69b50caf1acfead34ee_JaffaCakes118.exe
2460	HID.exe
2460	HID.exe
2756	svchost.com
2712	svchost.com
2712	svchost.com
3004	explorer.exe
2756	svchost.com
2460	HID.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	HID.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	HID.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	HID.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	HID.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	HID.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	HID.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	HID.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	HID.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	HID.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	HID.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	HID.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	HID.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	HID.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	HID.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	HID.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	HID.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	HID.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	HID.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	HID.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	HID.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	HID.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	HID.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	HID.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	HID.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	HID.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	HID.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	HID.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	HID.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	HID.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	HID.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	HID.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	HID.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	HID.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	HID.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	svchost.com

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	HID.exe
File opened for modification	C:\Windows\svchost.com	HID.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	HID.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HID.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HID.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3943063d8a8fb69b50caf1acfead34ee_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HID.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	HID.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2460	2220	3943063d8a8fb69b50caf1acfead34ee_JaffaCakes118.exe	29
PID 2220 wrote to memory of 2460	2220	3943063d8a8fb69b50caf1acfead34ee_JaffaCakes118.exe	29
PID 2220 wrote to memory of 2460	2220	3943063d8a8fb69b50caf1acfead34ee_JaffaCakes118.exe	29
PID 2220 wrote to memory of 2460	2220	3943063d8a8fb69b50caf1acfead34ee_JaffaCakes118.exe	29
PID 2460 wrote to memory of 2096	2460	HID.exe	30
PID 2460 wrote to memory of 2096	2460	HID.exe	30
PID 2460 wrote to memory of 2096	2460	HID.exe	30
PID 2460 wrote to memory of 2096	2460	HID.exe	30
PID 2096 wrote to memory of 2756	2096	HID.exe	31
PID 2096 wrote to memory of 2756	2096	HID.exe	31
PID 2096 wrote to memory of 2756	2096	HID.exe	31
PID 2096 wrote to memory of 2756	2096	HID.exe	31
PID 2756 wrote to memory of 3004	2756	svchost.com	32
PID 2756 wrote to memory of 3004	2756	svchost.com	32
PID 2756 wrote to memory of 3004	2756	svchost.com	32
PID 2756 wrote to memory of 3004	2756	svchost.com	32
PID 2096 wrote to memory of 2712	2096	HID.exe	33
PID 2096 wrote to memory of 2712	2096	HID.exe	33
PID 2096 wrote to memory of 2712	2096	HID.exe	33
PID 2096 wrote to memory of 2712	2096	HID.exe	33
PID 2712 wrote to memory of 2836	2712	svchost.com	34
PID 2712 wrote to memory of 2836	2712	svchost.com	34
PID 2712 wrote to memory of 2836	2712	svchost.com	34
PID 2712 wrote to memory of 2836	2712	svchost.com	34
PID 3004 wrote to memory of 2576	3004	explorer.exe	35
PID 3004 wrote to memory of 2576	3004	explorer.exe	35
PID 3004 wrote to memory of 2576	3004	explorer.exe	35
PID 3004 wrote to memory of 2576	3004	explorer.exe	35
PID 2836 wrote to memory of 1720	2836	HID.exe	36
PID 2836 wrote to memory of 1720	2836	HID.exe	36
PID 2836 wrote to memory of 1720	2836	HID.exe	36
PID 2836 wrote to memory of 1720	2836	HID.exe	36

C:\Users\Admin\AppData\Local\Temp\3943063d8a8fb69b50caf1acfead34ee_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3943063d8a8fb69b50caf1acfead34ee_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Local\Temp\HID.exe
  "C:\Users\Admin\AppData\Local\Temp\HID.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
    "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2096
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2756
    - - C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        5⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3004
      - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        6⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2576
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2712
    - - C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2836
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

Filesize
859KB

MD5
754309b7b83050a50768236ee966224f

SHA1
10ed7efc2e594417ddeb00a42deb8fd9f804ed53

SHA256
acd32dd903e5464b0ecd153fb3f71da520d2e59a63d4c355d9c1874c919d04e6

SHA512
e5aaddf62c08c8fcc1ae3f29df220c5c730a2efa96dd18685ee19f5a9d66c4735bb4416c4828033661990604669ed345415ef2dc096ec75e1ab378dd804b1614

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
ad98b20199243808cde0b5f0fd14b98f

SHA1
f95ce4c4c1bb507da8ed379503b7f597ee2016cd

SHA256
214f478e94658fa2bd7f0bc17022831baee707756798addb41d9c5bee050e70b

SHA512
ee1251c62530b3027e2cd5669533c633577ffbcf854e137a551148fc0de3ee6cc34253a0bdefdbd4843929843b0790f1de893aa6fbae1c969f057b9f8486afef

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

Filesize
186KB

MD5
248a8df8e662dfca1db4f7160e1a972b

SHA1
dca22df5bca069f90d84d59988abe73a24704304

SHA256
6c7abeebd50487ca33315f5e507c9a5346e6e7a4b732103b35b8006ed58d7bb2

SHA512
0042e806d50c938fb1f08506327c87cd99e4f5f9520636b20695d94a696bb8b3f500f6d9507cb46fdba27c60cc0cb9e3c1e7c35dcfb7fcf4dadac3270e654f75

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe

Filesize
1.1MB

MD5
dc6114cf663ccdb1e55d37e6501c54cc

SHA1
8007df78476f6e723ddcb3ad6d515e558dcb97c9

SHA256
d566164c874ef66149b493e3220616cdb9090a8cebb4a1325c48c705aea5c348

SHA512
677464e6dab367f9158655533cade6e1ec4b39c4e64b05395e72e4099ca7f8fa82b8e49846932956da5fef760cc109a348e1c599d986166998e4d2623022a28c

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE

Filesize
313KB

MD5
46990c189f267e44f1927f68380102a7

SHA1
01eb9127bcda65186295003420683f3b4385659c

SHA256
323942be693446177d1e1f3686ccf142c31f812501a4b96aba2465c5291280cf

SHA512
3d1b342922f6fbb55aab224c705202d8607108ed459eb3dfecd7deece986f8818961c31930858f9576afeb9f7114cb64ad68d50768a9a61103be44d668d53296

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe

Filesize
381KB

MD5
2352318f01171370a31048e3ef80a4a9

SHA1
aeca009b93c80a3a51eaefa035b09f8a5aa6d252

SHA256
88b241c269c0b657ed4a2b09b0835f15f4dee77d0bb8fec3240bb14d93ba0b62

SHA512
7783abcc2a0e448ea476c53d70b8d04f4c90c3b30b72a1b89310fb6f9f05efcc7e511276cc045c3e3f476e932874c3aef30366872b408fa257561aba2d907b3b

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE

Filesize
157KB

MD5
b850765b8c14581ce7f530af5f2fbd51

SHA1
880e465cdefe80f5ca4000b58a3b10cd5b37cd0c

SHA256
5d581c2884941148c835ca3ebe16c7389b8d2428904d3c506acff241bfab377b

SHA512
5eda1bb561fa4b024e82f471588102bb802435b937ff76f7ef5f5f3b3b8b623c88c32bfeb1b1c2acfeb907b97627ab0310be62be5e33253e826e86f5da0edd42

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE

Filesize
543KB

MD5
2b70e86023bc43c1aac2336f7d1705d5

SHA1
b1971973f43abb348439d7478b3276310a53d81e

SHA256
340b88082d958cc9efd3fcb394e10eb949d85a059a9a4f08b3fa6de75d9adaed

SHA512
79886d34fbfa254971df848e065e12f5b69a81ff005f02f658a75f714187b633a3a126c8e99518af7fe209cbc7371092642ecb6d952431a4c6d1b32c567b71d6

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE

Filesize
271KB

MD5
550ee718f47f54ea321e6cc214c68e55

SHA1
5fbeb267efb3ab776b5c55609011a9c72cb6910f

SHA256
c08ef7db13238cfa6f0436c64e5d1debf5a4810a9697b229eff1a8a3da72097c

SHA512
0017bfc578dcad9e38e2f1cd5627d6659c25c20120a9b1f8975f62c78fe0c59cb95579393e4a660d2b02254518f0b6d2f88ee226e1ad0fc58a8f6c7ab5af2746

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE

Filesize
248KB

MD5
ac6d85d7442052248a6641326a13f312

SHA1
6e71f0ce6bbaad3ddd5cd6fcf87ac5ba0bcbf755

SHA256
bf9e8f129d3ab2f07a27ca828eea69561101c7d5f9c3e96bb3684c9e7f0e9541

SHA512
b3ffa56c21afc4e6bddb7564ba4454d16888631b1a8fdca66e63a6ad2a13197bf6431bbac210bec51ba493ccc6348dd1df0004c969b88347eeec49c4d766c5a3

Download Submit
C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE

Filesize
228KB

MD5
86794950556be7019ef3c350ad5dfbaf

SHA1
3d02d65f563c44685f3dab3d8050e1717c16154b

SHA256
3491a95fc0c76ad37149f9021c4a9b74fd0f57347f69014bb204d90a2c19e53d

SHA512
059a5469032be3be4ed490cfd512a10b1fef61be0a982397597c0ac4b1700f0d75d157f36a8394f1998f0a2a01237f6572ce08038a506942258fdb201741be53

Download Submit
C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE

Filesize
150KB

MD5
085ce676d38931ac3635557bbf22cc8d

SHA1
a18489ca8524b00ead782aae4f754bf72280d4ba

SHA256
1b8a34080cdfd2fd11c9e71de6b70a28bbeadecc089c97f9ff384d4800b8dcf8

SHA512
d9cd67720314b90b18b7233a06c9be26280e79275f83e5248ec15dcecf03b989f259e583e7bd7d597c41f8724b4def84acaf9f4c9544aa5eb27c8d346ad62c75

Download Submit
C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE

Filesize
144KB

MD5
86f349439a2e7593045384186e27c24d

SHA1
0d046a4afd2541ff270eb10adb1aee6c63777051

SHA256
f4d83704e9cc4a9dc2a35d4b0ef6ce697ec0406722caa64aa5201758bae43e57

SHA512
26fb713652f2f8ad1acd69023192329be5986e2d20a7e826edc9a4275923002fcc09fc81a4b053486b5d78c5619149577cb56bd5fb12bbdb548bdadb71491086

Download Submit
C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE

Filesize
1.4MB

MD5
305a058b877a365b75083d6cea874702

SHA1
20f9dc6d97a1abdf4b80e78befa3b64891235e17

SHA256
bffa5127f52bb966b109a07dfeb1bb40a76d606e96837c80ac5ff276447fe181

SHA512
23b1540d4dc1c062579ee9a3231140ae250f2df7b28c376f34effd255ae1115e875a5fcdafc8d15b5b39ff977ebfb7cd03dbf6ce91a83b94ea235eadce8e12b4

Download Submit
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE

Filesize
141KB

MD5
0868122e03b26dd2a2d13bb420f3a2b8

SHA1
cbd9271a4dd303a0d11ef9387978d669c726b550

SHA256
56ecde530a58ca10b5ef85a6b5c4407e5b198bc46724485c06b54f27349cad77

SHA512
9befccd08405e54456dcdf8180da8ceddeb65c6eb2d3a250405ad983213db4ae263473c739d619ff71914460e9dc051e7f9cf535b7e30ef957ff4842fdc498a4

Download Submit
C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE

Filesize
674KB

MD5
fc1fae6a02f5ef05113aec947eda5996

SHA1
ed831802511f89d436c02f0fd3deecf37f770d3b

SHA256
cc92fdf41d3600a028d91ba0c2d28d3c6cd77e3ed58d257164d5d3d907908356

SHA512
0e6b3707c331cd2d1740513730cc6e0da3f750d5b9d08b398ef4cdd2ace9ee8f076f0706cdfe621de93bdf3d4e9ee015c6fbd68484da13affbbc05576eaa90da

Download Submit
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE

Filesize
536KB

MD5
b44ca7f9964f10694bb00782b30e20bd

SHA1
cb39e0e8486faa93ef0adb2757dfed3c276d1277

SHA256
324963cc436b1d501f2cada84e33ba8fa5cb55cca5565a2b1917db11cbbafe86

SHA512
7a99884999ea7eeca3c9d43a68eacf455171dfabaa3b71279b7e69123b48e62080204c8941da18f60bea48c712d81bc515b00c36fadc1fbe7e8c0cc5079bd571

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE

Filesize
485KB

MD5
048da0aced67fe14cbc1801a057b8cef

SHA1
9ddac6ad86b54d0b7e1d22fbc1ff75ccfa9c17ea

SHA256
2f37cac4a1dbf7944d43f1154ce293311c3f9d44317276a06b49cd41123d9d96

SHA512
1d2b23dc25ea03002a3ccbcdf08a7ebf47ee2158bf9211b71830a92dfa4bef584529c1804148ebe2cb662e579cc97e9f702a6a42071f2600a129c642a6b92c16

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE

Filesize
674KB

MD5
80c124900fe2a6955fa8ef8e317da894

SHA1
4a6224f6b9344261cd8d373b572dc5a89f9e1ae7

SHA256
244efc6b493b0e65285259a2c1755d5fc84e3622b2487bd8d89dbc077654fdd8

SHA512
5a1a34a6e6179ab3a690e8186abf5b7e2407126632758e127b55f5af6af5eb7657629472bf4898b1883e7d725f03e7e8e45337687ebed19f6204b74593d8b047

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE

Filesize
536KB

MD5
a4520658cdbf168d2c320e37bb9dfdba

SHA1
519f1e681069148ffd29d1043d6f815b37797572

SHA256
fbd2d02523b9729e8cf84435700ab889b0648e9c367a889b765479b35e5409bc

SHA512
b9fb491858ee8cf42cabc7ceefb8c00a543cebbf59e1e7d0c659de2488886e354183f4d00b87c023bf59b29a4904c76d42c3507254aed6505ad368c4ec73100e

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE

Filesize
485KB

MD5
f8090e8496b322fd6dd512c484f10b3c

SHA1
4ca215ba4ffe3dc657081da15e66f1494378e1bc

SHA256
9625759a71f257480d6c5956adaf86eb178ecbe62521ed91d2ad2a45813d1e00

SHA512
9c2eae3b34504dc2e4fafc3e08cce8ed240de871a6d47d57ac84da2e0fb7a4d445a9f2bbb4f2844eb4112a8e9b4ac9c226daeadfc14fe568bafe2d7659560a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe

Filesize
6.0MB

MD5
1eaa1690c3f599711575376a38854557

SHA1
da070274cdf89fcd153e6079f868b80bc408fbfe

SHA256
b37cb424c61d5f5cef1e829a283a60b14192944bbf94150461b2808ec734144b

SHA512
344e9cfb4cffc15e87f154bc6ff99eb4216ff8eaf46f2601b23877008c0d14ee0a08fe911ad94e0c143eb010ae7868caa9ef9fde7d06f2eb954b8a8d38ea82c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
21KB

MD5
7536c5358d609bdb8aa110d054365e90

SHA1
9d02d7962a413d3dbf4acc1b8854b926953b6780

SHA256
ab48c7c77a5c56d5773061ee6c18eebf57c359a60241516ce7757fb8b7e11b16

SHA512
bf987e34f3daa8e3033b257c5454773452d871ce3c08559f2dea6a83fe0dde360bc3ed4c09589495893f80bb8d84f704243b114339fd5fe58d99ef578fa4c40b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp

Filesize
8B

MD5
21ca203b38f5cf05bc0c72c4b17ec300

SHA1
82e79443fb82b0dda3a7643fe990c7ff936074a0

SHA256
c0c9352be5284f35edf43ddf513b59930819a9a7a441744ae3c150ee193632b4

SHA512
64d96254b5feebc89629fb633d205022e8d54d490328c5eadb3953ce347cbce6fdc7f18fe778d8bc0f1dd6ac93ac0f2efef45bff66e57ad090d2b0957f4b1bab

Download Submit
C:\Windows\directx.sys

Filesize
43B

MD5
7389b3ba57d20bc32e2e154c5fd0bf3f

SHA1
f6d6c67bd8ced8c55996b7e5622206aea85dd0ff

SHA256
e563f572707537629560a98e383345a864512907aaa27b3c1c7802b0769a7b16

SHA512
aea75b437839187d9759c2bdfd20603a5328af4e22c86f2a5decfe1434e88760e52ab1a8342b538055c8a80a6e354ad4f86a52286c59ee39f4a890136d7b66ae

Download Submit
C:\Windows\directx.sys

Filesize
52B

MD5
af4129789de3a39c3d39801d6a5bb6ca

SHA1
d943bd8cbbdd4750fd6c70c2a13697e04bf6eead

SHA256
a4d84fb60c9ab0ecc9e725c466567df6373ae6f6cda62244e741f5261daaf0d1

SHA512
297c04d880461258c736ba8b3646b456a0fa429d6f36498013256886f3156032e391a25b5fde5579990c72916c3842640ba076ae0b6c48f6f5871558786f8db2

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
bb437b70bff9be8f5fba089204a9d70f

SHA1
7650b891d5472481d32709dee58840feeb25b69b

SHA256
b67de524164843e652193ac9529a0239a269dec0bf6ed714b2d527238562f82a

SHA512
d879b4e3fd48409a11a7698399ed0ee55c22c1d61dc7ffae8dc6130bbe72dd5b498162cc268e45e2e77a6bb461295c297df34a76a7da7b54cb6d186779a68410

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\HID.exe

Filesize
6.0MB

MD5
9d279fbbcbcb06566cec703e6cbbbf68

SHA1
1b482e2bf79337c2b37732667eeda8b49f8514ee

SHA256
4cb0b308f8a34ffd073503c9728454c5c271118d6f6a401a2e4fbe76fdc72500

SHA512
dde2fa5a339f2b295ab02c9019f4609f061a2428c9ee34f85c8e453ada7d24143198e0804786c26df06c93bdef03bd8829125f4c0db3ebf9bd2f2e3cab5a4e47

Download Submit
memory/1720-75-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2460-186-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2460-188-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2460-170-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2460-194-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2460-182-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2576-181-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2576-63-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2712-67-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2756-189-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2756-183-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2756-187-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2756-179-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2756-191-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2756-36-0x0000000000220000-0x0000000000274000-memory.dmp

Filesize
336KB

Download
memory/2836-66-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3004-54-0x00000000002D0000-0x0000000000324000-memory.dmp

Filesize
336KB

Download
memory/3004-38-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3004-57-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads