neshta | d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274b

Analysis

max time kernel
48s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
13/10/2024, 00:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe
Size

3.3MB
MD5

07f2d35edf13e4bf72989f1df80ca7c0
SHA1

daefdc80c94839b0b424059190de5fbf1cef4175
SHA256

d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274b
SHA512

f42fcad31980186fd0a4dedadb1418b5b1af3d38a8d52c4a25ffc97fdcc9aa0050ac895dabeb0aeaf087d53c541017b182ade3d0256e9c456f84c47952f968f2
SSDEEP

98304:Mk6/7hmLAqkCkw5d1QrrJ9XfdlAJn09FI4In5ZL3Ky3:N6t0AMd09Xl+y9Fxw1KU

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 15 IoCs

resource	yara_rule
behavioral1/files/0x0001000000010314-10.dat	family_neshta
behavioral1/files/0x0007000000016cab-73.dat	family_neshta
behavioral1/files/0x0005000000010351-265.dat	family_neshta
behavioral1/files/0x0002000000010484-264.dat	family_neshta
behavioral1/files/0x0001000000010312-266.dat	family_neshta
behavioral1/memory/2064-269-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2196-271-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2064-272-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2196-274-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2064-275-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2196-277-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2064-278-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2196-280-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2196-283-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2064-284-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Executes dropped EXE 3 IoCs

pid	Process
2348	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe
2196	svchost.com
2968	setup.exe

Loads dropped DLL 22 IoCs

pid	Process
2064	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe
2196	svchost.com
2968	setup.exe
2968	setup.exe
2968	setup.exe
2968	setup.exe
2968	setup.exe
2968	setup.exe
2968	setup.exe
2968	setup.exe
2968	setup.exe
2968	setup.exe
2064	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2132	regsvr32.exe
2196	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\UnInstall_CrossCert.exe	setup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe
File created	C:\Program Files\CrossCert\CrossCertWeb v2.0\GHCard.dll	setup.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe
File created	C:\Program Files\NPKI\KISA\c8d08ec749ae1f2042b24b7f13c977580ca1cdc1_01.der	setup.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	svchost.com
File created	C:\Program Files\CrossCert\CrossCertWeb v2.0\OCSP.conf	setup.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe
File created	C:\Program Files\CrossCert\CrossCertWeb v2.0\KSignJCard.dll	setup.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe
File created	C:\Program Files\CrossCert\CrossCertWeb v2.0\libxml2.dll	setup.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe
File created	C:\Program Files\CrossCert\CrossCertWeb v2.0\CrossCertCms.dll	setup.exe
File created	C:\Program Files\CrossCert\CrossCertWeb v2.0\CrossCertCrypto.dll	setup.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe
File created	C:\Program Files\CrossCert\CrossCertWeb v2.0\JACard.dll	setup.exe
File created	C:\Program Files\NPKI\CrossCert\B674A99B923CC751B122A44FBCB73CFE2233D776_4100.der	setup.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe
File created	C:\Program Files\CrossCert\CrossCertWeb v2.0\nsldap32v11.dll	setup.exe
File created	C:\Program Files\NPKI\RootCA\c8d08ec749ae1f2042b24b7f13c977580ca1cdc1_01.der	setup.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	svchost.com

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{001666DB-7106-4481-87B8-8C2E5C835AD2}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{800509E4-9888-4012-AF77-106542100C1D}\LaunchPermission = 01000480440000005400000000000000140000000200300002000000000014001f000000010100000000000512000000000014000b0000000101000000000005040000000102000000000005200000002002000001020000000000052000000020020000	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{800509E4-9888-4012-AF77-106542100C1D}\REG_DWORD_ROTFlags\ = "AxCrossCert"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{800509E4-9888-4012-AF77-106542100C1D}\ = "AxCrossCert"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{800509E4-9888-4012-AF77-106542100C1D}\DllSurrogate	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{001666DB-7106-4481-87B8-8C2E5C835AD2}\1.0\HELPDIR\ = "C:\\Program Files\\CrossCert\\CrossCertWeb v2.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A099920B-630C-426B-91EC-737685CEEE17}\ = "AxCrossCert Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A099920B-630C-426B-91EC-737685CEEE17}\TypeLib\ = "{001666DB-7106-4481-87B8-8C2E5C835AD2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{839E9F54-11EB-4A67-8F4B-48BBB9709BFD}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{839E9F54-11EB-4A67-8F4B-48BBB9709BFD}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EC3EB08A-C258-46A2-8B64-489559005038}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AxCrossCert.AxCrossCert.1\CLSID\ = "{A099920B-630C-426B-91EC-737685CEEE17}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{001666DB-7106-4481-87B8-8C2E5C835AD2}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{839E9F54-11EB-4A67-8F4B-48BBB9709BFD}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EC3EB08A-C258-46A2-8B64-489559005038}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{800509E4-9888-4012-AF77-106542100C1D}\REG_DWORD_ROTFlags	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AxCrossCert.AxCrossCert.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\AxCrossCert.DLL\AppID = "{800509E4-9888-4012-AF77-106542100C1D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{800509E4-9888-4012-AF77-106542100C1D}\ = "AxCrossCert"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A099920B-630C-426B-91EC-737685CEEE17}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AxCrossCert.AxCrossCert\ = "AxCrossCert Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A099920B-630C-426B-91EC-737685CEEE17}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EC3EB08A-C258-46A2-8B64-489559005038}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A099920B-630C-426B-91EC-737685CEEE17}\REG_DWORD_ROTFlags	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A099920B-630C-426B-91EC-737685CEEE17}\REG_DWORD_ROTFlags\ROTREGFLAGS_ALLOWANYCLIENT = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A099920B-630C-426B-91EC-737685CEEE17}\MiscStatus	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A099920B-630C-426B-91EC-737685CEEE17}\Elevation\Enabled = "1"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{800509E4-9888-4012-AF77-106542100C1D}\REG_DWORD_ROTFlags\AccessPermission = 01000480440000005400000000000000140000000200300002000000000014000700000001010000000000051200000000001400070000000101000000000005040000000102000000000005200000002002000001020000000000052000000020020000	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{800509E4-9888-4012-AF77-106542100C1D}\REG_DWORD_ROTFlags\DllSurrogate	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A099920B-630C-426B-91EC-737685CEEE17}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{839E9F54-11EB-4A67-8F4B-48BBB9709BFD}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A099920B-630C-426B-91EC-737685CEEE17}\ProgID\ = "AxCrossCert.AxCrossCert.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A099920B-630C-426B-91EC-737685CEEE17}\InprocServer32\ = "C:\\Program Files\\CrossCert\\CrossCertWeb v2.0\\AxCrossCert.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A099920B-630C-426B-91EC-737685CEEE17}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A099920B-630C-426B-91EC-737685CEEE17}\Control	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{839E9F54-11EB-4A67-8F4B-48BBB9709BFD}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{839E9F54-11EB-4A67-8F4B-48BBB9709BFD}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AxCrossCert.AxCrossCert\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A099920B-630C-426B-91EC-737685CEEE17}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EC3EB08A-C258-46A2-8B64-489559005038}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{800509E4-9888-4012-AF77-106542100C1D}\DllSurrogate	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{839E9F54-11EB-4A67-8F4B-48BBB9709BFD}\ = "_IAxKCASEEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{839E9F54-11EB-4A67-8F4B-48BBB9709BFD}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EC3EB08A-C258-46A2-8B64-489559005038}\ = "IAxCrossCert"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A099920B-630C-426B-91EC-737685CEEE17}\AppID = "{800509E4-9888-4012-AF77-106542100C1D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{001666DB-7106-4481-87B8-8C2E5C835AD2}\1.0\ = "AxCrossCert 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A099920B-630C-426B-91EC-737685CEEE17}\MiscStatus\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A099920B-630C-426B-91EC-737685CEEE17}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A099920B-630C-426B-91EC-737685CEEE17}\Elevation	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{001666DB-7106-4481-87B8-8C2E5C835AD2}\1.0\0\win32\ = "C:\\Program Files\\CrossCert\\CrossCertWeb v2.0\\AxCrossCert.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EC3EB08A-C258-46A2-8B64-489559005038}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AxCrossCert.AxCrossCert.1\ = "AxCrossCert Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AxCrossCert.AxCrossCert\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A099920B-630C-426B-91EC-737685CEEE17}\Insertable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A099920B-630C-426B-91EC-737685CEEE17}\ToolboxBitmap32\ = "C:\\Program Files\\CrossCert\\CrossCertWeb v2.0\\AxCrossCert.dll, 101"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A099920B-630C-426B-91EC-737685CEEE17}\MiscStatus\1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{839E9F54-11EB-4A67-8F4B-48BBB9709BFD}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EC3EB08A-C258-46A2-8B64-489559005038}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AxCrossCert.AxCrossCert\CLSID\ = "{A099920B-630C-426B-91EC-737685CEEE17}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AxCrossCert.AxCrossCert\CurVer\ = "AxCrossCert.AxCrossCert.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EC3EB08A-C258-46A2-8B64-489559005038}\TypeLib\ = "{001666DB-7106-4481-87B8-8C2E5C835AD2}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EC3EB08A-C258-46A2-8B64-489559005038}\TypeLib\ = "{001666DB-7106-4481-87B8-8C2E5C835AD2}"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{800509E4-9888-4012-AF77-106542100C1D}\AccessPermission = 01000480440000005400000000000000140000000200300002000000000014000700000001010000000000051200000000001400030000000101000000000005040000000102000000000005200000002002000001020000000000052000000020020000	reg.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2968	setup.exe
2968	setup.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2348	2064	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe	30
PID 2064 wrote to memory of 2348	2064	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe	30
PID 2064 wrote to memory of 2348	2064	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe	30
PID 2064 wrote to memory of 2348	2064	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe	30
PID 2348 wrote to memory of 2196	2348	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe	31
PID 2348 wrote to memory of 2196	2348	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe	31
PID 2348 wrote to memory of 2196	2348	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe	31
PID 2348 wrote to memory of 2196	2348	d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe	31
PID 2196 wrote to memory of 2968	2196	svchost.com	32
PID 2196 wrote to memory of 2968	2196	svchost.com	32
PID 2196 wrote to memory of 2968	2196	svchost.com	32
PID 2196 wrote to memory of 2968	2196	svchost.com	32
PID 2196 wrote to memory of 2968	2196	svchost.com	32
PID 2196 wrote to memory of 2968	2196	svchost.com	32
PID 2196 wrote to memory of 2968	2196	svchost.com	32
PID 2968 wrote to memory of 2132	2968	setup.exe	33
PID 2968 wrote to memory of 2132	2968	setup.exe	33
PID 2968 wrote to memory of 2132	2968	setup.exe	33
PID 2968 wrote to memory of 2132	2968	setup.exe	33
PID 2968 wrote to memory of 2132	2968	setup.exe	33
PID 2968 wrote to memory of 2132	2968	setup.exe	33
PID 2968 wrote to memory of 2132	2968	setup.exe	33
PID 2968 wrote to memory of 1756	2968	setup.exe	34
PID 2968 wrote to memory of 1756	2968	setup.exe	34
PID 2968 wrote to memory of 1756	2968	setup.exe	34
PID 2968 wrote to memory of 1756	2968	setup.exe	34
PID 2968 wrote to memory of 1756	2968	setup.exe	34
PID 2968 wrote to memory of 1756	2968	setup.exe	34
PID 2968 wrote to memory of 1756	2968	setup.exe	34

C:\Users\Admin\AppData\Local\Temp\d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe
"C:\Users\Admin\AppData\Local\Temp\d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Users\Admin\AppData\Local\Temp\3582-490\d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe
      C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2968
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s "C:\Program Files\CrossCert\CrossCertWeb v2.0\AxCrossCert.dll"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2132
    - - C:\Windows\SysWOW64\reg.exe
        
        reg import .\axcrosscert.reg
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

Filesize
859KB

MD5
02ee6a3424782531461fb2f10713d3c1

SHA1
b581a2c365d93ebb629e8363fd9f69afc673123f

SHA256
ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc

SHA512
6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

Filesize
186KB

MD5
58b58875a50a0d8b5e7be7d6ac685164

SHA1
1e0b89c1b2585c76e758e9141b846ed4477b0662

SHA256
2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae

SHA512
d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe

Filesize
1.1MB

MD5
566ed4f62fdc96f175afedd811fa0370

SHA1
d4b47adc40e0d5a9391d3f6f2942d1889dd2a451

SHA256
e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460

SHA512
cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

Download Submit
C:\Users\Admin\AppData\LocalLow\NPKI\KISA\bfb627d8035a76654c6101415631e58b7b3ad9cc_04.der

Filesize
887B

MD5
689b17c654e0e0e099551642f75a86d8

SHA1
027268293e5f5d17aaa4b3c3e6361e1f92575eaa

SHA256
6fdb3f76c8b801a75338d8a50a7c02879f6198b57e594d318d3832900fedcd79

SHA512
f141729ae13b8d8cab109695be307c14d519a594da07a12f0f9f2157d171dbe0c8cdff26a22d9ab36d392543f3694bd4ce4b7878722dd0dec6b99b299ce2e8fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\AxCrossCert.dll

Filesize
1.6MB

MD5
cc072e6c86a86e805fdac1390c457ef2

SHA1
7143c4a92e997074228835fe1f55491e9b699d1c

SHA256
5887ab89c67e28ca1f6527e6b92e5b42004214b949364cbcd01576a216ec065a

SHA512
eb1be2d98b3330ffaf544a517069fc8d7c66651748d370c9063ed2567ab076954da810ce4a5ac0e2ce08a4164fd458a5bf9ee3299d57a872877138ad7bb1de24

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\AxCrossCert.ini

Filesize
10KB

MD5
ed0319c758d862863a7e156e6ae6d443

SHA1
6db94aa2706ac391b22959932d341e7aa46ec927

SHA256
83a23fb28bcc00583d19d3d0f904010f5b933543c7b20f4bedb058f9a6867455

SHA512
7597bda0c64d41ca3540cea7967f8b0a93eb7df3cffd8453b3a822f99f2c23768c1f9c45a0fa5db2de63c369d74798136eee1ae70e9f37704fba2107d24a99a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\B674A99B923CC751B122A44FBCB73CFE2233D776_4100.der

Filesize
1KB

MD5
ec746254751b75cc482da57c8a3ead02

SHA1
1c019ff4294187cae3986e6d3474b7e39e1ea4de

SHA256
e54153845de915701251e84af58a6f2b88fd3456a0a4655861f33c334b936da5

SHA512
4d1148f0518b1fcdd126a4ce5a9407bfaaf107a64f55f34c099038b7314e1cb5906213e1a5a5ee713fa4d78856a2a15b92ce7e825b399f638cbfac610be99443

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\CCAPI.dll

Filesize
1.4MB

MD5
ef65402b5d34c04da4cc75abf93b28d6

SHA1
e555c5224dd6a907bb7642a501021f74c68782bf

SHA256
1e8dd3983523a1dd90cb437b4b44ac8a5bcb3aef92c4dc86cd6d68c7f52b56a1

SHA512
7bfcd4ff81e4815dd2ef38f61ea850b1da017cffa9d7af9174fc95362368ee10233f3eedc9b919b594a677aef4ae3a2611ac8a84834e552e40968e1a1e975125

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\CCmagerapi.dll

Filesize
64KB

MD5
bffb05a33beede37b13da036a65dbd12

SHA1
2083d21614d97c102990e7197bd0edf99183a6e3

SHA256
7f9cf8a5d87e9c6e5313cbfdaf2494dc52836dd852c132683e75c7817a9d701b

SHA512
c04e318b7d5c5c60c06ef2849c12784268086e26749f81fc9f89db5dd9a53b7b310bb1aa479b6a9ee7c3325e334bc6eeaff39777f03882eb842cb7534097d776

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\CrossCertCert.dll

Filesize
453KB

MD5
8f62e80b126ce6a4199c2f8b675ab721

SHA1
f776d601b79c9dd9525d3c48d54978df97a994b0

SHA256
aa0dd94b89a0bf0d34d7171de86e594d0c2cf4ec68e32542f2f220f6ecd2a088

SHA512
56bd87ba75618e31eabb1f42467d63daf256e625ced1a649d235707e2ec44b4178be71de537790b68faca0f9082dd26507f33f6333d020f8567789eea782f7b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\CrossCertCommon.dll

Filesize
528KB

MD5
b741c286e9036a569ba6e2a97cde2f85

SHA1
c6ca6595494a1a51cff366dcfb33d41ba7436c67

SHA256
a8676f8b64aecd10b86d96efa35fcce2d3b199384267a3f5ae833e039dfd2fd7

SHA512
4179631b563ec0dae9fb144fc6906b7ddd46a5396e0a3b7ae1b118495801840eed234bb00b6a2d8aca821fa482436c1fa128219ea77f33e866def6957e2794ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\CrossCertCrypto.dll

Filesize
492KB

MD5
3375064a16cb8eaa50ec47947cba2c6c

SHA1
362a002b3ad889dd749f6db23e062f9786e2ed0f

SHA256
917848e35391910dd1f85bc1b8a13b368148a9316075ddf8c2d57790b993c539

SHA512
389a37e31974417fafee29644a3a2d50b28c47976fe5e6c046bbc2721ff37f311c5f3e7fb0cbc303bf4f26da9a6ff4ab7970572329706d5fe283b24e8953960c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\GHCard.dll

Filesize
65KB

MD5
828fc78d9ef23f6fca276895059dadbb

SHA1
19254b8795b9cb05542e06b4659a45652e390df0

SHA256
b7197f44a42680868a5fb9d910ea44370b8d766ebf30a402a0b458d83efdcb8c

SHA512
a013763dbeeeff8f6dc1972cac8f566c6c0efc9b0a69178ec2333574f62e6a3e7c154e0ad2641018b24ab15414f56c1ee554ed01675959bc0f326fcf1fddf38d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\JACard.dll

Filesize
117KB

MD5
1a2092bff5700b8a431478d184361cd3

SHA1
b892909a672b38bb35443c63a537632d3be0877a

SHA256
f79cf545a4bbced718a10df1b0b52105cf256201ba3e787edbd852327d9a68bc

SHA512
7b1fcb19571f66d22e09de3a94fef513bb1ed58c5fe8d62275352ddd8f43c5218cb69964b97a7f754b7d9a020b70416f283a66701ce45fd7ced48a34f50d1f4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\JICard.dll

Filesize
49KB

MD5
3b1e0d07dab2a97cee55813472e0eee2

SHA1
f2cd22d9ef63836ae114d674f817a14da0e25ba4

SHA256
aecbec4e5f86de2c4197fd0caeb8f660b8208359d448dda664c7e57b701912df

SHA512
a57aaf0637c9b225ababadfe192131cb7d2c5b25177c3861d70ef9b7628d401ab858af1b8ad06ad8a9ee4d9843d58604782f3b9c74d27949b6489c1a9d75334d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\KSignJCard.dll

Filesize
52KB

MD5
43b79141b9297bc620f378606dd790e4

SHA1
35bdec519c24db2b4d411dafb32040659a266a75

SHA256
600b7a45280b7ae95e7f15f62a5a8467c2c84e44c7158be8dcc6c0a0ea4852c3

SHA512
704481e41981e3d7eba1ee3b2419f5557a7c34d48a68a2e8e83d8ebddc99803df1657639944f12b76f01a0f72b1302e1a3fbe905e7f113d683c73979b618af16

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\KSignMKey.dll

Filesize
220KB

MD5
77d5ce5b750e14e78a1ab9d0d6589f3d

SHA1
63372d0c1511d76f9e88716917af26a134d543ab

SHA256
ef1c5bd342bc90668a21eb78e3fa92c0fe8c2acf5e534be0ab0e577c86e20072

SHA512
676e6a2325fa96adf1ea14bf4b12e159ceec9daccc57c06c98826cd63f7f8f820020b7c7d4fc45a1caaf96c379c169f0c85c8ce0636d22b7f36a8b06a80821ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\KSignSKey.dll

Filesize
57KB

MD5
adaeb0432f6c103ee83becc64626284a

SHA1
aa15e69280d0b04993c4af3db64d32e0969a3c36

SHA256
15dd1ab53d1163c439b9c43a5bf604fcea93d7bf5e10e97e45fe226ace24b79b

SHA512
7bbdbe399b5efb8571ee63aad277a8bdada50df114d9ad8c1232c4600530c12672062738cafd0ba15f32c2f9f5c86ba2ed2ae45fced72b65752761f58c0d4e3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Key.dll

Filesize
48KB

MD5
f26675289ff8fb7681a9fd681bb3e8d8

SHA1
234dc13dea0145502c3cbb8ad36daefecc2aa880

SHA256
682574b2d350532bdafcda51313ad36cfdb3f3016e408f8d8391281b4eae97ef

SHA512
3c1501a5ceeaf2a9b106d68bd1fae75b3541faeb2f9e381f380b52b915267cae307a10cb5248c3cd30b6fc2484f3a9ca1d781e028fdda52e95f46676913235ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NSLDAP32V11.dll

Filesize
77KB

MD5
216ecd395d0e054054457f6a1867397a

SHA1
d3b7f5dfce597dafe9c4e88929fbe0d586ea53f9

SHA256
21ee71ab900ffeb71904b338d4e8b9b2d7eef820adc7fcc0d2ad3f4801d0d4d4

SHA512
a0d0b627b3a3583a26ff2b903ac28c6425ed9d65a08e4267c70647c6a35a38a52933d86125115435b89071c20e2d9183f065f26a1be3188149c98f839847072b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\OCSP.conf

Filesize
708B

MD5
695c9518c6dc850315e278f8626685a1

SHA1
eca655cb13137018486be82657ea306217249b31

SHA256
4f48ab3a08d533f3e9577b8e9ffa49da03b5be0a701f48cf700c7993c25d1ce1

SHA512
91ad7ceb0bc62d39ed6c1cfd10c06dc42d897ff04e54256c1f7d762cf88645dde30e8aa6c4a3a38a5d4e4a98a0d40ad9af69361a02372fa90c69200040dedb84

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\UnInstall_CrossCert.exe

Filesize
301KB

MD5
839882cabeaf88bc26512e8491918d17

SHA1
e80c530a167e001a30baaf91252a916d14f69b6a

SHA256
abb6362d2e399839a0df602750f73eeb9c546a568c70d5802a6f4fa73507f11b

SHA512
b662f4a79acd3926445120ec323ebf682372209f16f140f420cfc7159eaa6371c5aeae20ba1c11d690a847231c24e7b96ebc66ba90cd4ba722ae35019cbfee64

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WinSCard.dll

Filesize
84KB

MD5
95e7d2c9e06d9fb37b7c952cb2a1b76e

SHA1
dc604a8a9cf7689996257214f1366720b4d8c1fe

SHA256
5f9d087fb26262884febdefd95209c8f7b6c12556ca07caba8d1dd801a04420c

SHA512
e68e687a7b8f3eecd8cc2db0e8ab7fa76b95c946050df659f71a17f10f5bb4582da3a983b54b8cbaa1effff3d187fa475445e1fe1b8d02c344d843efb3d5f431

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\axcrosscert.reg

Filesize
1KB

MD5
4588468c9c47a72fad9101dc31460136

SHA1
c5f7de38d5428cf94a7fcc388349caf882340978

SHA256
9eb4af3118d2ea9c28533aa24abf5e7eda97500042c851b7582df30811464a4c

SHA512
6508516822a045d762f334b5f5e31036eba14bc0656fabef56ef8674b80c2ed7f01f7dbcbd64600a2bbfb98af075a73dfaba6d3e2f4aad101b2c89fee338c7ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\c8d08ec749ae1f2042b24b7f13c977580ca1cdc1_01.der

Filesize
889B

MD5
322b7c6659e177c6b2254060ca188d27

SHA1
977e396f0de154423a471700918ea8e594405bf1

SHA256
a002ff556c601863b08b9aa33a8e6666e97e72bbe552f66eb9f2395c68c7bc98

SHA512
2623071fafd689c6fe43c2ddff33c617337330d3f3ed05c33d9a8c9d5c53768926b317900a4a2c22c2ee047de56dc2596182e786d468674f185542dd251a58ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\libxml2.dll

Filesize
920KB

MD5
ea7f31f79fd72ab0eccd67a657c8e620

SHA1
b90e8bb2c9fe1dd7c174836a6baab687aff0e813

SHA256
4ed2e7fa5c7910eacc1b6af2cd7a7a50f1b0073ce16799bcca7bdf3c089c9625

SHA512
b9c3e04e6132ab21224808244c944f7d6903b7c98a41845e8ec50527215f75922b4eb9bbae3bdbb71ceac32ee6b2d96e7f5d3bf2cfe1ea2bec15f939788dfc2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe

Filesize
637KB

MD5
16fa056ac85c3d49c52f825772c93969

SHA1
4453d7c44387a2c1a5fd1cc984859fb66a3ec06c

SHA256
9659ccd4c0ac7442f59f0148341ac34acb099250d5f2d16b60b86d12c7e86d12

SHA512
362bed7f7ce0985700bfe95828dde226ced6287690f957d68cbe9cdf5e520e4f954fca5a18d7f629f8cf20d8466c3c7a64b846a03aaa00ea5e6fdc664a11258a

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
1830351d0fc32675c3007c41c98fbc5e

SHA1
ea2a1a032ee6379e13b4e923fd35b803802c7637

SHA256
ca23f7657c38a0ff2248b411789bb47bbf56a734a6c4d6d47e60faa7a7209170

SHA512
707fbbd14f4a72ce16d6ba187a70eb89486491ad17af8b4960e8e40cd522c2f5d7fa3e393461a5d28cbb7b4ad7d557d6b708082fde9aa9ad98aee6e21956c20e

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\d77b8eb92e4ba26b63b296e3e26affaf09be3464e51a63a830bf88eeac15274bN.exe

Filesize
3.3MB

MD5
77ed0d5dc439753e6063ceaf49ee75e1

SHA1
0cd633054cf53daf9f48cf26ac6e8e5cfc0325f3

SHA256
bb4692713335b1ccbe6cf81ea9692b35cb99e592b3b87f4a34afaf5dfc5410f7

SHA512
f48193a4694a56764906f37d070d7d2f0f4d0b4b5eef63e79560dc6b0d70b4406760fdb8a1fe1089a8dfc8720e510062a1da00901d3ffe83692c7ed1d54845aa

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\CrossCertCms.dll

Filesize
260KB

MD5
465be95aef0b95a69fb5359cc401fc98

SHA1
a0633e6383153969a85b56fdbc346729b5b5c262

SHA256
410d0d4917060b135518b87dcbd6f8ba6f382b0e831e6a9d7681821dcad1cd4d

SHA512
72a1e49ee9c67629ae9734c6d3196c8049728988492a2d2a515d66c2d68434f26285197fef4e5b62482f7f48a7304ca77f4843b050b94996d8d85649e04ccf8d

Download Submit
memory/2064-269-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2064-272-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2064-284-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2064-278-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2064-275-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2132-254-0x0000000002100000-0x00000000021E7000-memory.dmp

Filesize
924KB

Download
memory/2132-234-0x0000000000250000-0x00000000002C7000-memory.dmp

Filesize
476KB

Download
memory/2132-250-0x0000000001F90000-0x00000000020F5000-memory.dmp

Filesize
1.4MB

Download
memory/2132-244-0x00000000001A0000-0x00000000001E3000-memory.dmp

Filesize
268KB

Download
memory/2132-240-0x0000000000A40000-0x0000000000AC6000-memory.dmp

Filesize
536KB

Download
memory/2132-247-0x0000000000AD0000-0x0000000000AE7000-memory.dmp

Filesize
92KB

Download
memory/2196-277-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2196-271-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2196-274-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2196-280-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2196-283-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2348-270-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2348-291-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2968-97-0x00000000006E0000-0x0000000000845000-memory.dmp

Filesize
1.4MB

Download
memory/2968-94-0x00000000002C0000-0x00000000002D7000-memory.dmp

Filesize
92KB

Download
memory/2968-91-0x0000000000380000-0x00000000003C3000-memory.dmp

Filesize
268KB

Download
memory/2968-87-0x00000000004A0000-0x0000000000526000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads