neshta | beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224e

Analysis

max time kernel
111s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/10/2024, 11:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
Size

1.2MB
MD5

b2f55eca44253a76de0172fd3e4f6cb0
SHA1

40a31939bd75bbe7064d04e77a62aae082f881cc
SHA256

beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224e
SHA512

fbcdefbe4f2c1a75814e1d06e6afb09488bb1467765122379df5ca053ec3e0f6e44023931547faaa2927a458dffdc2ab06f1c04e5375ad65b24e6508c3ef34d2
SSDEEP

24576:ioe9YJLnbCQM0rbOwG8ihLXciDZZls8H9xCcjUtFTgbP+9:x3b5FrbOTLXci9Zj9fUtFTD

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 5 IoCs

resource	yara_rule
behavioral2/files/0x0006000000020228-138.dat	family_neshta
behavioral2/memory/216-265-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/216-270-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/216-272-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/216-274-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe

Executes dropped EXE 2 IoCs

pid	Process
4256	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
4680	SupportAssistInstaller.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4	SupportAssistInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 0f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd94090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b0601050507030762000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3390b000000010000001800000045006e00740072007500730074002e006e006500740000001400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab1d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d347e000000010000000800000000c001b39667d6010300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d42000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	SupportAssistInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 190000000100000010000000fa46ce7cbb85cfb4310075313a09ee050300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d47e000000010000000800000000c001b39667d6011d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d341400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab0b000000010000001800000045006e00740072007500730074002e006e0065007400000062000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3397f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd942000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	SupportAssistInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\503006091D97D4F5AE39F7CBE7927D7D652D3431	SupportAssistInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\503006091D97D4F5AE39F7CBE7927D7D652D3431\Blob = 040000000100000010000000ee2931bc327e9ae6e8b5f751b43471900f0000000100000014000000327fc447408de9bf596f83d4b2fa4b8e3e7097d8090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b060105050703076200000001000000200000006dc47172e01cbcb0bf62580d895fe2b8ac9ad4f873801e0c10b9c837d21eb1770b000000010000001e00000045006e00740072007500730074002000280032003000340038002900000014000000010000001400000055e481d11180bed889b908a331f9a1240916b9701d0000000100000010000000e871723e266f38af5d49cda2a502669c7e000000010000000800000000c001b39667d601030000000100000014000000503006091d97d4f5ae39f7cbe7927d7d652d343119000000010000001000000091fad483f14848a8a69b18b805cdbb3a20000000010000002e0400003082042a30820312a00302010202043863def8300d06092a864886f70d01010505003081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f7269747920283230343829301e170d3939313232343137353035315a170d3239303732343134313531325a3081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f726974792028323034382930820122300d06092a864886f70d01010105000382010f003082010a0282010100ad4d4ba91286b2eaa320071516642a2b4bd1bf0b4a4d8eed8076a567b77840c07342c868c0db532bdd5eb8769835938b1a9d7c133a0e1f5bb71ecfe524141eb181a98d7db8cc6b4b03f1020cdcaba54024007f7494a19d0829b3880bf587779d55cde4c37ed76a64ab851486955b9732506f3dc8ba660ce3fcbdb849c176894919fdc0a8bd89a3672fc69fbc711960b82de92cc99076667b94e2af78d665535d3cd69cb2cf2903f92fa450b2d448ce0532558afdb2644c0ee4980775db7fdfb9085560853029f97b48a46986e3353f1e865d7a7a15bdef008e1522541700902693bc0e496891bff847d39d9542c10e4ddf6f26cfc3182162664370d6d5c007e10203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041455e481d11180bed889b908a331f9a1240916b970300d06092a864886f70d010105050003820101003b9b8f569b30e753997c7a79a74d97d7199590fb061fca337c46638f966624fa401b2127cae67273f24ffe3199fdc80c4c6853c680821398fab6adda5d3df1ce6ef6151194820cee3f95af11ab0fd72fde1f038f572c1ec9bb9a1a4495eb184fa61fcd7d57102f9b04095a84b56ed81d3ae1d69ed16c795e791c14c5e3d04c933b653ceddf3dbea6e5951ac3b519c3bd5e5bbbff23ef6819cb1293275c032d6f30d01eb61aacde5af7d1aaa827a6fe7981c479993357ba12b0a9e0426c93ca56defe6d840b088b7e8dead79821c6f3e73c792f5e9cd14c158de1ec2237cc9a430b97dc80908db3679b6f48081556cfbff12b7c5e9a76e95990c57c8335116551	SupportAssistInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\503006091D97D4F5AE39F7CBE7927D7D652D3431\Blob = 5c00000001000000040000000008000019000000010000001000000091fad483f14848a8a69b18b805cdbb3a030000000100000014000000503006091d97d4f5ae39f7cbe7927d7d652d34317e000000010000000800000000c001b39667d6011d0000000100000010000000e871723e266f38af5d49cda2a502669c14000000010000001400000055e481d11180bed889b908a331f9a1240916b9700b000000010000001e00000045006e0074007200750073007400200028003200300034003800290000006200000001000000200000006dc47172e01cbcb0bf62580d895fe2b8ac9ad4f873801e0c10b9c837d21eb1777f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000014000000327fc447408de9bf596f83d4b2fa4b8e3e7097d8040000000100000010000000ee2931bc327e9ae6e8b5f751b434719020000000010000002e0400003082042a30820312a00302010202043863def8300d06092a864886f70d01010505003081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f7269747920283230343829301e170d3939313232343137353035315a170d3239303732343134313531325a3081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f726974792028323034382930820122300d06092a864886f70d01010105000382010f003082010a0282010100ad4d4ba91286b2eaa320071516642a2b4bd1bf0b4a4d8eed8076a567b77840c07342c868c0db532bdd5eb8769835938b1a9d7c133a0e1f5bb71ecfe524141eb181a98d7db8cc6b4b03f1020cdcaba54024007f7494a19d0829b3880bf587779d55cde4c37ed76a64ab851486955b9732506f3dc8ba660ce3fcbdb849c176894919fdc0a8bd89a3672fc69fbc711960b82de92cc99076667b94e2af78d665535d3cd69cb2cf2903f92fa450b2d448ce0532558afdb2644c0ee4980775db7fdfb9085560853029f97b48a46986e3353f1e865d7a7a15bdef008e1522541700902693bc0e496891bff847d39d9542c10e4ddf6f26cfc3182162664370d6d5c007e10203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041455e481d11180bed889b908a331f9a1240916b970300d06092a864886f70d010105050003820101003b9b8f569b30e753997c7a79a74d97d7199590fb061fca337c46638f966624fa401b2127cae67273f24ffe3199fdc80c4c6853c680821398fab6adda5d3df1ce6ef6151194820cee3f95af11ab0fd72fde1f038f572c1ec9bb9a1a4495eb184fa61fcd7d57102f9b04095a84b56ed81d3ae1d69ed16c795e791c14c5e3d04c933b653ceddf3dbea6e5951ac3b519c3bd5e5bbbff23ef6819cb1293275c032d6f30d01eb61aacde5af7d1aaa827a6fe7981c479993357ba12b0a9e0426c93ca56defe6d840b088b7e8dead79821c6f3e73c792f5e9cd14c158de1ec2237cc9a430b97dc80908db3679b6f48081556cfbff12b7c5e9a76e95990c57c8335116551	SupportAssistInstaller.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 216 wrote to memory of 4256	216	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe	85
PID 216 wrote to memory of 4256	216	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe	85
PID 216 wrote to memory of 4256	216	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe	85
PID 4256 wrote to memory of 4680	4256	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe	88
PID 4256 wrote to memory of 4680	4256	beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe	88

C:\Users\Admin\AppData\Local\Temp\beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
"C:\Users\Admin\AppData\Local\Temp\beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe"
1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:216
- C:\Users\Admin\AppData\Local\Temp\3582-490\beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4256
- - C:\Users\Admin\AppData\Local\Temp\d66548b6-286a-4591-9d9d-6655bf9539b3\SupportAssistInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\d66548b6-286a-4591-9d9d-6655bf9539b3\SupportAssistInstaller.exe" "esupport"
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    PID:4680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

Filesize
86KB

MD5
3b73078a714bf61d1c19ebc3afc0e454

SHA1
9abeabd74613a2f533e2244c9ee6f967188e4e7e

SHA256
ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

SHA512
75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\beb27eccbd6e9b8db6533b6ba944a137e5cde74880d90b34e932552c45cb224eN.exe

Filesize
1.2MB

MD5
84b087e870e3d3c6a2527df7cb09e17c

SHA1
cd960da3740cda1799cb072e1b90079415e46799

SHA256
acde4f1c50f0ff2d01c333dda68d894cc95d3e7526633b0f49456f587d0b1d17

SHA512
45bb754b4c788b7590c1e9086f0bc7adedb33f5daf411a88830f34688d47c28459ea174e81b8564016333aaff8214a90af6d5506896638a021031d9491e0e446

Download Submit
C:\Users\Admin\AppData\Local\Temp\d66548b6-286a-4591-9d9d-6655bf9539b3\Dell.SupportAssist.Client.FrameworkLogger.dll

Filesize
18KB

MD5
8fb21349b0fb5e5d7de8b921e25e10d0

SHA1
bee87220da3d9513de14e7d303120ccc09de8505

SHA256
b9fe3a919470f29464d4537e8a569bc9561b956a7b82976b23ffb9b4e22db13a

SHA512
58a1728350c10ea68d9849a2746ee6c2ec2e9beb959f090aa1ff222a24cb8c5cb7d1ad80aaede11b695c7fd866606e83d3fe2dfa50a13b06f5c05384f80a941b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d66548b6-286a-4591-9d9d-6655bf9539b3\Microsoft.Practices.Unity.dll

Filesize
143KB

MD5
27f24aed31d72c0a3214e54e4137fcf6

SHA1
93dab8c3392ab7eeb0062fc4224d57dde75b6794

SHA256
8355fd8ff475f1d032bc6667f185e25377e35644b5ffd2fe12c8e83705a03957

SHA512
16215965e7b317de67beae9c94a7187ff32b47e7a7ff1e38c2947769d53961defc9f8741d7e7e37ce74264c60e5c35df71065e36069776ffb3c71d3a064786c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\d66548b6-286a-4591-9d9d-6655bf9539b3\Newtonsoft.Json.dll

Filesize
688KB

MD5
0428dddbd43486d805f6f72d6539dafb

SHA1
43502e57b6c1542d452562a013a4a0952937e1ad

SHA256
ef80e07b7819d8a82bbb8efc4109618b51c7df5e3463cf04e3b332cfc3c01efc

SHA512
9b67272ae8739b25f0ec5d0572a834c5edab7a9ecc27b47de9a5998849a8c4712c61a841ec94e49dfe4cf98f73690ea6e9020e1c247af105d746c9147f79f879

Download Submit
C:\Users\Admin\AppData\Local\Temp\d66548b6-286a-4591-9d9d-6655bf9539b3\Resource\SA4_Installer_BG_900x600.jpg

Filesize
113KB

MD5
305fd53cde696bc7603f21955dbe75f4

SHA1
f1400ac28e32270e4d981e4c4cf37ec47506f6b3

SHA256
8bd98eaa8f939d1c8e69d219982573bf8fdb9c62c25c71b7cf385ff41fc5b276

SHA512
b0032a438d29153e7e5f95409c0df36dd9a884961e7b41de42303ee5f577d009129f03dfc2bd1debf5ceffd7eb2499c45381faabc1109fbc442001cd8a1d0d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\d66548b6-286a-4591-9d9d-6655bf9539b3\Resource\en-US\Installer.json

Filesize
6KB

MD5
607d5d437d88863e793eb4f659a37981

SHA1
c7b2f6ab7c52a2c0e4a8c776f27af21e8a4f539a

SHA256
3d509e191b06487e56638d1dfc4ea5f540a833c695219ccd241e70fa0751baee

SHA512
d18c5f4934d9fc07f646ea25f02019224c600b63ea5170d234fd78a9e8805e37ba82a543111a3fa7d6c266c6669063620af93437757040a02cbf42f71ad87647

Download Submit
C:\Users\Admin\AppData\Local\Temp\d66548b6-286a-4591-9d9d-6655bf9539b3\Resource\roboto-light.ttf

Filesize
123KB

MD5
46e48ce0628835f68a7369d0254e4283

SHA1
e321c183e2b75ee19813892b7bac8d7c411cb88a

SHA256
ee4352049603e5960550f55444ad720d8d4ce322c0dcba1afc77de78c430d0d5

SHA512
8ad21d9c1c0496de9d47a5f353e437de399e24e9f780ec9beef1963cb9ca4c657748eee2493d91d57f1be1393411303db7f21e4543696c9843ff0e570d2882d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\d66548b6-286a-4591-9d9d-6655bf9539b3\Resource\roboto-medium.ttf

Filesize
124KB

MD5
894a2ede85a483bf9bedefd4db45cdb9

SHA1
6060ca726b9760b76f7c347dce9d2fa1fe42ec92

SHA256
6e2ec5c5f89e4ce302bb93b46cb7cc336236501de17348e284878914c5e0e723

SHA512
cecce690b1066f3424ba3684cd4f7993746551d3642fda4f044090fe285ec2a73bfecde27f0df79824b99c42aa6b033a890b5174215748716d8ac4741a5d6a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\d66548b6-286a-4591-9d9d-6655bf9539b3\Resource\roboto-regular.ttf

Filesize
123KB

MD5
df7b648ce5356ea1ebce435b3459fd60

SHA1
824b5480c977a8166e177e5357d13164ccc45f47

SHA256
bde8a188e37aa936b167aecc5e5a3da40262f6e51fd54c584f2cf2b6b99d96ca

SHA512
d78cb378c0b5939fcba01c272616010e28c7878ef63944fc9bf48f2f0abec6f9c72c4f56ed9785194626fa6979ae3f4d7b43e924ef84686e6ff2b8058e5580a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\d66548b6-286a-4591-9d9d-6655bf9539b3\Resource\roboto-thin.ttf

Filesize
124KB

MD5
94998475f6aea65f558494802416c1cf

SHA1
173ed64528b4d010a76d8d38deb1d7e7eed58eda

SHA256
db1d464343bf795307bc90da83d65b93c841fb20f38662f92f1e5e2c5a1d2ec5

SHA512
51cba34e46887078ee3101bfe6f652451d67a73c2a6c0b05bf353e1cc358b36ba99f09a0ffdbb59bea491590e935ba2b0a65798e9b67e6a3a3b8491bc0463ffa

Download Submit
C:\Users\Admin\AppData\Local\Temp\d66548b6-286a-4591-9d9d-6655bf9539b3\Resource\spinner_blue.png

Filesize
1KB

MD5
0d264f346bcc8a340a413d5234285786

SHA1
95b8c10c89e07b0a41e189f9016b48dd60fd6f17

SHA256
41d3b9695455de5c7e58894ae854ce34e72b1d808a3c02ebb2fefe97e9533281

SHA512
16770c22b8205c00e75a4bd284580389d9cfb7486669a68e7a76c5eef3413b00d66685104113aac9e960c83db44d57f43bc292f141a22d9d6528acdf53e1ada8

Download Submit
C:\Users\Admin\AppData\Local\Temp\d66548b6-286a-4591-9d9d-6655bf9539b3\Styles\DellStyles.xaml

Filesize
2KB

MD5
e0e508eaa2aff8fc6790d34a404c58bd

SHA1
e21ffc5aafd34f51cb7e6328a8eb7591f381a968

SHA256
9f96fb69b50c735eb4d1c0dff55a804f69ea7212ba9dc0332ac10c42a0b7b2db

SHA512
ab9e91f6aef37e0f84e31d095d607d5bac18109fae8807966a7be9834c00de44e5896d47ae6cb687a4fa616160a2da7af386b492d5aa9bf60a61e64c5677168b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d66548b6-286a-4591-9d9d-6655bf9539b3\SupportAssistInstaller.exe

Filesize
943KB

MD5
797402be3e790bb35dea470ef063b66f

SHA1
676e9b40372de05b176e6306e5929218ad6800bf

SHA256
68b204dde251c0331a1f1554d9e7b9c50390deeb0afd0ae37ec23e8cd658a2d3

SHA512
cd51f5150a40c8ba61d52f932591a80f897fdb30bc504c25517139055949b71a2ea1b26bdb95a6dc37914490b38c1459c61a1999fc6198db69fe2368a22c7209

Download Submit
C:\Users\Admin\AppData\Local\Temp\d66548b6-286a-4591-9d9d-6655bf9539b3\SupportAssistInstaller.exe.config

Filesize
538B

MD5
e97ac84664026547fb344425a89c0edd

SHA1
6fd4dc83604a75e8c8057fb3008d044da91e16e1

SHA256
e93f8fbaece629c2d4621e7ca82ec57d1f05a746a06f45f8b41a43413885e518

SHA512
465a0ff55c6911cd6dcd1fc20b9d80ae45213994ddcc61b5dfbf0f84ec1994b87618d430952b41e7a242af44682cb38fb490d9a3a4f5fa23f4725e0daf410038

Download Submit
C:\Users\Admin\AppData\Local\Temp\d66548b6-286a-4591-9d9d-6655bf9539b3\log4net.config

Filesize
813B

MD5
f6f8cd68eabfb8b7131d0d4de878272f

SHA1
ddc0655264cfee990bcd96b834bcf6b0e76de7f9

SHA256
087197e3b5820d8b79cad05db5331ecc114e701f273571e2b833e01472897ea5

SHA512
617b6227542b25e0c53cf36897018e524895676d07ddbf95550c18091aaa1af23aedf2fb969b2c752364867d03252c624a537ffa23523e5bd10850e81b426e85

Download Submit
C:\Users\Admin\AppData\Local\Temp\d66548b6-286a-4591-9d9d-6655bf9539b3\log4net.dll

Filesize
274KB

MD5
8cc649cf5d9c869294f03297a131ed86

SHA1
5f1891ea1dea67e854991c6ab0a720b158ec42df

SHA256
8e5122fc22ad819e37591d2302ffc1d840483ad9a2bf9e342301f75c3baab2c7

SHA512
d39aa488f7560385e5617ff9c4ea1693c5672e4b6d82371051a2f3eb289287be29d34a3d2e1ea3362961f3d675082596a77405685e0eae3b746fcee58e884dc6

Download Submit
memory/216-272-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/216-265-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/216-270-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/216-274-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4256-263-0x000000007392E000-0x000000007392F000-memory.dmp

Filesize
4KB

Download
memory/4256-264-0x0000000073920000-0x00000000740D0000-memory.dmp

Filesize
7.7MB

Download
memory/4256-118-0x0000000073920000-0x00000000740D0000-memory.dmp

Filesize
7.7MB

Download
memory/4256-17-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/4256-14-0x0000000004C60000-0x0000000004C6A000-memory.dmp

Filesize
40KB

Download
memory/4256-13-0x0000000000240000-0x0000000000370000-memory.dmp

Filesize
1.2MB

Download
memory/4256-12-0x000000007392E000-0x000000007392F000-memory.dmp

Filesize
4KB

Download
memory/4680-193-0x0000021EF8B30000-0x0000021EF8B38000-memory.dmp

Filesize
32KB

Download
memory/4680-257-0x0000021EFB8D0000-0x0000021EFB908000-memory.dmp

Filesize
224KB

Download
memory/4680-183-0x0000021EF8B00000-0x0000021EF8B08000-memory.dmp

Filesize
32KB

Download
memory/4680-216-0x0000021EF8B70000-0x0000021EF8B78000-memory.dmp

Filesize
32KB

Download
memory/4680-184-0x0000021EF8B10000-0x0000021EF8B18000-memory.dmp

Filesize
32KB

Download
memory/4680-188-0x0000021EF8930000-0x0000021EF8938000-memory.dmp

Filesize
32KB

Download
memory/4680-219-0x0000021EF8E40000-0x0000021EF8EF0000-memory.dmp

Filesize
704KB

Download
memory/4680-226-0x0000021EF8DE0000-0x0000021EF8E02000-memory.dmp

Filesize
136KB

Download
memory/4680-249-0x0000021EF90B0000-0x0000021EF916A000-memory.dmp

Filesize
744KB

Download
memory/4680-180-0x0000021EF8910000-0x0000021EF8918000-memory.dmp

Filesize
32KB

Download
memory/4680-182-0x0000021EF8950000-0x0000021EF8958000-memory.dmp

Filesize
32KB

Download
memory/4680-181-0x0000021EF8940000-0x0000021EF8948000-memory.dmp

Filesize
32KB

Download
memory/4680-179-0x0000021EF8920000-0x0000021EF8928000-memory.dmp

Filesize
32KB

Download
memory/4680-134-0x00007FFC5A0F0000-0x00007FFC5ABB1000-memory.dmp

Filesize
10.8MB

Download
memory/4680-256-0x0000021EF9040000-0x0000021EF9048000-memory.dmp

Filesize
32KB

Download
memory/4680-195-0x0000021EF8B20000-0x0000021EF8B28000-memory.dmp

Filesize
32KB

Download
memory/4680-131-0x00007FFC5A0F0000-0x00007FFC5ABB1000-memory.dmp

Filesize
10.8MB

Download
memory/4680-258-0x0000021EF9090000-0x0000021EF909E000-memory.dmp

Filesize
56KB

Download
memory/4680-261-0x0000021EFD0C0000-0x0000021EFD282000-memory.dmp

Filesize
1.8MB

Download
memory/4680-127-0x0000021EF65D0000-0x0000021EF65DA000-memory.dmp

Filesize
40KB

Download
memory/4680-129-0x0000021EF65E0000-0x0000021EF65E8000-memory.dmp

Filesize
32KB

Download
memory/4680-132-0x0000021EF6680000-0x0000021EF66C6000-memory.dmp

Filesize
280KB

Download
memory/4680-266-0x00007FFC5A0F3000-0x00007FFC5A0F5000-memory.dmp

Filesize
8KB

Download
memory/4680-267-0x00007FFC5A0F0000-0x00007FFC5ABB1000-memory.dmp

Filesize
10.8MB

Download
memory/4680-268-0x0000021EF8650000-0x0000021EF879E000-memory.dmp

Filesize
1.3MB

Download
memory/4680-269-0x00007FFC5A0F0000-0x00007FFC5ABB1000-memory.dmp

Filesize
10.8MB

Download
memory/4680-126-0x0000021EF6600000-0x0000021EF6628000-memory.dmp

Filesize
160KB

Download
memory/4680-124-0x0000021EF6030000-0x0000021EF6120000-memory.dmp

Filesize
960KB

Download
memory/4680-123-0x00007FFC5A0F3000-0x00007FFC5A0F5000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads