neshta | 541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403

Analysis

max time kernel
122s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/10/2024, 08:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
Size

455KB
MD5

ef1865f411ee6d335a598b5986b12060
SHA1

17bc37bbd07cd4629dfe63d357c3f355f11d5da5
SHA256

541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403
SHA512

fdfa9efb2651aae9ddc9e8feca8239b9fc90ac248c04edd03a45f756668b5c17fb38ea662bb14414d8860b65ba77ae7b5409abe8db7418f0ea0a9086e893e785
SSDEEP

6144:k9Em6g3oBxSPWMSRaR9bYLw5gQMwv2rn3:lmRaSaRiNSQMwv83

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0001000000010314-9.dat	family_neshta
behavioral1/memory/1240-189-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1240-423-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Executes dropped EXE 2 IoCs

pid	Process
3024	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
1216	Process not Found

Loads dropped DLL 2 IoCs

pid	Process
1240	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
1240	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc50000000000200000000001066000000010000200000009d6cc01788d802484fb53f686878bb13c9088c2cca440cc72375c62d909481a6000000000e80000000020000200000002855050947f77e824badac81be142eaa814715d54d0e14bb9b2b3e84e42d91e190000000f204b0126f62ece938293aac25a384e9b38338d41adc137c6c289a830680e556e01ad2b52285aa31e9b711b13aa22576065482d100ea8faaec0e4e706a5b38a3120f7392708d42965f3445b6999807f6724fee75bf7ca3881141978dc8dd131739ef835fea23edcfe3765f8ffde1796e71fe56dfa102dfffb322c81f6ab4d8da0a24dd6e572fba40e7a283bda869f437400000007c81e75d18b5448c681ae471de59c256f060e8a9bfc23da55b4d03931c6bf16d45d2e71328c3da751570c0f646320986c277d4612aedec83de7f59ce3a55b052	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 9088ee6d1629db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "436267258"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{97E72941-9509-11EF-86C1-D60C98DC526F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc500000000002000000000010660000000100002000000034b5b1450831ec80a61e214c722fb507ce72c9cb52b4515dd51ce69feb6b9d7c000000000e8000000002000020000000d635337b5bcced75cff86ba4d855d6472213a8f88c1c3c26d638b3d26a51cd8220000000934cb405956e037090550ff7a7a2c80ba4dddd37dce3b6ba93cb14cc7f99434340000000a2b3e0e8cf85e5444690a1483a3267de5e891d8b074c7b781a381eb62b5739a2eb6414ae677e557e1dcd48ce0ce971aafd276db2af7dcc1d8536f228d3019f10	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2492	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2492	iexplore.exe
2492	iexplore.exe
2968	IEXPLORE.EXE
2968	IEXPLORE.EXE
2968	IEXPLORE.EXE
2968	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1240 wrote to memory of 3024	1240	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe	30
PID 1240 wrote to memory of 3024	1240	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe	30
PID 1240 wrote to memory of 3024	1240	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe	30
PID 1240 wrote to memory of 3024	1240	541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe	30
PID 2492 wrote to memory of 2968	2492	iexplore.exe	34
PID 2492 wrote to memory of 2968	2492	iexplore.exe	34
PID 2492 wrote to memory of 2968	2492	iexplore.exe	34
PID 2492 wrote to memory of 2968	2492	iexplore.exe	34

C:\Users\Admin\AppData\Local\Temp\541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
"C:\Users\Admin\AppData\Local\Temp\541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Users\Admin\AppData\Local\Temp\3582-490\541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe"
  2⤵
  - Executes dropped EXE
  PID:3024

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://zoom.us/support/down4j?os=win&err=20030000&v=2_6_1
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2492 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
caafb16a514ce35a29d2e6073f9b5e63

SHA1
595bc64cfec5db95ea89014c65f880d1548afa7e

SHA256
901e0f9ea319b48db3eee523da7c7a4c4e38e52851d96e245cd53c89f81238c2

SHA512
8f09f6d978cb3ea3561bf1e36d1e2317e1403761d4e26ad8e8dc23ce906c84093c5c36c4197217fdba01aa164e522f2bb04dafa1648c9298cf482ac8bbcae5a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
14657ccf3111d6dfa33b489449640a05

SHA1
865cf9a897a6fa69c8ea534e28a864e470a7e7b8

SHA256
846fb54d579bae243a8abea4d9ad09aea025088490cf485009f3d150d14fe5e8

SHA512
7bbb6c5cc189fe5b64232ddc28be00e49b8ec78ddd7f164f3d7718a237498805e17e86835b74c3ad8c00885473c90ec7f6baf4ef2fd9cf48cdecfde4e867b9f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2c1812ae2370f131c3a8c4421e94fc66

SHA1
39d48a6504d9a139dcaf2b4657e07af3236ac34a

SHA256
704208e852bcb93c0edcd190c94c48b30cd923beb1d5d249fdba87cdecdba96b

SHA512
a0c51bd373c73067771ed682f7aa0cc53ba527686d6f1be9b39fa7ea142ebdb8cfa68fe359b8c7f80e88c8a796c29373ac95e8a49166de34c790940a73bd0b06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d88b0b4f227f22cd8ea42cb100eccb9a

SHA1
da9509379e79ddef38e3926be8db2d2293cb4a0f

SHA256
02a18f8921dee13509f36e4a1a24491e3d33cbb775de11996667adb6e6dba526

SHA512
0cfd4bac7e0bc8a8caa986e1e16c179bb696e07aacb8c0d01540c02ba5a264405727bdee46e2cd1bce2bf5d67292d5ae2f9ac6da96bb1715b9d9292fa77203c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a02701680a68ff0fb70c992404956a4b

SHA1
60a948d764266576284b219b5aead5a2881edf99

SHA256
ed55ad4205a88db94ee25f6d772c1a14fea1db9cb1f02d6c7651f4280ca1cc0a

SHA512
5919d4d56d8adb5429715211bf715bd715ac418c57b5fa4a235cb5aa97cc0f6c403a05069e4dd65664fbb89c64afd961101f668dff505d89e3a04baf56a3a6f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
12e58fe87d2d5dc053acb97a92673773

SHA1
44b343fabb28bed9e355a5ac851da50a750ea812

SHA256
7b9a0a7cfa6543d79b8c72efc04b325014d11df3e2c0bb35a8bfaa21be5f068d

SHA512
2d94cc3a0fb80bdfc0cdf1a6e41d22468de818b692d123d01f8ee91379f5e27f3a46376dffcb724ceff2b933da9b62d645ad994f1d744838a736ae1b90b1e981

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4fe118907b199cf92ae71875aebd9dcb

SHA1
dd7bf5b49852ea89a3ef8dbda1802df46b37bb04

SHA256
f7b857bd04909da4ee633610c28be9fea0c0a553264e6a95b4483c375c9f703a

SHA512
0f9b8d58706cc142b9bfee4160e3d234dfb861de1bdf24c6eb742fbe74be99ad712dd86e3b7c0de9915d91ff588d252e3db01e170858e80e66bf994054dc95c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
90989de082fd52521dcb50b856742799

SHA1
78538d6373d2b3f799e881512a2e8498732bfc90

SHA256
6ba58e0509bbaa246b838c5c5ecfbba0925f5af93188bb5a03d21856400331c9

SHA512
1a2d641ad29f76323282481edc794a630a4afd60e51aecf91c44f18e7323349136f860393658266bbc8ad3499920bc90abcc4141252c927985225b9126227c73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe5f77bd0a31d3d514d44405f05627da

SHA1
4ab35313599e0670d271798990c85048c1c4cfa7

SHA256
5560ae803e6ab26ecb1f77af61b22b83edeb7356724cb79c0e50fe111bf95a40

SHA512
d9313412d720ed3159024b2524328e6489d4cd27c3ba23f5f02905b5764ad347059b59a3cb03ba4cdd8c0a7c32d039056baf48c6793c85611b916b6f7146d019

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
76456a4662610a737d27e31b915dcba9

SHA1
3bf38728a5bf8a15b29382c19319dd73665c2cbc

SHA256
446f672ecf630136d1fb4c703d81377fb626d78cf2a0aed082f062f465e4e61f

SHA512
4aaba89b47474f0562d921ef4efefa6da33dddf2e67d07ccb8a9a5bd4098c9db82131a8812085a6b200dda0eb6851879b3ae3d2f345226894998b34191fd996b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
86c37ded5931ae7ebe9f5f73e46d8e6a

SHA1
1aff898ebe764d6288ae43be29ebf88c66445062

SHA256
a22e7f506a81c5ed9285387f9eb794b33d966961a840556df9f7c9073d36a9e7

SHA512
85a135fdd0c89d7e84b07de3788c1f7c220e88c2879c611654f47972d5ba776a5b400f9aff90eab7af93f04d780fea97ef370d7a712333142c4126eae40a32bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bd559f2a21ddcd7ddc2776ef78a1c4b3

SHA1
8f749788aabb94e15679c9f82920765dc2247709

SHA256
80a095c090c69de54122e29e9a95bb1f411fdceb2c3e19d6512e8e56fa413e1e

SHA512
9d00498f1cf657f04c5aaf779f51aae8a0b5f481937430bdf3f387e9e2da90f2e0d7718b73dffd64f5d8fc8e051eaf89e19b3fa827d31903e3d948bcacd33ded

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
090be5c172b078b7f1a76eefd6fb841c

SHA1
ac52630407b41bd84f4a333daa476eefd60a9da0

SHA256
3393721fe69e6503493c326616141f0c3f053732dafd2fe2acab3e5858a58b61

SHA512
e5eb54a30e95faf21452168aabf66fc92ca3076c318640d7f4808e446dc231aee92e0e846c5e9190af35a32708b5a5b0ae76416821460db02cd951be6cb97116

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d2d3866493b1dc03eb38636bd5ef2988

SHA1
5d1bd66c93b5bd1f1e1be9e1f5355b9bb97e264f

SHA256
d40d2f8e9bfcfc0b993b35eb8791ecc91a3cd339f11c463757aafe3d8a759584

SHA512
17cb05ac1405d23a78a0c57ef76a622e395e380449e98e2867d7ebbe1dc5b5e36804d1d4b75b373d46a43490feadd3159415e7cd728c5372a5fff808bd99f084

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e766ea5b020c773819d0d20d58a4ab81

SHA1
ec2a5fa2941384b216627b056d9f6e1385555aeb

SHA256
0d11d2785afe35419d60de418a36e2ab5e521d2cab5ae1f2158b8e7319fbfb14

SHA512
05858477261d9b6161b0800ad323a6c1a4e6009740be5e5ce2b9eec0608e6f10a2448760d55a85b81e18bbef6fdda1201a77df4082687d065b2625d8d7ef2ca8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9de4dac25e1f6e18b06311d387f6e2d1

SHA1
c5d85b626121279bdf33e3e95952ccc73ca5e603

SHA256
4dc5104d2f367a907b061ff980faa9e5211674a38221c434e900d826ae2e12d7

SHA512
ae922c32e3484f991d4a0dbc8ec78b686ae7e1c1aae0e90ebb5c5dbc4fc458337e1277b01c802799eea3743ba49f23faf6a492a7aa0de6228a91cc42e914b502

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
68265f9b54b152ad791ce1be72e2287b

SHA1
7748e21c05271cc3b898d4fb78c24e693a65967e

SHA256
c05c2355e8f1961366cc47bcccc4ffa35e8d7ea52d26d74ff264fcf7baf56a31

SHA512
4592bb151a3a0230c076c0c23a0714741013f366259d40db60603a7860a93ce3aad6fc5f7a79e7ecc9e7f70ac0bc3cf1400cdd790e1f1233bc3bb0cda9878b22

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bce724cc57f7d1ea5ecfdb6e35467db6

SHA1
9255b0704abb69c69bac1458bfe223d79baea3f2

SHA256
b42d1ea1f3619221b5f03901ce2279ff5cc4754d8e5db32c0049e7506aa7e131

SHA512
ccd903ae2ff379f4e2a67374e251dc3f8d5a93297527769f9dcbb64a8fdc4fb0b6934e7245a9fcbe03287d073e3ba3855db50ec534a4f9d1347d4c30baeed1d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
01edd23f7f9158f1ae23ddb58ba00d7a

SHA1
16309129231f6f15a13a939336c3eee07e5f36fd

SHA256
97b4c4ad253f9744468b1f607f087b7d4b47fe48d90cab8a20e507159cf9184d

SHA512
5bc1d42a458877f5332cfd4ad07d7c35d365eecb8185b77c2213398e837707f32da4f1009113b34ba396486fd375fc7bfb5ca5de93f87c1d85405e890ddebf5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
09f21a3fdfc1148b23be4399b30b55d8

SHA1
c062cde26817a5ad0b802936d33b8ebf5c0c743c

SHA256
08dad073d8201eebac56fbc38bf9ed9c1161e449c127e1b111dcdf6e58b8dd2f

SHA512
a18e253fff60f5fe9bc05c455210fb58a8e7a255befdad59e39cdc88b8c3c5af476b62269d2615089d42e8a9896ec7bb7b3c5ae9aae73af21e96138d48b801e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
70f85812b0b834962bb1b2ae615c3631

SHA1
bf5d906da16e3a83157e0ebf1202b95a56f7c5b1

SHA256
747c94c4d09e90a0e6031f057d0f5cd02bf7566013a8e4b2d0f4c18c95215684

SHA512
6c5686c42b9e7675c377804a4c43d435462a6584ee029b301be903f8c66fefdcdc5225088b90886ca01109617a52e96109aba79e0ea244d799ec390c06d338a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea4c32b03d75809c6d15914cb98cf744

SHA1
933fd07e4e5ea7afe556bd48b101de77fc842567

SHA256
5cff1cd855a7d6626f3d53a282a31fddb38270eb0f96e6a78fa46642da34dc7b

SHA512
584c8d9fc445a6bb67fafd1150296e1b4e74f1149b9cfcf778f72721e0dac7d68a9adabf3d2da528562b4be0b2f797ee8b3cad5320f2c88e0f8d75f7588b316b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
24c748366d7efd29d97fbd10b9b1e3c6

SHA1
f819fb40c13473cbfbe255f7ab9be28548c44fdb

SHA256
c00842e29137d596f670a34bcfaf07c5b116088cf8cd9d9d0ab07e831eeb829c

SHA512
69492fad6fc93a5b883a9fca0aab2096a8e5d5f960809d02ccc813ba3fb85338f56cb4a8d1e2193e2cd838d91cf0f8924ba177a4df812365be1f97d9717e2294

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
96b49455bdc3b8ce3072a230ee3af4aa

SHA1
75d4f7434a2703ff6bf1c1d3292f869c64d993df

SHA256
1af6a4c5e3912a1a728a60a697156fbff1f461380589e298a52314afe53eec92

SHA512
00caf8e6d1f2a93ce902b815a3f70591fd298b35ce7b7c47338ccb7a6239019bb8b2ae12c9ef380a1c236b4129a711ee4780006e2da25909f4e3e4cbc080be04

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
607060b9ee26bce76bf0b7dc0b3b9d1b

SHA1
9b6ff1a4ef901df123cf3b943dec5a9c93187afe

SHA256
d2ba6fb673c5bed1cd68f65b50101ae8e33e294c8f764bc258cd66adc8180591

SHA512
87e3347c801f718758b3ac49ccb6f98e6aefe768572bdea4077bdaef8491afed6a376c1decd3b480564eabab21565d3060e971256c5fe2525076e9aa20db8dc4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e4825442b4f40fd42a4586a49f3f1dc8

SHA1
785ee8de68efc5bd0d89c3a91ffb693dc935c01f

SHA256
836027b16e2d5b328ee50bbad1ec945abcc73600b9e18722292f89f9fe086b1e

SHA512
0c6f6885a78979f5cc32a1e13510e9794a8b254c64cb3fc667cb3dc67886b17afcb2cc4590a335fb8e34f49de9729fc58a080dbeba6d3d0d3b6bb684f6cc0dcc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
43c39bc5dd48753697d0623af1ff1ca9

SHA1
da7d6a55d9168adffe6a0b6c96df5df762af33b1

SHA256
b1222118d32405e3293810bbcb4030bef956194250687810a2b1a11b9d4bf6a7

SHA512
e299a87f154ce2d5307d9ba76ea6c6d6f4a7be47d79e371fa6146e87e2a1e816ce84668e62f654cba8974f04d916560fd8ee36fb36bd1d8093a9c2be9dcc23d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a66d37043ce082c60ebfa27f791b94b1

SHA1
fbc24650fc20dfca031d9f6a632d289ade81b845

SHA256
6ae317bb9fb7eab529632582fcefb5c6ae46365689b41290187618ea926906b9

SHA512
227102006603418aa71d8e8b8be3b55fd09fd5c8c0886513e70fe76596fa92d390a426962810d2feeb4ec98c33c350a160d1f1b5b9e225ab91b0ee5e79fa3744

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e8ae566f1cb664364ffad9b9708f3fb

SHA1
a76a4b61e352bb27f2c06df37ad2d80735dd0d28

SHA256
1e2dbbb79d4cdd8aaa66c31a4055a98916199ad45c2040b3e10032ba9e802d0f

SHA512
2c92ebf4528f69d0248fbeb2229dd5b96a59b593aa980869d416106afbb752fae1f157bf8e3ebc8d9d5aa27fa87c6a91c04fbe213b5d363c8b689d2a1c17c8f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
411cfa3f5c95f98df2b287c976441497

SHA1
5ddc95f93f045f6a38bb7209e75d8b356adbfb35

SHA256
6ab0f9db952894c31c6e92963c6553198da515510566f4e7149286a65993fed6

SHA512
8f1277e9013d17fd31e4a98287be835818c7cc7555e45f1ccc834249c64cdfdbb87b46c433f3af35da7c876e7f4a709a156ca25eb601714589c74b4ae812efa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB76F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB7B0.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\541eb776bdc2f8689f7d36d7321860cd2b96a76a5e0b4597466355e92fb52403N.exe

Filesize
415KB

MD5
c3464f9a7fec5d9c856ebec5947be8eb

SHA1
a372523f4ca1a4d1f4c8c7d8efccf4ffa42c06ee

SHA256
455d345e65b3994acbd921e318c91c968bdb2344d259b472dbd16a95787d8388

SHA512
cce63ac446a67a6977aee9a48c4552b6caf274c925f10541072618aa6505a18d172799b15e5b5eaf0ba89c685230ab7ad7e1a18aff4aa08cba0e5f913b5e2a9c

Download Submit
memory/1240-423-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1240-189-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3024-190-0x00000000004B0000-0x00000000004C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads