neshta | dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-11-2024 13:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
Size

8.0MB
MD5

522c36c342a2ead024c63b2ad4af7750
SHA1

9b41ce535eb7efb20a808e017b0f82d223656e51
SHA256

dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95
SHA512

b67a86340fa3d74fa616e0f563b7bc500a6fcaa9cbc443bddebc1332355f0b9d2de771a9a46388a7472f3a1cd190307305745d15323a8fbdff9ad316ac3fef00
SSDEEP

196608:XbEGIvoTLRugGP9N2WDxovI1QBujVv13n:gGT9O9NL2giBujR1X

Score

10^/10

neshta discovery persistence spyware stealer upx

Malware Config

Signatures

Detect Neshta payload 4 IoCs

resource	yara_rule
behavioral1/files/0x0001000000010318-13.dat	family_neshta
behavioral1/memory/2308-200-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2308-546-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2308-549-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Executes dropped EXE 2 IoCs

pid	Process
1972	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
264	psiphon-tunnel-core.exe

Loads dropped DLL 5 IoCs

pid	Process
2308	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
2308	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
2308	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
1972	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
1972	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Unexpected DNS network traffic destination 2 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	37.46.117.43
Destination IP	198.244.252.11

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000015da1-2.dat	upx
behavioral1/memory/1972-16-0x00000000009E0000-0x0000000002186000-memory.dmp	upx
behavioral1/memory/1972-201-0x00000000009E0000-0x0000000002186000-memory.dmp	upx
behavioral1/memory/1972-547-0x00000000009E0000-0x0000000002186000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon-tunnel-core.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6318D6E1-A5B3-11EF-85C5-7E918DD97D05} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8d48fc8adfa6b4a805f1a4a681aaa6f00000000020000000000106600000001000020000000a38adc4554b8935cc39fade512cb96d69b850774daee4c74b230eac39a476c14000000000e800000000200002000000015b80736a66713bf6b505792ef0f8c89cd31d23d89ba2d53445374a2503ffca620000000ef78c3b290789dcbeed78778754ceb66baa011b17f66f4775e1fab19eb80e5c040000000f8f50bda05312b5513e322ca4fb3a160ab0b129b6dd2bf50334f114d8be63e4cf78a32d4e948e1509981c4aae4fa50a8e0eb5df064d0c7530b02ba6dca0c28f0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30dfef38c039db01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8d48fc8adfa6b4a805f1a4a681aaa6f000000000200000000001066000000010000200000001a82bd16c21b669f5778741d501b6e1b45d4591b57afbf8b7b27ebae9ee64aec000000000e8000000002000020000000c1c1a92e79a6551449aed0548e0a121320e4271953253681247ffc398d2f39ec90000000782f258a5749f61d116042a21302f42d0bc6873ccae6131f858f0cd3d019b7d447365b370d2a647f0f12fa8d4beffbbd461ef6f819912078e96d0a5c360f335cee62f6fddf95810a8b6363a1f4e801dd7a17964ddd238649181d844d53d4d6f01cb2d3d352429744a26b3effeb6acc647b1cfdc4e59da0c6775fd10d1196227be65a3a956ca62d9c04d8df439b1565b740000000d2cf4399015beb6e19287408a52bb82db035f7f4f7affe8c959a228fa52450cfd89d0e7325d38ec0337d52c162883941b0601f2cf60070e20df3b035af5cf3e5	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438099403"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\psiphon\shell\open	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\psiphon\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\3582-490\\dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe\" -- \"%1\""	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\psiphon	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\psiphon\ = "URL:psiphon"	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\psiphon\URL Protocol	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\psiphon\shell\open\command	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\psiphon\shell	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
1972	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
1972	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
1972	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
1972	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
1972	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
1972	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
1972	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
1972	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
1972	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
1972	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
1972	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
1972	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
1972	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
1972	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
1248	iexplore.exe

Suspicious use of SendNotifyMessage 14 IoCs

pid	Process
1972	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
1972	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
1972	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
1972	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
1972	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
1972	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
1972	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
1972	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
1972	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
1972	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
1972	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
1972	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
1972	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
1972	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1972	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
1972	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
1248	iexplore.exe
1248	iexplore.exe
532	IEXPLORE.EXE
532	IEXPLORE.EXE
532	IEXPLORE.EXE
532	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 1972	2308	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe	31
PID 2308 wrote to memory of 1972	2308	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe	31
PID 2308 wrote to memory of 1972	2308	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe	31
PID 2308 wrote to memory of 1972	2308	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe	31
PID 1972 wrote to memory of 264	1972	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe	33
PID 1972 wrote to memory of 264	1972	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe	33
PID 1972 wrote to memory of 264	1972	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe	33
PID 1972 wrote to memory of 264	1972	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe	33
PID 1972 wrote to memory of 1248	1972	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe	36
PID 1972 wrote to memory of 1248	1972	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe	36
PID 1972 wrote to memory of 1248	1972	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe	36
PID 1972 wrote to memory of 1248	1972	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe	36
PID 1248 wrote to memory of 532	1248	iexplore.exe	37
PID 1248 wrote to memory of 532	1248	iexplore.exe	37
PID 1248 wrote to memory of 532	1248	iexplore.exe	37
PID 1248 wrote to memory of 532	1248	iexplore.exe	37

C:\Users\Admin\AppData\Local\Temp\dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
"C:\Users\Admin\AppData\Local\Temp\dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Users\Admin\AppData\Local\Temp\3582-490\dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Users\Admin\AppData\Local\Temp\psiphon-tunnel-core.exe
    C:\Users\Admin\AppData\Local\Temp\psiphon-tunnel-core.exe --config "C:\Users\Admin\AppData\Local\Psiphon3\psiphon.config" --serverList "C:\Users\Admin\AppData\Local\Psiphon3\server_list.dat"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:264
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://ipfounder.net/?sponsor_id=1BC527D3D09985CF&sponsor=psiphon&client_region=GB&client_asn=174&client_platform=windows&secret=580EfjEI29xL3hoyU6dgP4vSEVxdcGI7JDFkxgjds7PHulSEF0wmORpvzbqxyTwYtpowsY4xMFnfWEnTghe6l8jiV9K5QSZoir2i6fDeKJD6EhL6DkoYTEMu2EE9YJvy3LdCUZ7ncdVC6ipgWx06wznvDLbY1ajfcfRGCpfsQJei2q6tb0GSFh1QK3x3qXKwyjmNPc5J&psireason=connect&psicash=eyJtZXRhZGF0YSI6eyJjbGllbnRfcmVnaW9uIjoiR0IiLCJjbGllbnRfdmVyc2lvbiI6IjE4MyIsInByb3BhZ2F0aW9uX2NoYW5uZWxfaWQiOiI5MkFBQ0M1QkFCRTA5NDRDIiwic3BvbnNvcl9pZCI6IjFCQzUyN0QzRDA5OTg1Q0YiLCJ1c2VyX2FnZW50IjoiUHNpcGhvbi1Qc2lDYXNoLVdpbmRvd3MiLCJ2IjoxfSwidGltZXN0YW1wIjoiMjAyNC0xMS0xOFQxMzo0NTozNi4xNzZaIiwidG9rZW5zIjpudWxsLCJ2IjoxfQ
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1248
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1248 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
f2ccf37c8a3d8e334c9413429e2bfe3f

SHA1
94c814215e11b1625073136420f6827a94279b43

SHA256
38956aacdcc101d9cd24674cdeb7064a6f3cc0b8e1311de08a124ce8a4436873

SHA512
a284a69bdb6d6d92a3c0227cf282b03ef5abeaa4dbca5cdb4e9fed20f3f1f35e3a4235a57da2994e4918b57e334465ebccb2161b3b75c468114d7586dcbc63b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
b8a33bf638fe8565e1f4e4c07824e792

SHA1
5608e061d0f9106f00207e9732b8cd71d9c8b003

SHA256
309ae91e157273199be9406218f7aa2c4812a0ef8540fe73ed7065df0492085b

SHA512
0ac3121bf158371f1f9595e28f39f782e6a2e681546052b605454110117943e7a4038496c255c13207b386e189806485880ccee9b50bdb530ac04a9acaddbb31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\anyweax\imagestore.dat

Filesize
15KB

MD5
ace3b6e59d09fe6f450aea40be691d31

SHA1
9b87e85d1651fc5601280a6c9c8ffc953d63da67

SHA256
31113f0fb6d402a077c785387f0b969f9334f36501703bc7906213b763bdde74

SHA512
a3a25a96744c42cf09991f08b7f6d9037134c50db70e20a4dd40e40a840bdc2bd0cda1cef60a733154b28762f3c623fcdc38da882a4577323565ef7f68804264

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8UFEBH5\favicon[1].ico

Filesize
14KB

MD5
f210fc0564ae5a5a2985b2848e75cba2

SHA1
29bf0540e4c291cc6c6d071ac8125cc65314fbe9

SHA256
d453748d5f8e5bb6c62791b97c733dba1d7dc3340bde957470285b2a7185b7ec

SHA512
46fac4e98cc34105d74a8a159c70d48191612f88e5ab1a7ee7276e7b2c95407d71d307509ef8b9f0aed28465688839f49b2a55da4b03f7d01b3f03c908067e8c

Download Submit
C:\Users\Admin\AppData\Local\Psiphon3\psicash\psicashdatastore.prod

Filesize
4B

MD5
5ad5cc4d26869082efd29c436b57384a

SHA1
693dad7d164d27329c43b1c1bff4b271013514f5

SHA256
c5c24f7ca1c946fa4dfd44407409c8e11ec6e41f0e1c7c45bf8381b42afb31f1

SHA512
36efc511a98e53031d52dacdd40292a46fe5eab0194a0e9512f778f88b84fac5aac1eebb6e281c44e40ef2ddc3cdea41df7f5a50e4024cd86c087ed909fe8629

Download Submit
C:\Users\Admin\AppData\Local\Psiphon3\psicash\psicashdatastore.prod.2.commit

Filesize
115B

MD5
62a248db4ef6e7ea55e71745c999102c

SHA1
e4f70e8e30d887ffeb4ebea7f9d0aeef49c87e38

SHA256
04504f7d96c94bcb3caadd0cd5c33745eb72e08daaa4c0a0bfd10ce908a0d58f

SHA512
eb0d3f69def6d68670131f27900152b74e7922ba3278767e9da29d58c819a648e6f914decbac92634166559b318699fab12eda510b665ee13dc70d8b41be5265

Download Submit
C:\Users\Admin\AppData\Local\Psiphon3\psicash\psicashdatastore.prod.2.commit

Filesize
252B

MD5
98e3e194b6064e3d535d492cf22491c8

SHA1
33195833b1bb6c0c62828ddd825e17408b8e2727

SHA256
b2379377c761bc2ca59f344872751bdb8e9a148c45f56826d394a9314f425907

SHA512
dcb0866540c6f02df57cbb8875d0d80294364f4d1f13b7538641c8cc6c21d54f66d7372e2413c3ee997d553b8a5a7657438990c3f9e5e19910c38af545b8d1bd

Download Submit
C:\Users\Admin\AppData\Local\Psiphon3\psicash\psicashdatastore.prod.2.commit

Filesize
291B

MD5
f7189e5484e23dc8764973c46ee8725e

SHA1
bcf58f26a8ce05ad6875209543f4822d83803620

SHA256
4a198d5059b7e1f7fc306ff30b0a31e86bd4e2e1f2b85ab6b9a9cde9511e99c0

SHA512
fb93364a3a49c6df0fb9f7b2dd2a83c3cc46268fc003e241a19b76dca695fdd32db3f38e2da4a66fe77ae368d25c443b6ce7dd9e96d6f472caeea2172a59c736

Download Submit
C:\Users\Admin\AppData\Local\Psiphon3\psicash\psicashdatastore.prod.2.commit

Filesize
276B

MD5
2233f4cde4cdd2c403b2fa073d9d1df0

SHA1
ba3dd7fc9c9383f46cf201446c694b58d1d28c4f

SHA256
80ff717ffedb7084d84b94ecc89092b3648fb8e5a6304ef5fcd01ca517b6e954

SHA512
8f57fb83fc0c372045a449a46dc45ce6095929404b528e71ac4c9acd3adcabde96b6c44e24b3d023507e4da22bfdc123f1fbe328d017dc84628b337320160b0d

Download Submit
C:\Users\Admin\AppData\Local\Psiphon3\psicash\psicashdatastore.prod.2.commit

Filesize
593B

MD5
61b00cb4cb65ad9d4111d5de7461792d

SHA1
3c27bbae5ed1ed177b33f68f5670d94e80d6bbdc

SHA256
adcb818ee026381ccf854eb5a0a39fe6d3376b2699240beab4dadaea4f6ac833

SHA512
6cc15e8ac60c22026358b95e923310bd4b8aa9d9a57dcf8dc4f2b61f77596aed6199985105667bfbe79e017791425995c7d22bea4892408d711e0175cdaf85f1

Download Submit
C:\Users\Admin\AppData\Local\Psiphon3\psiphon.config

Filesize
17KB

MD5
626c259d4f21c12c4efafb0aef47b7d6

SHA1
332f52b7fff95b209dfee8d7279adbfeadc8b85c

SHA256
9aaf5435e81f5e9f9878064733e57e3beeeb32b5d8caaa4b0afabfe3c8cdd2ec

SHA512
f9c14d50c3c6b6032149f764fc38021abee1d010b061dea494939d3f1c7844911b2b817d845f1e0a57846e016dd748bd2feb293a2caaf4d969b5666df564368e

Download Submit
C:\Users\Admin\AppData\Local\Psiphon3\server_list.dat

Filesize
320KB

MD5
d629c4e4395d500e89c53eb9a7c4a26b

SHA1
056dbb9bd2a90aaff70ebb08556f16f0b144a7be

SHA256
af02a6ddc9c38bb071ed1d678b5a671776b9b3bd39d0d26a4c5b54d0f294a804

SHA512
be6180b193b4728ba3600d0bead6469008f5c89a11b48c8509a84a2513879450ae4d48b2ad7f166cdd4761f1e4be231258444d9cbe8e8b18276198e59b529db5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab15F2.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar16DF.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe

Filesize
7.9MB

MD5
211017096c92e42d8dc2d0a6ddcac477

SHA1
474fbd4c2e2e7315edf92dd67634d53c193ba6d2

SHA256
9c289b55f00ea5fe9e5b356410dc2f2cca9cbb0a5e5c4ddc1a979deb817c9e3d

SHA512
61ad5af2a851f48de57630d689b851527421807a28130d3087a616558792e730aeec03a1c77a87988e7ac8c6a7036ab4a5e79a44cd76a559c6e4eba3060eb9aa

Download Submit
\Users\Admin\AppData\Local\Temp\psiphon-tunnel-core.exe

Filesize
17.8MB

MD5
960c1f54186fbb7f07d38c9865d5a2c4

SHA1
9d2b5eb822f625845b097bd92b3714bdbb3d832a

SHA256
040e4abc1988b331fea0ea208df38032d065ac65177209c5ad19b5bf082c62fa

SHA512
e0ab2243b2d7753439e50561b685f7de84d651623598cf28f160a5b37d63b1664594ad84e48db54f15395bf26c2684eeffa055381312aa469330df5397ab49a1

Download Submit
memory/1972-201-0x00000000009E0000-0x0000000002186000-memory.dmp

Filesize
23.6MB

Download
memory/1972-547-0x00000000009E0000-0x0000000002186000-memory.dmp

Filesize
23.6MB

Download
memory/1972-16-0x00000000009E0000-0x0000000002186000-memory.dmp

Filesize
23.6MB

Download
memory/2308-277-0x0000000002EE0000-0x0000000004686000-memory.dmp

Filesize
23.6MB

Download
memory/2308-200-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2308-546-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2308-549-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2308-217-0x0000000002EE0000-0x0000000004686000-memory.dmp

Filesize
23.6MB

Download
memory/2308-17-0x0000000002EE0000-0x0000000004686000-memory.dmp

Filesize
23.6MB

Download
memory/2308-14-0x0000000002EE0000-0x0000000004686000-memory.dmp

Filesize
23.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads