neshta | dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95

Analysis

max time kernel
141s
max time network
145s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
18-11-2024 13:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
Size

8.0MB
MD5

522c36c342a2ead024c63b2ad4af7750
SHA1

9b41ce535eb7efb20a808e017b0f82d223656e51
SHA256

dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95
SHA512

b67a86340fa3d74fa616e0f563b7bc500a6fcaa9cbc443bddebc1332355f0b9d2de771a9a46388a7472f3a1cd190307305745d15323a8fbdff9ad316ac3fef00
SSDEEP

196608:XbEGIvoTLRugGP9N2WDxovI1QBujVv13n:gGT9O9NL2giBujR1X

Score

10^/10

neshta discovery persistence spyware stealer upx

Malware Config

Signatures

Detect Neshta payload 7 IoCs

Processes:

resource	yara_rule
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe	family_neshta
behavioral1/memory/2892-110-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2892-173-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2892-277-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2892-548-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2892-550-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2892-553-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta
Executes dropped EXE 2 IoCs

Processes:

dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exepsiphon-tunnel-core.exe

pid process

2792 dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
2632 psiphon-tunnel-core.exe

Loads dropped DLL 5 IoCs

Processes:

dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exedd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe

pid	process
2892	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
2892	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
2892	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
2792	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
2792	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 146.70.26.29

description	ioc
Destination IP	146.70.26.29

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\3582-490\dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe	upx
behavioral1/memory/2892-14-0x0000000002910000-0x00000000040B6000-memory.dmp	upx
behavioral1/memory/2792-15-0x0000000000D50000-0x00000000024F6000-memory.dmp	upx
behavioral1/memory/2792-111-0x0000000000D50000-0x00000000024F6000-memory.dmp	upx
behavioral1/memory/2792-112-0x0000000000D50000-0x00000000024F6000-memory.dmp	upx
behavioral1/memory/2792-174-0x0000000000D50000-0x00000000024F6000-memory.dmp	upx
behavioral1/memory/2792-278-0x0000000000D50000-0x00000000024F6000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe

Drops file in Windows directory 1 IoCs

Processes:

dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe

description ioc process

File opened for modification C:\Windows\svchost.com dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exepsiphon-tunnel-core.exeIEXPLORE.EXEdd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psiphon-tunnel-core.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEdd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438099657"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b1319000000000200000000001066000000010000200000009a8b11aadc95b8af03102a4392518b48ab57df0cd90128d5821b6276e6289896000000000e80000000020000200000002c81542aafe5d87f6e01cbaed37f4f2b75c938a99b1cf18c5b5eeb0d86cf493f2000000080bd4506833c033deabece2f1359cc221879fd36ef40918ca6df1c32420ce610400000004f36bfb164f9ea21167c2b63bddd63006c59e80f0630a3acc696803f04a65ab4770cf2533fea5b86371b93e78427bbfd1badd7fa7ad044a0e32dbc4b80b257c9	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F991B6A1-A5B3-11EF-8B1E-52DE62627832} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5022becfc039db01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b131900000000020000000000106600000001000020000000224f4ed7cc66333cd98384ce489d1cd389dc4b2dd718dfd4029b58511339c007000000000e80000000020000200000007d7a4b23d49cb5d0427ea39d64dd696131777db7e913ec50bc228882d925be8b90000000874e2ac03148e02115f067517714b85665476ebc4e2cfe0f1a92d5f5087c8b6ef84299366429cc787678618dc331628606d9fd995ea6c624a032fb02bb38d32b6ea49feff120355b7ab094c4f35c165b3edf643257a436784395e644cc77288f1b71ccc4ea6836be3b23ee75e460c7346d717bc4e0b39098f3f8047161fbbaeb369b31bb961d45a4634002058c88d83d40000000b54b750b34a3da219c2046e44d48c846c3d906b21c623fbba6bbcb50b5e280ea09bcc1ffb42a6d84703c208eef4243b18ecbf43c1cdf08f2ca9bbe188f3ae81c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Modifies registry class 8 IoCs

Processes:

dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exedd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\psiphon\ = "URL:psiphon"	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\psiphon\URL Protocol	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\psiphon\shell\open\command	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\psiphon\shell	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\psiphon\shell\open	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\psiphon\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\3582-490\\dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe\" -- \"%1\""	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\psiphon	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe

Suspicious use of FindShellTrayWindow 15 IoCs

Processes:

dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exeiexplore.exe

pid	process
2792	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
2792	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
2792	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
2792	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
2792	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
2792	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
2792	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
2792	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
2792	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
2792	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
2792	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
2792	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
2792	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
2792	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
1568	iexplore.exe

Suspicious use of SendNotifyMessage 14 IoCs

Processes:

dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe

pid	process
2792	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
2792	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
2792	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
2792	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
2792	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
2792	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
2792	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
2792	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
2792	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
2792	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
2792	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
2792	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
2792	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
2792	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exeiexplore.exeIEXPLORE.EXE

pid	process
2792	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
2792	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
1568	iexplore.exe
1568	iexplore.exe
1348	IEXPLORE.EXE
1348	IEXPLORE.EXE
1348	IEXPLORE.EXE
1348	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exedd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exeiexplore.exe

description	pid	process	target process
PID 2892 wrote to memory of 2792	2892	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
PID 2892 wrote to memory of 2792	2892	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
PID 2892 wrote to memory of 2792	2892	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
PID 2892 wrote to memory of 2792	2892	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
PID 2792 wrote to memory of 2632	2792	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe	psiphon-tunnel-core.exe
PID 2792 wrote to memory of 2632	2792	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe	psiphon-tunnel-core.exe
PID 2792 wrote to memory of 2632	2792	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe	psiphon-tunnel-core.exe
PID 2792 wrote to memory of 2632	2792	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe	psiphon-tunnel-core.exe
PID 2792 wrote to memory of 1568	2792	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe	iexplore.exe
PID 2792 wrote to memory of 1568	2792	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe	iexplore.exe
PID 2792 wrote to memory of 1568	2792	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe	iexplore.exe
PID 2792 wrote to memory of 1568	2792	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe	iexplore.exe
PID 1568 wrote to memory of 1348	1568	iexplore.exe	IEXPLORE.EXE
PID 1568 wrote to memory of 1348	1568	iexplore.exe	IEXPLORE.EXE
PID 1568 wrote to memory of 1348	1568	iexplore.exe	IEXPLORE.EXE
PID 1568 wrote to memory of 1348	1568	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
"C:\Users\Admin\AppData\Local\Temp\dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Users\Admin\AppData\Local\Temp\3582-490\dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Users\Admin\AppData\Local\Temp\psiphon-tunnel-core.exe
    C:\Users\Admin\AppData\Local\Temp\psiphon-tunnel-core.exe --config "C:\Users\Admin\AppData\Local\Psiphon3\psiphon.config" --serverList "C:\Users\Admin\AppData\Local\Psiphon3\server_list.dat"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2632
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://ipfounder.net/?sponsor_id=1BC527D3D09985CF&sponsor=psiphon&client_region=GB&client_asn=174&client_platform=windows&secret=580EfjEI29xL3hoyU6dgP4vSEVxdcGI7JDFkxgjds7PHulSEF0wmORpvzbqxyTwYtpowsY4xMFnfWEnTghe6l8jiV9K5QSZoir2i6fDeKJD6EhL6DkoYTEMu2EE9YJvy3LdCUZ7ncdVC6ipgWx06wznvDLbY1ajfcfRGCpfsQJei2q6tb0GSFh1QK3x3qXKwyjmNPc5J&psireason=connect&psicash=eyJtZXRhZGF0YSI6eyJjbGllbnRfcmVnaW9uIjoiR0IiLCJjbGllbnRfdmVyc2lvbiI6IjE4MyIsInByb3BhZ2F0aW9uX2NoYW5uZWxfaWQiOiI5MkFBQ0M1QkFCRTA5NDRDIiwic3BvbnNvcl9pZCI6IjFCQzUyN0QzRDA5OTg1Q0YiLCJ1c2VyX2FnZW50IjoiUHNpcGhvbi1Qc2lDYXNoLVdpbmRvd3MiLCJ2IjoxfSwidGltZXN0YW1wIjoiMjAyNC0xMS0xOFQxMzo0OTo0OC42MjZaIiwidG9rZW5zIjpudWxsLCJ2IjoxfQ
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1568
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1568 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
347103eb2d0c4cf91bf97ffe61e37003

SHA1
bc8df6d0b13cd44089dc79116ad5a9c8678595d1

SHA256
0d63b927ef8ca32457c3e08766eef7a0a2097d41fd320b50354836e9da544ffa

SHA512
f49782fa49cd4bc57dfd30ef2800c09f9daff5eded35e37c6053d46e7defddc2324b28a25f7a296d7a7b6ac63e66a7db6d84d8412137e6646aafdc26fef51f9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f876af90cec81e5d2eb51490874e23e9

SHA1
7600c48dd3497e17e4b491330811d6ba5f1f58c3

SHA256
40dd7b97e4b5abaa738c1419eec536789dc5e02d4c458e2ed5d9d7439419cd09

SHA512
a76bdbf657718aaf3726ff451f36aa1a3b29946927873f676c7e163389cc84291bd889ce59c39745f205ba3407667a9f636d572c7374748971d4456f84f212e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
5f82c1e2c178ba4246d3b2cd09a03b71

SHA1
a89792521d538bc72f89fa9f082bbc25f1905a3f

SHA256
cac0c77b1d02ae8c1a429bd5cb0bf9ff1640dcd27884f04280b5f9b15df49473

SHA512
86d60d931162c019a55a5e168dcdd92c621bed8bf278666884604ed793c0963b0bd42ca1d2d0eda77864e7c6a618c9c6667635021fe6268af8b642e9615f8b96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\melo7gx\imagestore.dat

Filesize
15KB

MD5
2fd07706e4d0c40cb64524b10e8bc4ef

SHA1
ad777755f67e4a3b419c58a66699accbd1a722c3

SHA256
88b5daec9943f56bf3068ea3d274a2be34af0033f4ef745dccf91bd50323db42

SHA512
b8a8c2b95c64d8face212b0077b8dd234baff996770468f42ce4c2b1eb341879427a1e4f866fb7c8e7606bb714fd95b9724cb5aaf3b0160b0714779a6468cf77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NT668XG4\favicon[1].ico

Filesize
14KB

MD5
f210fc0564ae5a5a2985b2848e75cba2

SHA1
29bf0540e4c291cc6c6d071ac8125cc65314fbe9

SHA256
d453748d5f8e5bb6c62791b97c733dba1d7dc3340bde957470285b2a7185b7ec

SHA512
46fac4e98cc34105d74a8a159c70d48191612f88e5ab1a7ee7276e7b2c95407d71d307509ef8b9f0aed28465688839f49b2a55da4b03f7d01b3f03c908067e8c

Download Submit
C:\Users\Admin\AppData\Local\Psiphon3\psicash\psicashdatastore.prod

Filesize
4B

MD5
5ad5cc4d26869082efd29c436b57384a

SHA1
693dad7d164d27329c43b1c1bff4b271013514f5

SHA256
c5c24f7ca1c946fa4dfd44407409c8e11ec6e41f0e1c7c45bf8381b42afb31f1

SHA512
36efc511a98e53031d52dacdd40292a46fe5eab0194a0e9512f778f88b84fac5aac1eebb6e281c44e40ef2ddc3cdea41df7f5a50e4024cd86c087ed909fe8629

Download Submit
C:\Users\Admin\AppData\Local\Psiphon3\psicash\psicashdatastore.prod.2.commit

Filesize
115B

MD5
28cdc3223daa005af47d17e317ccc564

SHA1
f89a91918bce8baefab8bc46cbc3366e77a124a9

SHA256
036fdbebe00b3ad5d47d1381eaac6182430bba4e1a08fd6f7f3b7d571463554e

SHA512
7bd32b491602218a77746c0ef792fe59b7bd6cf7acb97a32635a647456532df6a11d6e805d81fee75d0eb8da706219203cec7dc700ac07e4e292bbc707bd0807

Download Submit
C:\Users\Admin\AppData\Local\Psiphon3\psicash\psicashdatastore.prod.2.commit

Filesize
252B

MD5
2db1f8738882d0e712f5e0a13e90ac69

SHA1
8a3601e9b7c1b77115db1fab3fb01a0eaab74a4f

SHA256
3d51791dc2f50de54ee7ee9b04a171c068ee7971535e0b6c319b111aade3b52c

SHA512
9b7b8fb5d98805ea060a30aece88dd0f1571810e42c911502aab1201eb72687365daa6e899ab01a0b1408cdc9d73d984f7b84b3ae797f00743a7e9c4cc5b8c4d

Download Submit
C:\Users\Admin\AppData\Local\Psiphon3\psicash\psicashdatastore.prod.2.commit

Filesize
291B

MD5
388c8cc9fb6edc26f3fb3629a48c03d8

SHA1
2067711fb17877c44a313e711de8e2852ade3277

SHA256
9e372cc9e2efd79da3c85b673f5a9c6e11efe5d8b93a2c14422e65ea4d870ca6

SHA512
a17ae2e42290693a6c79c4afc806a1d8ec033e3b44c0f0c3a81c770d4940d28ba4c0dd33629eb55035afdc8b18cc86754b05d6509343c85c0d4b585a54254bfc

Download Submit
C:\Users\Admin\AppData\Local\Psiphon3\psicash\psicashdatastore.prod.2.commit

Filesize
1KB

MD5
16c50642b7974146321658897ddaa98f

SHA1
b41c5435afeb867e6284a35e26ca41542c7e2566

SHA256
c0504bb7042344b5446bb0cf4cd665635d6e488a41ce238b566dceeea0326860

SHA512
4be703e569d0463ddc8ac5a27b6ec365db646bcee9a9ac4d315d48841c38fbda45adc029658aff3170d52ebc3146eb4722c1020f62aea816479dea63fc0a2d12

Download Submit
C:\Users\Admin\AppData\Local\Psiphon3\psicash\psicashdatastore.prod.2.commit

Filesize
276B

MD5
61d2a9a8b9cfbd014c1a014c8509e3c6

SHA1
a8e9228aa39e44fd5bea67712c73a4ea2b0c3c5c

SHA256
57a81877bfba7fc22c5c96dfaddc06d5c37cbdbf3b4e93110c95106e511ac780

SHA512
d30c54d320e3c8d816d39794ca744f4a5b3d97bfd81a83f77b989a5d0d211c6faaf9cfa686e03f13c9954cbe8a4c6811ce3e5402a7700e78f65fc869cbe1100d

Download Submit
C:\Users\Admin\AppData\Local\Psiphon3\psicash\psicashdatastore.prod.2.commit

Filesize
594B

MD5
4eaff89f2fd8619aeab0bcfb79fa5aaf

SHA1
76e49b0d1169d48543a528cef4afe4afe5fe7079

SHA256
f7de387a84d58f4cd3203e4ef5ea9bc562fc4f758da1b65d6addbd0ef6fc7666

SHA512
8092da76e69498f8ef1900c3c40935b435d57363258c4085b6fe1de900d346757c0328cf363d1f367ddb081a27ab7fab001d9275a3723da3f135776ac48a55b2

Download Submit
C:\Users\Admin\AppData\Local\Psiphon3\psiphon.config

Filesize
17KB

MD5
626c259d4f21c12c4efafb0aef47b7d6

SHA1
332f52b7fff95b209dfee8d7279adbfeadc8b85c

SHA256
9aaf5435e81f5e9f9878064733e57e3beeeb32b5d8caaa4b0afabfe3c8cdd2ec

SHA512
f9c14d50c3c6b6032149f764fc38021abee1d010b061dea494939d3f1c7844911b2b817d845f1e0a57846e016dd748bd2feb293a2caaf4d969b5666df564368e

Download Submit
C:\Users\Admin\AppData\Local\Psiphon3\server_list.dat

Filesize
320KB

MD5
d629c4e4395d500e89c53eb9a7c4a26b

SHA1
056dbb9bd2a90aaff70ebb08556f16f0b144a7be

SHA256
af02a6ddc9c38bb071ed1d678b5a671776b9b3bd39d0d26a4c5b54d0f294a804

SHA512
be6180b193b4728ba3600d0bead6469008f5c89a11b48c8509a84a2513879450ae4d48b2ad7f166cdd4761f1e4be231258444d9cbe8e8b18276198e59b529db5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE522.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE62E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\psiphon-tunnel-core.exe

Filesize
17.8MB

MD5
960c1f54186fbb7f07d38c9865d5a2c4

SHA1
9d2b5eb822f625845b097bd92b3714bdbb3d832a

SHA256
040e4abc1988b331fea0ea208df38032d065ac65177209c5ad19b5bf082c62fa

SHA512
e0ab2243b2d7753439e50561b685f7de84d651623598cf28f160a5b37d63b1664594ad84e48db54f15395bf26c2684eeffa055381312aa469330df5397ab49a1

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe

Filesize
7.9MB

MD5
211017096c92e42d8dc2d0a6ddcac477

SHA1
474fbd4c2e2e7315edf92dd67634d53c193ba6d2

SHA256
9c289b55f00ea5fe9e5b356410dc2f2cca9cbb0a5e5c4ddc1a979deb817c9e3d

SHA512
61ad5af2a851f48de57630d689b851527421807a28130d3087a616558792e730aeec03a1c77a87988e7ac8c6a7036ab4a5e79a44cd76a559c6e4eba3060eb9aa

Download Submit
memory/2792-15-0x0000000000D50000-0x00000000024F6000-memory.dmp

Filesize
23.6MB

Download
memory/2792-112-0x0000000000D50000-0x00000000024F6000-memory.dmp

Filesize
23.6MB

Download
memory/2792-111-0x0000000000D50000-0x00000000024F6000-memory.dmp

Filesize
23.6MB

Download
memory/2792-278-0x0000000000D50000-0x00000000024F6000-memory.dmp

Filesize
23.6MB

Download
memory/2792-174-0x0000000000D50000-0x00000000024F6000-memory.dmp

Filesize
23.6MB

Download
memory/2892-94-0x0000000002910000-0x00000000040B6000-memory.dmp

Filesize
23.6MB

Download
memory/2892-277-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2892-548-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2892-550-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2892-553-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2892-110-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2892-16-0x0000000002910000-0x00000000040B6000-memory.dmp

Filesize
23.6MB

Download
memory/2892-173-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2892-14-0x0000000002910000-0x00000000040B6000-memory.dmp

Filesize
23.6MB

Download

pid	process
2792	dd8e7f680116afcccaa00c8cc896f7c88a0868f243cb336d867629ae2efc4b95N.exe
2632	psiphon-tunnel-core.exe