gh0strat | 9b165f6672e74ed5dc437040829bd602afc411ce8c948c41b6d739bf1fbfb09a

General

Target

.exe
Size

2.2MB
MD5

b01a11449dd83a10497833b23fb0887d
SHA1

8f5276ee02a5b4b23cb7e9d500dd0df71382e211
SHA256

9b165f6672e74ed5dc437040829bd602afc411ce8c948c41b6d739bf1fbfb09a
SHA512

cf3634a8253c439d54233162db10b9668f080e184e4e1b52aae60db303e89d2ca9fead16097937a871d54685592b1b58e389d481b94f6c261d5caec98223ec81
SSDEEP

24576:ZFbkIsaPiXSVnC7Yp9zkNmZG8RRlnZyz/Iila8CJn0BgtscdTtOOa9pfthIDdsRQ:ZREXSVMDi350aFJqciOa925sRtMZ

Score

10^/10

gh0strat neshta discovery persistence rat spyware stealer

Malware Config

Signatures

Detect Neshta payload 4 IoCs

Processes:

resource	yara_rule
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	family_neshta
behavioral2/memory/2756-130-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2756-131-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2756-133-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Gh0st RAT payload 1 IoCs

Processes:

resource	yara_rule
C:\Windows\SysWOW64\240618515.bat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

Processes:

look2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\svchcst\Parameters\ServiceDll = "C:\\Windows\\system32\\240618515.bat"	look2.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation .exe
Executes dropped EXE 4 IoCs

Processes:

.exelook2.exeHD_.exesvchcst.exe

pid process

1512 .exe
2732 look2.exe
4912 HD_.exe
1132 svchcst.exe
Loads dropped DLL 3 IoCs

Processes:

look2.exesvchost.exesvchcst.exe

pid process

2732 look2.exe
1060 svchost.exe
1132 svchcst.exe
Modifies system executable filetype association 2 TTPs 1 IoCs
persistence

Modify Registry
T1112

Change Default File Association
T1546.001

Processes:

.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" .exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	.exe

pid	process
1512	.exe
2732	look2.exe
4912	HD_.exe
1132	svchcst.exe

pid	process
2732	look2.exe
1060	svchost.exe
1132	svchcst.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	.exe

Drops file in System32 directory 4 IoCs

Processes:

svchost.exelook2.exe

description	ioc	process
File created	C:\Windows\SysWOW64\svchcst.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchcst.exe	svchost.exe
File created	C:\Windows\SysWOW64\240618515.bat	look2.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	look2.exe

Drops file in Program Files directory 64 IoCs

Processes:

.exe.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE	.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE	.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE	.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE	.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE	.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE	.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE	.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE	.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE	.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE	.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE	.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE	.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	.exe

Drops file in Windows directory 1 IoCs

Processes:

.exe

description ioc process

File opened for modification C:\Windows\svchost.com .exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

svchcst.exe.exe.exelook2.exesvchost.exeHD_.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	look2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_.exe

Modifies registry class 1 IoCs

Processes:

.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" .exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

.exe

pid process

1512 .exe
1512 .exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	.exe

pid	process
1512	.exe
1512	.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

HD_.exe

description	pid	process
Token: 33	4912	HD_.exe
Token: SeIncBasePriorityPrivilege	4912	HD_.exe
Token: 33	4912	HD_.exe
Token: SeIncBasePriorityPrivilege	4912	HD_.exe
Token: 33	4912	HD_.exe
Token: SeIncBasePriorityPrivilege	4912	HD_.exe
Token: 33	4912	HD_.exe
Token: SeIncBasePriorityPrivilege	4912	HD_.exe
Token: 33	4912	HD_.exe
Token: SeIncBasePriorityPrivilege	4912	HD_.exe
Token: 33	4912	HD_.exe
Token: SeIncBasePriorityPrivilege	4912	HD_.exe
Token: 33	4912	HD_.exe
Token: SeIncBasePriorityPrivilege	4912	HD_.exe
Token: 33	4912	HD_.exe
Token: SeIncBasePriorityPrivilege	4912	HD_.exe
Token: 33	4912	HD_.exe
Token: SeIncBasePriorityPrivilege	4912	HD_.exe
Token: 33	4912	HD_.exe
Token: SeIncBasePriorityPrivilege	4912	HD_.exe
Token: 33	4912	HD_.exe
Token: SeIncBasePriorityPrivilege	4912	HD_.exe
Token: 33	4912	HD_.exe
Token: SeIncBasePriorityPrivilege	4912	HD_.exe
Token: 33	4912	HD_.exe
Token: SeIncBasePriorityPrivilege	4912	HD_.exe
Token: 33	4912	HD_.exe
Token: SeIncBasePriorityPrivilege	4912	HD_.exe
Token: 33	4912	HD_.exe
Token: SeIncBasePriorityPrivilege	4912	HD_.exe
Token: 33	4912	HD_.exe
Token: SeIncBasePriorityPrivilege	4912	HD_.exe
Token: 33	4912	HD_.exe
Token: SeIncBasePriorityPrivilege	4912	HD_.exe
Token: 33	4912	HD_.exe
Token: SeIncBasePriorityPrivilege	4912	HD_.exe
Token: 33	4912	HD_.exe
Token: SeIncBasePriorityPrivilege	4912	HD_.exe
Token: 33	4912	HD_.exe
Token: SeIncBasePriorityPrivilege	4912	HD_.exe
Token: 33	4912	HD_.exe
Token: SeIncBasePriorityPrivilege	4912	HD_.exe
Token: 33	4912	HD_.exe
Token: SeIncBasePriorityPrivilege	4912	HD_.exe
Token: 33	4912	HD_.exe
Token: SeIncBasePriorityPrivilege	4912	HD_.exe
Token: 33	4912	HD_.exe
Token: SeIncBasePriorityPrivilege	4912	HD_.exe
Token: 33	4912	HD_.exe
Token: SeIncBasePriorityPrivilege	4912	HD_.exe
Token: 33	4912	HD_.exe
Token: SeIncBasePriorityPrivilege	4912	HD_.exe
Token: 33	4912	HD_.exe
Token: SeIncBasePriorityPrivilege	4912	HD_.exe
Token: 33	4912	HD_.exe
Token: SeIncBasePriorityPrivilege	4912	HD_.exe
Token: 33	4912	HD_.exe
Token: SeIncBasePriorityPrivilege	4912	HD_.exe
Token: 33	4912	HD_.exe
Token: SeIncBasePriorityPrivilege	4912	HD_.exe
Token: 33	4912	HD_.exe
Token: SeIncBasePriorityPrivilege	4912	HD_.exe
Token: 33	4912	HD_.exe
Token: SeIncBasePriorityPrivilege	4912	HD_.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

.exeHD_.exe

pid process

1512 .exe
1512 .exe
4912 HD_.exe
4912 HD_.exe

pid	process
1512	.exe
1512	.exe
4912	HD_.exe
4912	HD_.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

.exe.exesvchost.exe

description	pid	process	target process
PID 2756 wrote to memory of 1512	2756	.exe	.exe
PID 2756 wrote to memory of 1512	2756	.exe	.exe
PID 2756 wrote to memory of 1512	2756	.exe	.exe
PID 1512 wrote to memory of 2732	1512	.exe	look2.exe
PID 1512 wrote to memory of 2732	1512	.exe	look2.exe
PID 1512 wrote to memory of 2732	1512	.exe	look2.exe
PID 1512 wrote to memory of 4912	1512	.exe	HD_.exe
PID 1512 wrote to memory of 4912	1512	.exe	HD_.exe
PID 1512 wrote to memory of 4912	1512	.exe	HD_.exe
PID 1060 wrote to memory of 1132	1060	svchost.exe	svchcst.exe
PID 1060 wrote to memory of 1132	1060	svchost.exe	svchcst.exe
PID 1060 wrote to memory of 1132	1060	svchost.exe	svchcst.exe

C:\Users\Admin\AppData\Local\Temp\.exe
"C:\Users\Admin\AppData\Local\Temp\.exe"
1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Users\Admin\AppData\Local\Temp\3582-490\.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Users\Admin\AppData\Local\Temp\look2.exe
    C:\Users\Admin\AppData\Local\Temp\\look2.exe
    3⤵
    - Server Software Component: Terminal Services DLL
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:2732
- - C:\Users\Admin\AppData\Local\Temp\3582-490\HD_.exe
    C:\Users\Admin\AppData\Local\Temp\3582-490\HD_.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4912

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
PID:3404

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Windows\SysWOW64\svchcst.exe
  C:\Windows\system32\svchcst.exe "c:\windows\system32\240618515.bat",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

Filesize
86KB

MD5
3b73078a714bf61d1c19ebc3afc0e454

SHA1
9abeabd74613a2f533e2244c9ee6f967188e4e7e

SHA256
ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

SHA512
75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe

Filesize
4.5MB

MD5
073d630ea81c53f18796062b1c667152

SHA1
ff308bc904553637168648f88919c8bfc0f1037a

SHA256
d622a541c7043b2244728fad4b550969d19b9a9797571b8411843abc5cdb672c

SHA512
60d42ca073162d5d3188e500a6e798ac1934462885f796cf1c70a75c4cc396aacf6d71892595cdfdc0e1d4f8c665e0b9f1e09112cd97e42718aefa369d3618a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\.exe

Filesize
2.1MB

MD5
3e1b9039148d196063ab784e4548e798

SHA1
bb8c6ddf201aa6f3a23649fc7d206f6471f4f024

SHA256
c96306e907e6532cb82ae4d410a5ca72fd19955e28d4c209f7b2495da9925b88

SHA512
39c121a7bdb91074aac4af762cdb824d7bb78c71ac1bb4acf500293afb35e92dc49da65d91646ebbf03ae31d2428ac07409139e76bfef37c2451bc0c313af6c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\HD_.exe

Filesize
896KB

MD5
8bacad1c57463f2e403ca5656ffa129e

SHA1
7cd8041fb1bd703d31f778700813531ed43882da

SHA256
bdec97ee615088549771300bd65d6114a74dd0a4c1ecc6bb4ffc8ac484f19fac

SHA512
40a5a0cabd2561b2d32ec14e91172db6f812d0e2dcc6cfda3a2f458e0994fc387324212bd47f21acb6d05bed151a96ad444a0a5a7f7bb35ae6fd0dcd57d25d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\look2.exe

Filesize
337KB

MD5
2f3b6f16e33e28ad75f3fdaef2567807

SHA1
85e907340faf1edfc9210db85a04abd43d21b741

SHA256
86492ebf2d6f471a5ee92977318d099b3ea86175b5b7ae522237ae01d07a4857

SHA512
db17e99e2df918cfc9ccbe934adfe73f0777ce1ce9f28b57a4b24ecd821efe2e0b976a634853247b77b16627d2bb3af4ba20306059d1d25ef38ffada7da3e3a4

Download Submit
C:\Windows\SysWOW64\240618515.bat

Filesize
51KB

MD5
c3ac037ec51ccd9a87f3d5afe5d05a67

SHA1
b1f30d835f72992856597d3bfef4b595cac30162

SHA256
4f4f63931c808d8dc3f58b5396d67f9a86e6c19342c4b6557b30a8c95128d42b

SHA512
e9d3d20353a488f5a4f4df6d0207069bc8c92f6849a3ac64ef2964f8bd8ae62128c1e24c36f8475918f045e7f8cfdcad2be21004f3c44717aa554fc77ea177b6

Download Submit
C:\Windows\SysWOW64\svchcst.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
memory/2756-130-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2756-131-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2756-133-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads