neshta | 47ab2ff6563ef11e23c616d6562686dec33d49f8ad7850469be9d454dfb4c456

Analysis

max time kernel
5s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-11-2024 21:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47ab2ff6563ef11e23c616d6562686dec33d49f8ad7850469be9d454dfb4c456N.exe
Size

8.0MB
MD5

672f20e0888c88b5b086e9f5a3060470
SHA1

02a8980c21d82accc2d46e3ce3ae2a8751760b70
SHA256

47ab2ff6563ef11e23c616d6562686dec33d49f8ad7850469be9d454dfb4c456
SHA512

d4fd81517c33d9553cd63c850347bb9ba83f9c070169b0d52b6bb6063fdf549f7fe21d5a33fc956eb04d5d0e64c7b2a32b56028094cf958677cb2f12b56dfa23
SSDEEP

98304:Cmtk2aJmtk2aVmtk2aGmtk2aVWW8iYgdTl3Z6FTwpNgV9pNYrTtRaVyjEHRrnhby:RN1cqWWEKZ8Um3qT58ndrIaC2wak9

Score

10^/10

neshta xred backdoor discovery persistence spyware upx

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 10 IoCs

pid	Process
2328	47ab2ff6563ef11e23c616d6562686dec33d49f8ad7850469be9d454dfb4c456N.exe
2748	._cache_47ab2ff6563ef11e23c616d6562686dec33d49f8ad7850469be9d454dfb4c456N.exe
2900	svchost.com
2072	_CACHE~1.EXE
828	._cache__CACHE~1.EXE
2168	svchost.com
1808	_CACHE~2.EXE
2784	._cache__CACHE~2.EXE
2676	Synaptics.exe
1740	svchost.com

Loads dropped DLL 20 IoCs

pid	Process
1736	47ab2ff6563ef11e23c616d6562686dec33d49f8ad7850469be9d454dfb4c456N.exe
1736	47ab2ff6563ef11e23c616d6562686dec33d49f8ad7850469be9d454dfb4c456N.exe
2328	47ab2ff6563ef11e23c616d6562686dec33d49f8ad7850469be9d454dfb4c456N.exe
2328	47ab2ff6563ef11e23c616d6562686dec33d49f8ad7850469be9d454dfb4c456N.exe
2328	47ab2ff6563ef11e23c616d6562686dec33d49f8ad7850469be9d454dfb4c456N.exe
2900	svchost.com
2900	svchost.com
2072	_CACHE~1.EXE
2072	_CACHE~1.EXE
2072	_CACHE~1.EXE
2168	svchost.com
2168	svchost.com
1808	_CACHE~2.EXE
1808	_CACHE~2.EXE
1808	_CACHE~2.EXE
2328	47ab2ff6563ef11e23c616d6562686dec33d49f8ad7850469be9d454dfb4c456N.exe
2328	47ab2ff6563ef11e23c616d6562686dec33d49f8ad7850469be9d454dfb4c456N.exe
2676	Synaptics.exe
2676	Synaptics.exe
2676	Synaptics.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	47ab2ff6563ef11e23c616d6562686dec33d49f8ad7850469be9d454dfb4c456N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	47ab2ff6563ef11e23c616d6562686dec33d49f8ad7850469be9d454dfb4c456N.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2364-298-0x00000000002D0000-0x000000000088B000-memory.dmp	upx
behavioral1/memory/2876-401-0x00000000002D0000-0x000000000088B000-memory.dmp	upx
behavioral1/memory/1776-511-0x00000000002D0000-0x000000000088B000-memory.dmp	upx
behavioral1/memory/2364-528-0x00000000002D0000-0x000000000088B000-memory.dmp	upx
behavioral1/memory/2840-553-0x00000000002D0000-0x000000000088B000-memory.dmp	upx
behavioral1/memory/2876-595-0x00000000002D0000-0x000000000088B000-memory.dmp	upx
behavioral1/memory/1776-612-0x00000000002D0000-0x000000000088B000-memory.dmp	upx
behavioral1/memory/2840-623-0x00000000002D0000-0x000000000088B000-memory.dmp	upx

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	._cache_47ab2ff6563ef11e23c616d6562686dec33d49f8ad7850469be9d454dfb4c456N.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~2.EXE
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~2.EXE
File opened for modification	C:\Windows\svchost.com	47ab2ff6563ef11e23c616d6562686dec33d49f8ad7850469be9d454dfb4c456N.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_47ab2ff6563ef11e23c616d6562686dec33d49f8ad7850469be9d454dfb4c456N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_CACHE~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache__CACHE~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	47ab2ff6563ef11e23c616d6562686dec33d49f8ad7850469be9d454dfb4c456N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	47ab2ff6563ef11e23c616d6562686dec33d49f8ad7850469be9d454dfb4c456N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_CACHE~2.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache__CACHE~2.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	47ab2ff6563ef11e23c616d6562686dec33d49f8ad7850469be9d454dfb4c456N.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2328	1736	47ab2ff6563ef11e23c616d6562686dec33d49f8ad7850469be9d454dfb4c456N.exe	30
PID 1736 wrote to memory of 2328	1736	47ab2ff6563ef11e23c616d6562686dec33d49f8ad7850469be9d454dfb4c456N.exe	30
PID 1736 wrote to memory of 2328	1736	47ab2ff6563ef11e23c616d6562686dec33d49f8ad7850469be9d454dfb4c456N.exe	30
PID 1736 wrote to memory of 2328	1736	47ab2ff6563ef11e23c616d6562686dec33d49f8ad7850469be9d454dfb4c456N.exe	30
PID 2328 wrote to memory of 2748	2328	47ab2ff6563ef11e23c616d6562686dec33d49f8ad7850469be9d454dfb4c456N.exe	31
PID 2328 wrote to memory of 2748	2328	47ab2ff6563ef11e23c616d6562686dec33d49f8ad7850469be9d454dfb4c456N.exe	31
PID 2328 wrote to memory of 2748	2328	47ab2ff6563ef11e23c616d6562686dec33d49f8ad7850469be9d454dfb4c456N.exe	31
PID 2328 wrote to memory of 2748	2328	47ab2ff6563ef11e23c616d6562686dec33d49f8ad7850469be9d454dfb4c456N.exe	31
PID 2748 wrote to memory of 2900	2748	._cache_47ab2ff6563ef11e23c616d6562686dec33d49f8ad7850469be9d454dfb4c456N.exe	32
PID 2748 wrote to memory of 2900	2748	._cache_47ab2ff6563ef11e23c616d6562686dec33d49f8ad7850469be9d454dfb4c456N.exe	32
PID 2748 wrote to memory of 2900	2748	._cache_47ab2ff6563ef11e23c616d6562686dec33d49f8ad7850469be9d454dfb4c456N.exe	32
PID 2748 wrote to memory of 2900	2748	._cache_47ab2ff6563ef11e23c616d6562686dec33d49f8ad7850469be9d454dfb4c456N.exe	32
PID 2900 wrote to memory of 2072	2900	svchost.com	33
PID 2900 wrote to memory of 2072	2900	svchost.com	33
PID 2900 wrote to memory of 2072	2900	svchost.com	33
PID 2900 wrote to memory of 2072	2900	svchost.com	33
PID 2072 wrote to memory of 828	2072	_CACHE~1.EXE	65
PID 2072 wrote to memory of 828	2072	_CACHE~1.EXE	65
PID 2072 wrote to memory of 828	2072	_CACHE~1.EXE	65
PID 2072 wrote to memory of 828	2072	_CACHE~1.EXE	65
PID 828 wrote to memory of 2168	828	._cache__CACHE~1.EXE	35
PID 828 wrote to memory of 2168	828	._cache__CACHE~1.EXE	35
PID 828 wrote to memory of 2168	828	._cache__CACHE~1.EXE	35
PID 828 wrote to memory of 2168	828	._cache__CACHE~1.EXE	35
PID 2168 wrote to memory of 1808	2168	svchost.com	64
PID 2168 wrote to memory of 1808	2168	svchost.com	64
PID 2168 wrote to memory of 1808	2168	svchost.com	64
PID 2168 wrote to memory of 1808	2168	svchost.com	64
PID 1808 wrote to memory of 2784	1808	_CACHE~2.EXE	37
PID 1808 wrote to memory of 2784	1808	_CACHE~2.EXE	37
PID 1808 wrote to memory of 2784	1808	_CACHE~2.EXE	37
PID 1808 wrote to memory of 2784	1808	_CACHE~2.EXE	37
PID 2784 wrote to memory of 1740	2784	._cache__CACHE~2.EXE	38
PID 2784 wrote to memory of 1740	2784	._cache__CACHE~2.EXE	38
PID 2784 wrote to memory of 1740	2784	._cache__CACHE~2.EXE	38
PID 2784 wrote to memory of 1740	2784	._cache__CACHE~2.EXE	38
PID 2328 wrote to memory of 2676	2328	47ab2ff6563ef11e23c616d6562686dec33d49f8ad7850469be9d454dfb4c456N.exe	39
PID 2328 wrote to memory of 2676	2328	47ab2ff6563ef11e23c616d6562686dec33d49f8ad7850469be9d454dfb4c456N.exe	39
PID 2328 wrote to memory of 2676	2328	47ab2ff6563ef11e23c616d6562686dec33d49f8ad7850469be9d454dfb4c456N.exe	39
PID 2328 wrote to memory of 2676	2328	47ab2ff6563ef11e23c616d6562686dec33d49f8ad7850469be9d454dfb4c456N.exe	39
PID 2676 wrote to memory of 2000	2676	Synaptics.exe	40
PID 2676 wrote to memory of 2000	2676	Synaptics.exe	40
PID 2676 wrote to memory of 2000	2676	Synaptics.exe	40
PID 2676 wrote to memory of 2000	2676	Synaptics.exe	40

C:\Users\Admin\AppData\Local\Temp\47ab2ff6563ef11e23c616d6562686dec33d49f8ad7850469be9d454dfb4c456N.exe
"C:\Users\Admin\AppData\Local\Temp\47ab2ff6563ef11e23c616d6562686dec33d49f8ad7850469be9d454dfb4c456N.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\Local\Temp\3582-490\47ab2ff6563ef11e23c616d6562686dec33d49f8ad7850469be9d454dfb4c456N.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\47ab2ff6563ef11e23c616d6562686dec33d49f8ad7850469be9d454dfb4c456N.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Users\Admin\AppData\Local\Temp\._cache_47ab2ff6563ef11e23c616d6562686dec33d49f8ad7850469be9d454dfb4c456N.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_47ab2ff6563ef11e23c616d6562686dec33d49f8ad7850469be9d454dfb4c456N.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2900
    - - C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2072
      - C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:828
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
        9⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE"
        10⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
        11⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE"
        12⤵
        
        PID:1692
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
        13⤵
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        14⤵
        
        PID:2364
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      PID:2000
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate
        5⤵
        
        PID:1276
      - C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate
        6⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE" InjUpdate
        7⤵
        
        PID:2056
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
        8⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
        9⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\._cache__C578E~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__C578E~1.EXE" InjUpdate
        10⤵
        
        PID:1628
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        11⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        12⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
        13⤵
        
        PID:2304
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate
        14⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate
        15⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate
        16⤵
        
        PID:668
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
        17⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
        18⤵
        
        PID:2876
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        16⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        17⤵
        
        PID:1524
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        13⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        14⤵
        
        PID:2272
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate
        15⤵
        
        PID:2288
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        10⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        11⤵
        
        PID:1808
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_Synaptics.exe" InjUpdate
        12⤵
        
        PID:2868
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        7⤵
        
        PID:2684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SYNAPT~1.EXE" InjUpdate
        8⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SYNAPT~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SYNAPT~1.EXE InjUpdate
        9⤵
        
        PID:1960
        
        C:\ProgramData\Synaptics\._cache_SYNAPT~1.EXE
        
        "C:\ProgramData\Synaptics\._cache_SYNAPT~1.EXE" InjUpdate
        10⤵
        
        PID:2672
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        11⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        12⤵
        
        PID:300
        
        C:\ProgramData\Synaptics\._cache__CACHE~2.EXE
        
        "C:\ProgramData\Synaptics\._cache__CACHE~2.EXE" InjUpdate
        13⤵
        
        PID:2824
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate
        14⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate
        15⤵
        
        PID:788
        
        C:\ProgramData\Synaptics\._cache__CACHE~3.EXE
        
        "C:\ProgramData\Synaptics\._cache__CACHE~3.EXE" InjUpdate
        16⤵
        
        PID:1248
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
        17⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
        18⤵
        
        PID:1776
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        13⤵
        
        PID:1764
        
        C:\ProgramData\Synaptics\._cache_Synaptics.exe
        
        "C:\ProgramData\Synaptics\._cache_Synaptics.exe" InjUpdate
        14⤵
        
        PID:2280
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        10⤵
        
        PID:828
        
        C:\ProgramData\Synaptics\._cache_Synaptics.exe
        
        "C:\ProgramData\Synaptics\._cache_Synaptics.exe" InjUpdate
        11⤵
        
        PID:1644
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate
        12⤵
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate
        13⤵
        
        PID:1916
        
        C:\ProgramData\Synaptics\._cache__CACHE~4.EXE
        
        "C:\ProgramData\Synaptics\._cache__CACHE~4.EXE" InjUpdate
        14⤵
        
        PID:2296
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate
        15⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate
        16⤵
        
        PID:1120
        
        C:\ProgramData\Synaptics\._cache__C578E~1.EXE
        
        "C:\ProgramData\Synaptics\._cache__C578E~1.EXE" InjUpdate
        17⤵
        
        PID:1700
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        18⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        19⤵
        
        PID:1864
        
        C:\ProgramData\Synaptics\._cache__CACHE~2.EXE
        
        "C:\ProgramData\Synaptics\._cache__CACHE~2.EXE" InjUpdate
        20⤵
        
        PID:2496
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate
        21⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate
        22⤵
        
        PID:1640
        
        C:\ProgramData\Synaptics\._cache__CACHE~3.EXE
        
        "C:\ProgramData\Synaptics\._cache__CACHE~3.EXE" InjUpdate
        23⤵
        
        PID:2616
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
        24⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
        25⤵
        
        PID:2840

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
PID:1508

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
PID:1504

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
PID:448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

Filesize
859KB

MD5
754309b7b83050a50768236ee966224f

SHA1
10ed7efc2e594417ddeb00a42deb8fd9f804ed53

SHA256
acd32dd903e5464b0ecd153fb3f71da520d2e59a63d4c355d9c1874c919d04e6

SHA512
e5aaddf62c08c8fcc1ae3f29df220c5c730a2efa96dd18685ee19f5a9d66c4735bb4416c4828033661990604669ed345415ef2dc096ec75e1ab378dd804b1614

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
ad98b20199243808cde0b5f0fd14b98f

SHA1
f95ce4c4c1bb507da8ed379503b7f597ee2016cd

SHA256
214f478e94658fa2bd7f0bc17022831baee707756798addb41d9c5bee050e70b

SHA512
ee1251c62530b3027e2cd5669533c633577ffbcf854e137a551148fc0de3ee6cc34253a0bdefdbd4843929843b0790f1de893aa6fbae1c969f057b9f8486afef

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

Filesize
186KB

MD5
248a8df8e662dfca1db4f7160e1a972b

SHA1
dca22df5bca069f90d84d59988abe73a24704304

SHA256
6c7abeebd50487ca33315f5e507c9a5346e6e7a4b732103b35b8006ed58d7bb2

SHA512
0042e806d50c938fb1f08506327c87cd99e4f5f9520636b20695d94a696bb8b3f500f6d9507cb46fdba27c60cc0cb9e3c1e7c35dcfb7fcf4dadac3270e654f75

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe

Filesize
1.1MB

MD5
dc6114cf663ccdb1e55d37e6501c54cc

SHA1
8007df78476f6e723ddcb3ad6d515e558dcb97c9

SHA256
d566164c874ef66149b493e3220616cdb9090a8cebb4a1325c48c705aea5c348

SHA512
677464e6dab367f9158655533cade6e1ec4b39c4e64b05395e72e4099ca7f8fa82b8e49846932956da5fef760cc109a348e1c599d986166998e4d2623022a28c

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe

Filesize
381KB

MD5
2352318f01171370a31048e3ef80a4a9

SHA1
aeca009b93c80a3a51eaefa035b09f8a5aa6d252

SHA256
88b241c269c0b657ed4a2b09b0835f15f4dee77d0bb8fec3240bb14d93ba0b62

SHA512
7783abcc2a0e448ea476c53d70b8d04f4c90c3b30b72a1b89310fb6f9f05efcc7e511276cc045c3e3f476e932874c3aef30366872b408fa257561aba2d907b3b

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe

Filesize
137KB

MD5
1bd32548884b3c856e40b1c4b2c7c1be

SHA1
71a8934e6a93720734c5da3e573781804790916c

SHA256
e7c3ef83d115a98ef4387fce71db23af764c53fcfa97f3db80f7b5442f7e4291

SHA512
120c93b076e50bfc1ef7ac007d742c8d211d23db31444ae7d68ed25ca371e26830a6f5080c3bc40f1b1039e5ba05cdb715c213b07b4d41653cb6a48368101532

Download Submit
C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE

Filesize
100KB

MD5
1eb833dedf61e4c0d4d36fe1f4c4f9e6

SHA1
e530e69694513cf6ef33c7b3f5d11b2e4d8d21c9

SHA256
b88c6d6e0a64d510512dbddc966fd8d90cf72501a14a726d1e69a817b1546fac

SHA512
8ab8ab0530c07ec53049829428de83651f2fa422c59c494075a74ed59ded02281bb10968622e1f7f97a3e0cab447eb8451e70e3830dfdbfb8d07a6409c849450

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE

Filesize
130KB

MD5
ef407e57ff5f479834048ed0689a9005

SHA1
84345aa2990f760a74ca346504f3a110d61be769

SHA256
017353dbaabb5e4f3205573df2e89dd652c9f63e38074c5fa21704c48b15918f

SHA512
56bcc330e5f0411cc907ec0b910405e55be750b02093ce202a9365d77a5578e01ed75c8f156db0c4d8877d8bba5f3b26bf675dc9aad6c33523ef896fd98b3147

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE

Filesize
2.4MB

MD5
a4976519439254ea7f40d9c8aaf3b42e

SHA1
f42b2f977c2498a9705bfc337d90fd79495d79fc

SHA256
b0395474d847b8729864e79346792aba77996fb847fc8a146d609fd2a8500cfb

SHA512
2385470d6fd19a170c89eff3a2462ff0960724e6716bd7e432cee56cd811c306775cbfa7b118de5d41779f59663469320a0b8c07267be807280d3a050ea735ad

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE

Filesize
571KB

MD5
21a653f5da8c7b13d9a41277a03613d6

SHA1
b30699a9745f64328ff6cb0541244d5dff6c6e9a

SHA256
2b35f2e39759607412dfe4f5d934d0caf69eb96a39c3601ffc86e74bc726b1d6

SHA512
b38cbaae8eb5a2c944f144461424be3f57a42403ff83e2ade7522302e6d0c6cb1896ce2a1b8b40fd1d7c48128ad64a1fe689f7feae8e48643b80b23fffde8ee8

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE

Filesize
157KB

MD5
b850765b8c14581ce7f530af5f2fbd51

SHA1
880e465cdefe80f5ca4000b58a3b10cd5b37cd0c

SHA256
5d581c2884941148c835ca3ebe16c7389b8d2428904d3c506acff241bfab377b

SHA512
5eda1bb561fa4b024e82f471588102bb802435b937ff76f7ef5f5f3b3b8b623c88c32bfeb1b1c2acfeb907b97627ab0310be62be5e33253e826e86f5da0edd42

Download Submit
C:\ProgramData\Synaptics\RCX196.tmp

Filesize
1.1MB

MD5
8637c10cd4c0d9fd2e12bae1fa414744

SHA1
ca4cf0db8b5583a62c716b58a09fc03bdd048b46

SHA256
ee9aa3d4c0924658245ff692c959e727095e7b6d240723e95d487fd35e7dc465

SHA512
8ff8ff32154783e91d4311c44aeb31cc3b991edd311f41575d606bc41aaaacfbcbe3c79f41e15b1ef4c43a06989cbc52500406984a9c45217527202c03109129

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
5.8MB

MD5
1576704e399b587ffd5d1564e7178ff8

SHA1
a60baa1bc8f2daf499665a6355ba6808635b493c

SHA256
38037a62d0c46dfbaca23759b5433c5e8dbe9cb7ad47e5963d94a5643dc7c52b

SHA512
a7ecd2a0f2bad64ff7e5729082a2abf55c30d17f6d5af808dfa87cc7cf82999ec028fe97bca45d65ae875b34bae9fc7f3d569414b1ec46d19865f33dde197dfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_47ab2ff6563ef11e23c616d6562686dec33d49f8ad7850469be9d454dfb4c456N.exe

Filesize
6.8MB

MD5
bbe1b46695dbc8b5bb99969c8d915d8a

SHA1
30b38d6d1ab7c9fda36d23f6d0bcb668dde1b254

SHA256
f856d73b9078a6a18d9c50f55b16dfcef5bb278424a4c8f72a7b67913eeefcf7

SHA512
993edc8dbb70d1a8a71dadbc82ad94b22b708219130c53538cddaebbc10d1c3f85f598ee399213ba60dec692c652e9f5af569c8d8402ef80d924a839d533c1bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE

Filesize
5.7MB

MD5
acfeda55223b058a95094e4047d3b5f9

SHA1
4758a8a86ae2ee6bd0d56a9254b36271566aadf1

SHA256
a22463029d4c18618922556ce2ad23f9a61795290613c98d49de9a0db768ba0b

SHA512
3f33580f48cc5730199cf212e2927b148f00d297ce5f214998033160659bd33150928aceadf5a62eef32e2cb4cf34d8eab0c87ecc2b33fe42c8bc65f863c9654

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

Filesize
4.6MB

MD5
54ec840ae8ecb0c3abc96bc50cf886a1

SHA1
e90ae1c7886db62318af734c5911c6ba5eb0fdfa

SHA256
852c217c413da3c3315794d70fcc1e1425249dddc234ef2edfc5c3c71911cac0

SHA512
9ef7dc6b110180b1a76ad48ecb0a4c788e9a208e4997524f0d1bd682cf043a94d996cd0546096ec01750385b08e0445349cf4a265e126f04d68e5b74d1e692f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE

Filesize
6.8MB

MD5
e40995354682a246840f3fd61e329608

SHA1
daa2a1c48fda9688e5c4f8b9ca9289cbfc587afa

SHA256
489282f083bb6bf1fa87e0b92b810bd68509ee560517161eae4566740fcfcfaf

SHA512
f8327e2d8ef841fed3320092cd79a896b7e593d36875e285dfcf501e37a8ad8522b19b4384bc35eef39f208cbb8cf8e6731b8a381294f9738b5e6bf601585d9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

Filesize
5.7MB

MD5
96a70eb42fa76634bd69c9f0f82b25c7

SHA1
c6e6b091e64bb8c98d378730af947460baefc97e

SHA256
e79d0c82d37bf9f1b1753d9ce2357550aea1e324fa6333ff11e739f2b9ce5d7d

SHA512
bb64848def728f6e9da0addd5e7b824523fcbbefff77303e648f85e610e70bca4352efb691087f706d562edaa1e877a45c3623eb87950ecdba64704b2a63eede

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE

Filesize
4.5MB

MD5
79c559f6641ce4d482beaa9d9f4751bd

SHA1
cd5e7c32eb235ca8123048036cd564459a3a8c0e

SHA256
43e0e627cf0e99635119a27b2eede952636970775eab3d62d9b29cbb1cf83af6

SHA512
bf909d29652bc52f81a310cca45a2778d067af8a815f860b158a6404bad4e945cc3265516f9265e0be39c48d54442e8df724ede0ebaa0d99509159e5d7b3c003

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2411242101179452876.dll

Filesize
5.2MB

MD5
979c350a591b0be4cc8def3fb1ac84b4

SHA1
398a17f8c20e5562e4a639df77fe26342a29e87f

SHA256
8cda9e98bc8de227311316d3128d55813b85ebb47d31b9eb628a0831ce8c7a08

SHA512
eee2470bcbec5716eb15068dce5b027e09898468c30e5c78ce0e92ea3ad9b04ef5421e1ee8d33d9d52221e286d802ac9495b22b577e85cdfdb20c8e414aed0ba

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
b42f2603883dadf133cee3ae5d767bb2

SHA1
dc4161551044405353e870b029afff27c8030e22

SHA256
998e1546bc98d29ffccb70e81ed00a01f3dbd3015e947d1aabca4cb01775ce28

SHA512
a4c33c9b87f84b4aba84ecf8b0b2d8a90703ef8523f1d057824196e584451072ab5bbc96e0c95a319baaffd16ba7a26f940fec2e28e9228e1275c87fb061c02d

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
8e4bd9619c227ef2bc20a2cb2aa55e7b

SHA1
a6214b7678b83c4db74b210625b4812300df3a74

SHA256
84ba3f2b07e112efaff6ee034b84db960521db9e504a4ac77a5e8e5e988d86d9

SHA512
12a6a559b89441983e9aab70f0ea17dc790bc48c7938dd573c888e33811db8fb210539ebebaa6c8f5c04971d72d037be6603de15ea3a1ffc0f5ea3dd5132b4bf

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
56abc40d1e45c091d8afddb90a4ce6b4

SHA1
08db549484467b32b79958700300cabefc659848

SHA256
a43fa861957415e3b0f25e2b54d931961cd309ff1d5354a9362852895b90b3e1

SHA512
51625c015a7c8fcf6fb51d3396aa08d2068772e3fcacaf32c409e82071af4ba1eb2ee94f36c06a98c32ba59d23bbaa6b540f7bd418a9472303cc225151daa698

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
4e125c05c3c52106512082f82aac0717

SHA1
8505fb21e0058418415b73921e4d5d872c4485e1

SHA256
d450a68cb3fc838b7658dc7d0c0ebe239a29285410b1af7b76497779d23f27c2

SHA512
3d6caa724b358829dca51623e9cbf6cca72512e19d027b0f72296fa20ffa47f31f24d72b45cb5d5fb767756a5a5469bae66dbca94d97f1e33ca134d1f080323a

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
043c42847e0ef63834b6a11438ffbe47

SHA1
e9c3668f9f3120846d734ecc267eb1506c1bfad6

SHA256
b05c3f4f45330685414a7c36e192ff16060e4bdccdadf09ed1eccc3ab249a0b8

SHA512
e9e572a557eb3b97941c3090af8c093afa9ef89afb342454c64e675f8094278d8f0f9872504127e5cb6782567a8d63cd5ecbbc309e9e29574011d9c894d85fae

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
6b3bfceb3942a9508a2148acbee89007

SHA1
3622ac7466cc40f50515eb6fcdc15d1f34ad3be3

SHA256
e0a7bae2a9ac263cff5d725922e40272d8854278d901233a93a5267859c00a3c

SHA512
fa222bfcade636824af32124b45450c92b1abec7a33e6e647a9248eef5371c127d22ccb7cc5a096b4d5d52e2457f3841293a1b34304e8e5523549856ac02f224

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
c958892f56d8622631a8816ad56c5aff

SHA1
711a393a350dc3714c392b3508b7e4f00d0d6579

SHA256
c9b749b84cb69a49505a20005d0763ea651cf839b51f24f46650cfb16ceaa420

SHA512
bf083d1ad37047b68cbd370afe27987cb61f2876527a174b82e2837aeac70012af4b9f6cc49f5b6515fd582c45d87c9e54793d18fa114e396320b6e8582407f1

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE

Filesize
569KB

MD5
7fc6761ca71bceb933fcfe06864aac5e

SHA1
40b2c8e82eec845ef471ae1f23bf5896cf0c1c9e

SHA256
b4d5b800b790653e9871caaac9cbca146fd45f3970fb3e87ded38cfe77c0f935

SHA512
a4564d46809f834c18ba2ca60d44eb78b4c76666346ae980e601343a9c026f5146ce55defb70feee88a85da9c7c067bce7e21e1e525392da3bd1f3ef6d38d350

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe

Filesize
373KB

MD5
19feeebcfb818724752cc00ce9d2bd1b

SHA1
56d62cba9ffc38997c7cb637f0f365d899ba8f27

SHA256
abcd71656c9b90220c118e6fb8e334d78e5f2ea0f02ddf64bd3f9d8f503539f0

SHA512
cb23aca213be3da84ca0a5e254f750c60fa9b16a10e8b94f659aecbd837afad945671c525d55d476ac1c9be9df0628c6b9b78c85fe61e06185d6e5b81de85898

Download Submit
\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE

Filesize
229KB

MD5
f6e2c0c8eb37785a56a9c3b9f1dcf717

SHA1
b7047852a0997d98e9f875ca28e1988605ea2443

SHA256
63f19301acf5354d639bc20c8b60f95780404c0e1a7010ddbf7d6ad1b3dd5985

SHA512
bb3c421231d1f8e4b6b784ef170ef1a804bd692fe7a3ef07f4810c4fa876049b6f66d4aaf7235e16b39e887e48480e907a97a46fad7e0a371101729e9ce4c1fc

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\47ab2ff6563ef11e23c616d6562686dec33d49f8ad7850469be9d454dfb4c456N.exe

Filesize
7.9MB

MD5
31157ebbf68507996bc2e48aa53f3184

SHA1
45ce9ca220a59d9ff7b0b7b6a2bcfe30e2881616

SHA256
55ea7ef8eccce1011d6f7e62527525028294a29bbdd561d96aa6adf80ddf1a12

SHA512
39001566173c67f3958a428eb9aa33024096176af9059643339263d01613e6ba2d463ec5cad6ddfc6a6bcbc710828f550fde1a48d9f9d744935a7c1366bf66e7

Download Submit
memory/300-459-0x0000000000400000-0x00000000009B1000-memory.dmp

Filesize
5.7MB

Download
memory/448-355-0x0000000000400000-0x0000000000890000-memory.dmp

Filesize
4.6MB

Download
memory/556-530-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/668-393-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/828-389-0x0000000000400000-0x00000000009B1000-memory.dmp

Filesize
5.7MB

Download
memory/828-79-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1248-507-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1276-228-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1368-247-0x0000000000400000-0x0000000000890000-memory.dmp

Filesize
4.6MB

Download
memory/1488-495-0x0000000000400000-0x0000000000890000-memory.dmp

Filesize
4.6MB

Download
memory/1508-206-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1524-476-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1628-335-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1640-418-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1644-420-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1692-277-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1700-520-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1728-390-0x0000000000400000-0x00000000009B1000-memory.dmp

Filesize
5.7MB

Download
memory/1736-529-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1736-371-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1736-187-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1740-189-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1740-205-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1764-494-0x0000000000400000-0x0000000000890000-memory.dmp

Filesize
4.6MB

Download
memory/1776-511-0x00000000002D0000-0x000000000088B000-memory.dmp

Filesize
5.7MB

Download
memory/1776-612-0x00000000002D0000-0x000000000088B000-memory.dmp

Filesize
5.7MB

Download
memory/1808-450-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1808-98-0x0000000000400000-0x00000000009B1000-memory.dmp

Filesize
5.7MB

Download
memory/1960-373-0x0000000000400000-0x0000000000AD1000-memory.dmp

Filesize
6.8MB

Download
memory/2000-193-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2000-204-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2004-481-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2056-294-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2064-370-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2072-65-0x0000000000400000-0x0000000000AD1000-memory.dmp

Filesize
6.8MB

Download
memory/2116-468-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2168-86-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2212-400-0x0000000001E10000-0x00000000023CB000-memory.dmp

Filesize
5.7MB

Download
memory/2212-526-0x0000000001E10000-0x00000000023CB000-memory.dmp

Filesize
5.7MB

Download
memory/2220-506-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2272-422-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2280-478-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2288-448-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2296-483-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2304-356-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2328-110-0x0000000000400000-0x0000000000BF2000-memory.dmp

Filesize
7.9MB

Download
memory/2328-13-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2364-528-0x00000000002D0000-0x000000000088B000-memory.dmp

Filesize
5.7MB

Download
memory/2364-298-0x00000000002D0000-0x000000000088B000-memory.dmp

Filesize
5.7MB

Download
memory/2484-287-0x0000000000400000-0x0000000000AD1000-memory.dmp

Filesize
6.8MB

Download
memory/2532-297-0x0000000001D50000-0x000000000230B000-memory.dmp

Filesize
5.7MB

Download
memory/2532-415-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2568-344-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2572-348-0x0000000000400000-0x00000000009B1000-memory.dmp

Filesize
5.7MB

Download
memory/2592-383-0x0000000000400000-0x00000000009B1000-memory.dmp

Filesize
5.7MB

Download
memory/2640-434-0x0000000000400000-0x0000000000890000-memory.dmp

Filesize
4.6MB

Download
memory/2672-380-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2676-192-0x0000000000400000-0x0000000000BF2000-memory.dmp

Filesize
7.9MB

Download
memory/2676-246-0x0000000000400000-0x0000000000BF2000-memory.dmp

Filesize
7.9MB

Download
memory/2684-309-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2716-315-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2728-312-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2732-560-0x0000000001D50000-0x000000000230B000-memory.dmp

Filesize
5.7MB

Download
memory/2732-510-0x0000000001D50000-0x000000000230B000-memory.dmp

Filesize
5.7MB

Download
memory/2748-188-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2748-403-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2784-102-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2824-460-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2840-553-0x00000000002D0000-0x000000000088B000-memory.dmp

Filesize
5.7MB

Download
memory/2840-623-0x00000000002D0000-0x000000000088B000-memory.dmp

Filesize
5.7MB

Download
memory/2868-456-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2876-401-0x00000000002D0000-0x000000000088B000-memory.dmp

Filesize
5.7MB

Download
memory/2876-595-0x00000000002D0000-0x000000000088B000-memory.dmp

Filesize
5.7MB

Download
memory/2900-55-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2908-552-0x0000000001DD0000-0x000000000238B000-memory.dmp

Filesize
5.7MB

Download
memory/2908-573-0x0000000001DD0000-0x000000000238B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads