neshta | b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2

Analysis

max time kernel
142s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
Size

1.2MB
MD5

8fbcc3f3038677646fb2e8838d48f14a
SHA1

ffc3b09143e7e4322c1effee531329be6d104229
SHA256

b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2
SHA512

91cf9d10d6aae9f70323cc1e136b4b6fc5e281c06af5c374cdcb2334b084f45b7abc5b1507bd08ed56bac62766d9eb39168dd409d8bb53ac9ed93ed8e1612b91
SSDEEP

24576:TJ39LyjbJkQFMhmC+6GD9JA+vSoqYAQmZoftn8ln9:THyjtk2MYC5GDfBqoqYFm098n9

Score

10^/10

neshta xred backdoor discovery macro persistence spyware stealer

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Detect Neshta payload 31 IoCs

resource	yara_rule
behavioral1/files/0x0001000000010314-13.dat	family_neshta
behavioral1/files/0x00080000000162e4-9.dat	family_neshta
behavioral1/files/0x00080000000164de-20.dat	family_neshta
behavioral1/files/0x0013000000010321-41.dat	family_neshta
behavioral1/files/0x000f00000001033a-40.dat	family_neshta
behavioral1/files/0x0008000000016399-39.dat	family_neshta
behavioral1/files/0x0001000000010312-42.dat	family_neshta
behavioral1/memory/2992-60-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/772-59-0x0000000000400000-0x0000000000531000-memory.dmp	family_neshta
behavioral1/files/0x000100000000f776-63.dat	family_neshta
behavioral1/memory/1992-121-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1056-134-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x0001000000010f95-149.dat	family_neshta
behavioral1/files/0x0001000000011906-153.dat	family_neshta
behavioral1/files/0x0002000000011080-157.dat	family_neshta
behavioral1/files/0x0001000000011b1f-160.dat	family_neshta
behavioral1/files/0x0003000000005ab6-184.dat	family_neshta
behavioral1/files/0x0004000000005725-207.dat	family_neshta
behavioral1/files/0x000b000000005986-214.dat	family_neshta
behavioral1/files/0x000d0000000056d3-213.dat	family_neshta
behavioral1/files/0x000300000000e6f5-209.dat	family_neshta
behavioral1/files/0x00050000000055df-208.dat	family_neshta
behavioral1/memory/3044-288-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2748-289-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2600-290-0x0000000000400000-0x0000000000531000-memory.dmp	family_neshta
behavioral1/memory/3044-291-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2600-293-0x0000000000400000-0x0000000000531000-memory.dmp	family_neshta
behavioral1/memory/2748-292-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2748-296-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/3044-295-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2600-328-0x0000000000400000-0x0000000000531000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x000e000000018683-237.dat

Executes dropped EXE 8 IoCs

pid	Process
772	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
2748	._cache_b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
2992	svchost.com
304	_CACHE~1.EXE
2600	Synaptics.exe
1992	._cache_Synaptics.exe
1056	svchost.com
1976	_CACHE~1.EXE

Loads dropped DLL 18 IoCs

pid	Process
3044	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
3044	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
772	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
772	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
772	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
2992	svchost.com
772	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
772	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
3044	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
2748	._cache_b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
2600	Synaptics.exe
2600	Synaptics.exe
2600	Synaptics.exe
1056	svchost.com
3044	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
2748	._cache_b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
3044	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
2748	._cache_b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\????? = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	._cache_b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~3\SYNAPT~1\SYNAPT~1.EXE	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	._cache_b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	._cache_b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	._cache_b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	._cache_b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	._cache_b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	._cache_b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	._cache_b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	._cache_b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	._cache_b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	._cache_b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	._cache_b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	._cache_b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	._cache_b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	._cache_b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~3\SYNAPT~1\SYNAPT~1.EXE	._cache_b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	._cache_b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	._cache_b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	._cache_b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	._cache_b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	._cache_b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	._cache_b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	._cache_b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	._cache_b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	._cache_b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	._cache_b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	._cache_b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	._cache_b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	._cache_b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	._cache_b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	._cache_b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	._cache_b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\Windows\svchost.com	._cache_b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	._cache_Synaptics.exe
File opened for modification	C:\Windows\svchost.com	._cache_Synaptics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_CACHE~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_CACHE~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
532	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
532	EXCEL.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 772	3044	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe	30
PID 3044 wrote to memory of 772	3044	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe	30
PID 3044 wrote to memory of 772	3044	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe	30
PID 3044 wrote to memory of 772	3044	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe	30
PID 772 wrote to memory of 2748	772	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe	31
PID 772 wrote to memory of 2748	772	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe	31
PID 772 wrote to memory of 2748	772	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe	31
PID 772 wrote to memory of 2748	772	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe	31
PID 2748 wrote to memory of 2992	2748	._cache_b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe	32
PID 2748 wrote to memory of 2992	2748	._cache_b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe	32
PID 2748 wrote to memory of 2992	2748	._cache_b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe	32
PID 2748 wrote to memory of 2992	2748	._cache_b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe	32
PID 2992 wrote to memory of 304	2992	svchost.com	33
PID 2992 wrote to memory of 304	2992	svchost.com	33
PID 2992 wrote to memory of 304	2992	svchost.com	33
PID 2992 wrote to memory of 304	2992	svchost.com	33
PID 772 wrote to memory of 2600	772	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe	34
PID 772 wrote to memory of 2600	772	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe	34
PID 772 wrote to memory of 2600	772	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe	34
PID 772 wrote to memory of 2600	772	b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe	34
PID 2600 wrote to memory of 1992	2600	Synaptics.exe	35
PID 2600 wrote to memory of 1992	2600	Synaptics.exe	35
PID 2600 wrote to memory of 1992	2600	Synaptics.exe	35
PID 2600 wrote to memory of 1992	2600	Synaptics.exe	35
PID 1992 wrote to memory of 1056	1992	._cache_Synaptics.exe	37
PID 1992 wrote to memory of 1056	1992	._cache_Synaptics.exe	37
PID 1992 wrote to memory of 1056	1992	._cache_Synaptics.exe	37
PID 1992 wrote to memory of 1056	1992	._cache_Synaptics.exe	37
PID 1056 wrote to memory of 1976	1056	svchost.com	38
PID 1056 wrote to memory of 1976	1056	svchost.com	38
PID 1056 wrote to memory of 1976	1056	svchost.com	38
PID 1056 wrote to memory of 1976	1056	svchost.com	38

C:\Users\Admin\AppData\Local\Temp\b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
"C:\Users\Admin\AppData\Local\Temp\b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Users\Admin\AppData\Local\Temp\3582-490\b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:772
- - C:\Users\Admin\AppData\Local\Temp\._cache_b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2992
    - - C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:304
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1992
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1056
      - C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1976

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

Filesize
859KB

MD5
02ee6a3424782531461fb2f10713d3c1

SHA1
b581a2c365d93ebb629e8363fd9f69afc673123f

SHA256
ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc

SHA512
6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

Filesize
186KB

MD5
58b58875a50a0d8b5e7be7d6ac685164

SHA1
1e0b89c1b2585c76e758e9141b846ed4477b0662

SHA256
2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae

SHA512
d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe

Filesize
1.1MB

MD5
566ed4f62fdc96f175afedd811fa0370

SHA1
d4b47adc40e0d5a9391d3f6f2942d1889dd2a451

SHA256
e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460

SHA512
cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe

Filesize
381KB

MD5
3ec4922dbca2d07815cf28144193ded9

SHA1
75cda36469743fbc292da2684e76a26473f04a6d

SHA256
0587fd366ea7e94b3ae500874b1c5d684b5357fcc7389682d5a13c3301a28801

SHA512
956c3a1f2689cb72600edd2e90d652b77592a8a81d319dce026e88f6c02231af06aebd57d68460eb406de00c113522173423cb1b339a41a3918f379c7dc311f7

Download Submit
C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE

Filesize
127KB

MD5
154b891ad580307b09612e413a0e65ac

SHA1
fc900c7853261253b6e9f86335ea8d8ad10c1c60

SHA256
8a3598c889dbcb1dca548a6193517ed7becb74c780003203697a2db22222a483

SHA512
39bf032033b445fc5f450abec298ea3f71cadecfeafc624f2eb1f9a1d343a272181a874b46b58bb18168f2f14d498c3b917c3392d4c724fe4e5ae749113c2ad6

Download Submit
C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE

Filesize
262KB

MD5
2d1b4a44f1f9046d9d28e7e70253b31d

SHA1
6ab152d17c2e8a169956f3a61ea13460d495d55e

SHA256
d1d73220342ff51a1514d2354654c6fcaedc9a963cb3e0a7e5b0858cfc5c5c7d

SHA512
dd8f5e343417a3e131b3362f1aecaf9ce0f8a55c9f90aa3b7e55b6ddb6c5f4e06b3e76a7f4481fa13e2f325ab2490553f6977178acf7c486c7315755c05fc7c3

Download Submit
C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE

Filesize
3.7MB

MD5
190f86b158c5af4624b30b70e4f98fa6

SHA1
6d2304a5a3b7503c3600f79d0657fa6ca2232e14

SHA256
443c2ef79c5df0b1ce3c2c180078dd423dee18f7d9decf16b3896f9cdae213f1

SHA512
e1a4bc4669f24da0608c51551ed1d62407d6466be04b4ff12228b067503ab55660f27a55d9e865571a49b8344aee49ac762e314db7f4411a5a01d73e7c15ca0b

Download Submit
C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE

Filesize
606KB

MD5
9b1c9f74ac985eab6f8e5b27441a757b

SHA1
9a2cf7d2518c5f5db405e5bd8d37bf62dcaf34f5

SHA256
2a189b995a7283b503bb5864dd9ca57976b3812a6a34aaf89a7551336c43bc24

SHA512
d72e83aeaf1d34627a6c6aa469821af8a8d464a72c764fbb064484adea509a8c1d3628e2166859286e84daae8ebdf4f800693ce203984a8c313b1f2263e101c4

Download Submit
C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE

Filesize
674KB

MD5
97510a7d9bf0811a6ea89fad85a9f3f3

SHA1
2ac0c49b66a92789be65580a38ae9798237711db

SHA256
c48abbc29405559e68cc9f8fc6d218aa317a9d0023839c7846ca509c1f563fea

SHA512
2a93e2a3bd187fdde160f87ef777ccd1d1c398d547b7c869e6b64469b9418ad04d887cdfe94af7407476377bf2d009f576de3935c025b7aefbab26fbcd8f90fb

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE

Filesize
485KB

MD5
86749cd13537a694795be5d87ef7106d

SHA1
538030845680a8be8219618daee29e368dc1e06c

SHA256
8c35dcc975a5c7c687686a3970306452476d17a89787bc5bd3bf21b9de0d36a5

SHA512
7b6ae20515fb6b13701df422cbb0844d26c8a98087b2758427781f0bf11eb9ec5da029096e42960bf99ddd3d4f817db6e29ac172039110df6ea92547d331db4c

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE

Filesize
715KB

MD5
c19656d84c609115af1f4cd9b45716be

SHA1
554522e1eafe3521e83de781e4bd04b8688f24db

SHA256
319ac5343388b78dd7edcdb2ed6a0c5080593f43bda1acbfd80cd2e390fe6fb5

SHA512
6ace4663cf43ace753599d36bf3541ea6e8913952d90719ae489f393678a51fea7ec70cddea6a6ab4c45ed146b93bfc964e3c82d6bd80b281a6955f2fb8a6167

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE

Filesize
495KB

MD5
9597098cfbc45fae685d9480d135ed13

SHA1
84401f03a7942a7e4fcd26e4414b227edd9b0f09

SHA256
45966655baaed42df92cd6d8094b4172c0e7a0320528b59cf63fca7c25d66e9c

SHA512
16afbdffe4b4b2e54b4cc96fe74e49ca367dea50752321ddf334756519812ba8ce147ef5459e421dc42e103bc3456aab1d185588cc86b35fa2315ac86b2a0164

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE

Filesize
485KB

MD5
87f15006aea3b4433e226882a56f188d

SHA1
e3ad6beb8229af62b0824151dbf546c0506d4f65

SHA256
8d0045c74270281c705009d49441167c8a51ac70b720f84ff941b39fad220919

SHA512
b01a8af6dc836044d2adc6828654fa7a187c3f7ffe2a4db4c73021be6d121f9c1c47b1643513c3f25c0e1b5123b8ce2dc78b2ca8ce638a09c2171f158762c7c1

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE

Filesize
536KB

MD5
f37059ff5298f91aa09efc2b9e9e0f82

SHA1
20e9046ad7e27cacd549a1cf3f4cee6488f1c9c9

SHA256
8c1e7b048883e735399b83cb87fdde347b22ea1a5fa2b6ca02fb08d6a242d14e

SHA512
72f7b12d5981d9541d91e540ae6d7f9ed3fbfd90a38d97a95adb4c86cf8fe218077d6ce0011be9694ee4bfe8f50ae2d6e754fa82d7de396cd767a417f3a4ac21

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe

Filesize
1.2MB

MD5
7d02f09110ad1df45ef14e7a05571d47

SHA1
07b378f5b8fc29af81e6eae984d4fd515a8a5ffb

SHA256
cc08d15b67fcc5ed8b92f3360e06e9cf229da6ecb0a887f9ae90243e3288692f

SHA512
388fe85b90b5641d8d1ac5219fc046a571dce944308ac24dd8f1580e121845d8145de42d35152124ade532ac86795e5bc7532272783b940a62058e78d0b60213

Download Submit
C:\Users\Admin\AppData\Local\Temp\QHoKO9xe.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\QHoKO9xe.xlsm

Filesize
21KB

MD5
09bbc17e1685372597bbdc6a1254b547

SHA1
f35e125a8b24e3ab5af3dd2855a476b47b0a334e

SHA256
02cdfd84e979f41d3111105e0b38d56199b96c8d5c93bb722996fef6b53c6779

SHA512
4f853b8f679409865d70e4b52df52bed1a85f01db20bed625346316b03266c10ed8e67ab6c3f7e3f694af8ad2a29dbc30535de29eda09eb484c56ca867458e58

Download Submit
C:\Users\Admin\AppData\Local\Temp\QHoKO9xe.xlsm

Filesize
22KB

MD5
893c1baad9aef1b4d536b81faa7390fb

SHA1
fe7d45c3ea273617e96b7122953a48e60209cc6e

SHA256
d2c326905e6623a790a0466dcb88bb9a2b53c3846e8fc66e6717a55a72c7ec7e

SHA512
79d4efc5616524d1c851524fb0c240b178c0e6cec54ea26a9a8c8a92bf75769d4de2b71a4a9a037e86ad4011dbc188c89a886e3680bed6deaee1a2b23b6933de

Download Submit
C:\Users\Admin\AppData\Local\Temp\QHoKO9xe.xlsm

Filesize
23KB

MD5
792fb7f7b726d715176306be49d377fd

SHA1
13a9a1efa4015db4e30e46df1777dfb43639c793

SHA256
6cfde77c85b7b197adfb32e22c7f03a48872d23760d73837887069d312761954

SHA512
af8a29abe280b15c5c884b8cc1e8c8dfee62c7e8d9ae72499613ce695d1c07b3dc56276d47f35dc1ae7476fbe134ad72c5d3a5b68435b5e7c37091daf034eb24

Download Submit
C:\Users\Admin\AppData\Local\Temp\QHoKO9xe.xlsm

Filesize
22KB

MD5
5e66b6d21e3aa4ac8ba6ff4eb0dc85e8

SHA1
06dd73c02ed531ec5e9dc54c0b18ede46e83e8d2

SHA256
b70f2b51e3c1a12b23db791bbcf3a7cfdf93ece277e161dd8b531cd1ee83b087

SHA512
e3804795d9c5ec200846b64356af163c47c323f3f365eeecd4f50d78c60be3c0bf8c6d48b45d3db02004fdce7033c22828cc608972b25026df9e70a622e4df0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\QHoKO9xe.xlsm

Filesize
24KB

MD5
3770dc0f1835767906a5254a631e5eda

SHA1
ad92dff7494d9f4d559b7decca669e056c0ad8b7

SHA256
ca1eebc643b5dfbaa4c459c0e9e502c967bea2f2f281bee697e0f4451886670b

SHA512
fa02164b79cb95ecee909ddac8e33c256ffc8e2485243177ddd4dd8b9757a6d0231a1a68e57b472e448f01c87f04a81543d2023b814ceb12877ca0e60f074c20

Download Submit
C:\Users\Admin\AppData\Local\Temp\QHoKO9xe.xlsm

Filesize
25KB

MD5
3b23a18a96284b70e7143deff621c2cc

SHA1
da2bd055c3d43d88a4a99f65b64f25174c251183

SHA256
abdabd89767de2206f6d45482936f76e94ce77d2a7674deca1e9fe4a705ab233

SHA512
4d5fb03d5468100dd0e72d55d113d9738ae00dbbb7c9ef09bcff5a52264ee18403e24e32199152589c839e66eda2cb8a48e23ab79ddccdbcc49e67255dd90f53

Download Submit
C:\Users\Admin\Desktop\~$LimitTrace.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
56abc40d1e45c091d8afddb90a4ce6b4

SHA1
08db549484467b32b79958700300cabefc659848

SHA256
a43fa861957415e3b0f25e2b54d931961cd309ff1d5354a9362852895b90b3e1

SHA512
51625c015a7c8fcf6fb51d3396aa08d2068772e3fcacaf32c409e82071af4ba1eb2ee94f36c06a98c32ba59d23bbaa6b540f7bd418a9472303cc225151daa698

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
96fa94e75dd3ade9c2201d83314bbc17

SHA1
8d0e91a6777254d68952a80c30c20997a9b2ff8d

SHA256
077c20206294b2750921cfcbbb8b0a0c22303d07412acb090f20f24e8df7438d

SHA512
92abd34d9627427c2201535394ac423823000d114639076220465c547c90e09905151e6470c76d2ae0f27f8c71f9b089c0b93584ee6910ae2ab5641fc2c2b724

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_b526d210f800d1d9a2f466224a977343d59f679eaaf16b9bcda4d5196d810de2.exe

Filesize
450KB

MD5
be8371a4c3fb5afb6bd91a44e3a54739

SHA1
5b60f0e56b16bad98c37851d98e7623e43ca7b5e

SHA256
4f603bf5e6a8d1fa2b0df6cc37fd13e55bd13029f46709c70369d669f2604324

SHA512
cfced0b29d017f929456da4b7061a84aea657838f43dd801fdc9a4c8b30c3b9a974780ea03b4de3537e8987bcac0efc87f795420f5bc6ada4425d29b5f6742be

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE

Filesize
410KB

MD5
a6d666dec7754bb7de0dc848f17ea7de

SHA1
884156c2d0aab42ccdcf9bb62b9f6b607f115838

SHA256
8abd2e44b28a87912dd7e5f2df8e306aa44b690807edc2c136a6818115252252

SHA512
f7863009ebdf92db41081dd5e9b454669f8ffd11c7eb230229f4d27153bfdb154609b04229bb9a033ffe65541fc778ed629016ccf30df728ae075ab2a08fc98f

Download Submit
memory/532-287-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/532-146-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/772-14-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/772-59-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/1056-134-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1992-121-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2600-290-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2600-293-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2600-328-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2748-289-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2748-292-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2748-296-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2992-60-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3044-288-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3044-291-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3044-295-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads