neshta | fa04330d160ca5c7c72acbd25728e57bdfc434ca4e3b543b73542e3ea8ddd604

Analysis

max time kernel
93s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2024 10:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a16a1326190655f327850b89d59080d9_JaffaCakes118.exe
Size

324KB
MD5

a16a1326190655f327850b89d59080d9
SHA1

d47bc9d82053e69cd125b6209d206230ed4a4e4c
SHA256

fa04330d160ca5c7c72acbd25728e57bdfc434ca4e3b543b73542e3ea8ddd604
SHA512

77c17a2ccb8507dd12f04c77174437dd83b6de5e5408c9ded2bbdfd1b1317a03c2b8211bceff7e234d9113753b2442c050ed59b924727c293dbfc2e6ecfc543a
SSDEEP

6144:7jktq8QVV/Bi84xKmiuBzSyYPXetqEaq7HgbAqM0ZNvfzDVlGLF:7MsVV/BB4xKmKPuIEakHgbAYNjiL

Score

10^/10

neshta defense_evasion discovery persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 43 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023be6-5.dat	family_neshta
behavioral2/files/0x0008000000023c8e-23.dat	family_neshta
behavioral2/memory/1936-30-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x0006000000020216-34.dat	family_neshta
behavioral2/files/0x00010000000202a7-43.dat	family_neshta
behavioral2/files/0x000100000002152f-54.dat	family_neshta
behavioral2/files/0x00010000000214d8-60.dat	family_neshta
behavioral2/files/0x00010000000214d9-61.dat	family_neshta
behavioral2/files/0x00010000000214da-66.dat	family_neshta
behavioral2/files/0x0001000000022f2e-68.dat	family_neshta
behavioral2/files/0x0001000000022f6c-73.dat	family_neshta
behavioral2/files/0x0001000000022f6d-78.dat	family_neshta
behavioral2/files/0x0001000000022f6b-80.dat	family_neshta
behavioral2/files/0x0001000000016856-87.dat	family_neshta
behavioral2/files/0x0001000000016916-115.dat	family_neshta
behavioral2/files/0x000100000001691a-120.dat	family_neshta
behavioral2/files/0x0001000000016918-124.dat	family_neshta
behavioral2/files/0x0001000000022e68-127.dat	family_neshta
behavioral2/memory/680-129-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x000600000001e5d1-134.dat	family_neshta
behavioral2/files/0x000500000001e8c0-142.dat	family_neshta
behavioral2/files/0x00010000000167c2-98.dat	family_neshta
behavioral2/files/0x00010000000167e9-95.dat	family_neshta
behavioral2/files/0x000100000002273d-148.dat	family_neshta
behavioral2/files/0x00020000000215ca-153.dat	family_neshta
behavioral2/files/0x000200000000072d-152.dat	family_neshta
behavioral2/files/0x000b00000001ee08-164.dat	family_neshta
behavioral2/files/0x000a00000001e806-163.dat	family_neshta
behavioral2/files/0x000b00000001e614-161.dat	family_neshta
behavioral2/files/0x000e00000001f3c7-159.dat	family_neshta
behavioral2/files/0x000400000001e6aa-157.dat	family_neshta
behavioral2/files/0x000300000001e8c7-156.dat	family_neshta
behavioral2/files/0x000300000001e876-154.dat	family_neshta
behavioral2/memory/4804-165-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2324-166-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4804-167-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2324-168-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4804-169-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2324-170-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4804-171-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2324-172-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4804-176-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2324-177-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	a16a1326190655f327850b89d59080d9_JaffaCakes118.exe

Executes dropped EXE 6 IoCs

pid	Process
4804	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
2324	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
4548	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
1936	svchost.com
1756	135~1.EXE
680	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\Windows\svchost.com	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a16a1326190655f327850b89d59080d9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe

Modifies registry class 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 5000 wrote to memory of 4804	5000	a16a1326190655f327850b89d59080d9_JaffaCakes118.exe	85
PID 5000 wrote to memory of 4804	5000	a16a1326190655f327850b89d59080d9_JaffaCakes118.exe	85
PID 5000 wrote to memory of 4804	5000	a16a1326190655f327850b89d59080d9_JaffaCakes118.exe	85
PID 5000 wrote to memory of 2324	5000	a16a1326190655f327850b89d59080d9_JaffaCakes118.exe	86
PID 5000 wrote to memory of 2324	5000	a16a1326190655f327850b89d59080d9_JaffaCakes118.exe	86
PID 5000 wrote to memory of 2324	5000	a16a1326190655f327850b89d59080d9_JaffaCakes118.exe	86
PID 4804 wrote to memory of 4548	4804	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe	87
PID 4804 wrote to memory of 4548	4804	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe	87
PID 4804 wrote to memory of 4548	4804	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe	87
PID 2324 wrote to memory of 1936	2324	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe	88
PID 2324 wrote to memory of 1936	2324	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe	88
PID 2324 wrote to memory of 1936	2324	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe	88
PID 1936 wrote to memory of 1756	1936	svchost.com	89
PID 1936 wrote to memory of 1756	1936	svchost.com	89
PID 1936 wrote to memory of 1756	1936	svchost.com	89
PID 4548 wrote to memory of 680	4548	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe	92
PID 4548 wrote to memory of 680	4548	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe	92
PID 4548 wrote to memory of 680	4548	Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe	92
PID 680 wrote to memory of 3108	680	svchost.com	93
PID 680 wrote to memory of 3108	680	svchost.com	93
PID 680 wrote to memory of 3108	680	svchost.com	93

C:\Users\Admin\AppData\Local\Temp\a16a1326190655f327850b89d59080d9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a16a1326190655f327850b89d59080d9_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5000
- C:\Users\Admin\AppData\Local\Temp\Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
  "C:\Users\Admin\AppData\Local\Temp\Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4804
- - C:\Users\Admin\AppData\Local\Temp\3582-490\Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
    "C:\Users\Admin\AppData\Local\Temp\3582-490\Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4548
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\3582-490\Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe" >> NUL
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:680
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3582-490\Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe >> NUL
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3108
- C:\Users\Admin\AppData\Local\Temp\Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe
  "C:\Users\Admin\AppData\Local\Temp\Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\135~1.EXE"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\135~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\135~1.EXE
      4⤵
      Executes dropped EXE
      PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

Filesize
2.4MB

MD5
8ffc3bdf4a1903d9e28b99d1643fc9c7

SHA1
919ba8594db0ae245a8abd80f9f3698826fc6fe5

SHA256
8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6

SHA512
0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE

Filesize
294KB

MD5
19a6299fafd5618493c4c402f0d00e4b

SHA1
aa0cad92bcae14fcaf147ae53d493bfb8b5532c0

SHA256
5b4513c5c3610d54219bde05c4cb026d667ccf3836bda42fb31b0129beed6f0a

SHA512
1a9dad1dcd3fe9d00d335f39bfc4bab2e520c3625d20d7dbbc59ff2966591d11544778cfd48d8bb63987b1a65b51b258c3be98adee127cfd91c81e1bd09220c6

Download Submit
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe

Filesize
595KB

MD5
5ded80b3298448f200875c533dc7f578

SHA1
fc366ef472dd3bfa49a0cf9f28bd2cfd4177afdd

SHA256
ee2236d13bbde89936decef22282b8378ac56610b90749944baa3a690d7acb5b

SHA512
a7dafb5d868b56d43e3eadfdb7deea44ad418e966ec9cbe073d13c5a2fedfe366faa5fbd796a84e3e1c1b9a408960ed2d2bcd179785c4b6c5a377a3a83105c42

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaws.exe

Filesize
546KB

MD5
64c5c00694478ff090e483eebcd3d7a1

SHA1
af47eaff535970e6178c1bc29a6eb68b874dcfe8

SHA256
a9884e9141ca6f3d5f9a4fe781b104064f3b801d81263058f23b079c945a12f3

SHA512
4df0b6e2f215ef1dd206e9c14eb233e6896ad9b846290edb344947db8f9bcaec5c39777c9dac33aee85433ed3178188c7622ba8ff0b4d2462a80820f338ca495

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe

Filesize
325KB

MD5
9a8d683f9f884ddd9160a5912ca06995

SHA1
98dc8682a0c44727ee039298665f5d95b057c854

SHA256
5e2e22ead49ce9cc11141dbeebbe5b93a530c966695d8efc2083f00e6be53423

SHA512
6aecf8c5cb5796d6879f8643e20c653f58bad70820896b0019c39623604d5b3c8a4420562ab051c6685edce60aa068d9c2dbb4413a7b16c6d01a9ac10dc22c12

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe

Filesize
325KB

MD5
892cf4fc5398e07bf652c50ef2aa3b88

SHA1
c399e55756b23938057a0ecae597bd9dbe481866

SHA256
e2262c798729169f697e6c30e5211cde604fd8b14769311ff4ea81abba8c2781

SHA512
f16a9e4b1150098c5936ec6107c36d47246dafd5a43e9f4ad9a31ecab69cc789c768691fa23a1440fae7f6e93e8e62566b5c86f7ed6bb4cfe26368149ea8c167

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE

Filesize
146KB

MD5
cdc455fa95578320bd27e0d89a7c9108

SHA1
60cde78a74e4943f349f1999be3b6fc3c19ab268

SHA256
d7f214dc55857c3576675279261a0ee1881f7ddee4755bb0b9e7566fc0f425a9

SHA512
35f3741538bd59f6c744bcad6f348f4eb6ea1ee542f9780daa29de5dbb2d772b01fe4774fb1c2c7199a349488be309ceedd562ceb5f1bdcdd563036b301dcd9f

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE

Filesize
146KB

MD5
d9a290f7aec8aff3591c189b3cf8610a

SHA1
7558d29fb32018897c25e0ac1c86084116f1956c

SHA256
41bed95cb1101181a97460e2395efebb0594849e6f48b80a2b7c376ddf5ce0ea

SHA512
b55ab687a75c11ba99c64be42ad8471576aa2df10ce1bb61e902e98827e3a38cd922e365751bd485cac089c2bd8bccf939a578da7238506b77fe02a3eb7994c6

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE

Filesize
473KB

MD5
5d881df1fc70b133aa7d0a57d5c18109

SHA1
c2b6649f9abd5a779e540c6055e16de04795cdf4

SHA256
54974563c688cd0005c9fea093ee6489364263ce67227e2d9c76952b542c644b

SHA512
28cca31a4d49afef090d284cb60fa0ac0d8122a92cbc32ff333a661e53952425fb410deb7296bbb245443e16ecce5b1e3759e53acc83e323dc155cc13bba4a06

Download Submit
C:\PROGRA~2\Google\Update\DISABL~1.EXE

Filesize
198KB

MD5
7429ce42ac211cd3aa986faad186cedd

SHA1
b61a57f0f99cfd702be0fbafcb77e9f911223fac

SHA256
d608c05409ac4bd05d8e0702fcf66dfae5f4f38cbae13406842fa5504f4d616f

SHA512
ee4456877d6d881d9904013aabecb9f2daf6fc0ec7a7c9251e77396b66a7f5a577fe8544e64e2bb7464db429db56a3fe47c183a81d40cc869d01be573ab5e4c1

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE

Filesize
201KB

MD5
c7f7803a2032d0d942340cfebba0a42c

SHA1
578062d0707e753ab58875fb3a52c23e6fe2adf6

SHA256
0f201a8142c5a8adc36d2a177dd8d430eef2b05cff0e4faefb52440e823b54bb

SHA512
48e3e1eb3a33c1b8c20411209d8ed261c00798393f5fdd691d3fa0abed2849d8eb241bedcbeefddfebbec292c7abd254023e25df77c85b46000fe63a7324172b

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE

Filesize
244KB

MD5
da18586b25e72ff40c0f24da690a2edc

SHA1
27a388f3cdcfa7357f971b5c4411ea5aa1b9e5f5

SHA256
67f6e8f14bcf0e6d570c1f4ac5a1bb80a4e1470b5bad5a7ee85689c476597d8e

SHA512
3512820a9d37b61f77a79b2d4d3f6aec9ef53dbf81071bee16f5dcc8173393a1cd1bffe9f7f39467b72f9c9271a78e42078e68598934188d9df0b887f2edc5ab

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe

Filesize
290KB

MD5
23b1708cd5e7409832fe36f125844e7a

SHA1
39ec7d4322cf4ccea82ee65343d05459c5eb3f3e

SHA256
03e0297166fcd0b5a439d974080fbd5efbb48dfe3b019ab11faa89ecc372765f

SHA512
d6291f0a98f1dfedd81589f07d219df23a9e734680975d5e2d91553767927bd2b7ed915e6f5974767277fb813e14f8549caf57f96912ea3cebe28b73ca3ec62e

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe

Filesize
3.6MB

MD5
c0ac85794f04cb1648989075e6dfa55c

SHA1
c4e2ae9b72b40cd2eca4a178400c3832ad1df89e

SHA256
a62f88cb577ffe115d6b712dc4c559d5b9852f055ebbab092fda223b5e0dd046

SHA512
ef2f2a9b04e20a0dc7f5f088119d0f6e32801948e11f7f7a05e1e80c0e4313b6faa2527e4e8f15f878219e593ee0afc8350ade9094beae4a0c1f5107e2cf6a15

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE

Filesize
1.6MB

MD5
11486d1d22eaacf01580e3e650f1da3f

SHA1
a47a721efec08ade8456a6918c3de413a2f8c7a2

SHA256
5e1b1daa9968ca19a58714617b7e691b6b6f34bfacaf0dcf4792c48888b1a5d3

SHA512
5bd54e1c1308e04a769e089ab37bd9236ab97343b486b85a018f2c8ad060503c97e8bc51f911a63f9b96dd734eb7d21e0a5c447951246d972b05fafeef4633da

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE

Filesize
1.1MB

MD5
5c78384d8eb1f6cb8cb23d515cfe7c98

SHA1
b732ab6c3fbf2ded8a4d6c8962554d119f59082e

SHA256
9abd7f0aa942ee6b263cdc4b32a4110ddb95e43ad411190f0ea48c0064884564

SHA512
99324af5f8fb70a9d01f97d845a4c6999053d6567ba5b80830a843a1634b02eaf3c0c04ced924cf1b1be9b4d1dbbcb95538385f7f85ad84d3eaaa6dcdebcc8a6

Download Submit
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE

Filesize
274KB

MD5
d84f63a0bf5eff0c8c491f69b81d1a36

SHA1
17c7d7ae90e571e99f1b1685872f91c04ee76e85

SHA256
06d363997722b0e3c4787f72ca61cb2a8ad59ea7ba8a9d14eafa8a8a550687a2

SHA512
865aab84cfe40604ffd013d8517a538eb1322b90372d236821c0e39e285a20bdad755ddff8d59d8af47a9b10b6c77947abc9148761e75892c617db8503b0ef6e

Download Submit
C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE

Filesize
485KB

MD5
86749cd13537a694795be5d87ef7106d

SHA1
538030845680a8be8219618daee29e368dc1e06c

SHA256
8c35dcc975a5c7c687686a3970306452476d17a89787bc5bd3bf21b9de0d36a5

SHA512
7b6ae20515fb6b13701df422cbb0844d26c8a98087b2758427781f0bf11eb9ec5da029096e42960bf99ddd3d4f817db6e29ac172039110df6ea92547d331db4c

Download Submit
C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE

Filesize
650KB

MD5
2f826daacb184077b67aad3fe30e3413

SHA1
981d415fe70414aaac3a11024e65ae2e949aced8

SHA256
a6180f0aa9c56c32e71fe8dc150131177e4036a5a2111d0f3ec3c341fd813222

SHA512
2a6d9bdf4b7be9b766008e522cbb2c21921ba55d84dfde653ca977f70639e342a9d5548768de29ae2a85031c11dac2ae4b3c76b9136c020a6e7c9a9a5879caeb

Download Submit
C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe

Filesize
534KB

MD5
8a403bc371b84920c641afa3cf9fef2f

SHA1
d6c9d38f3e571b54132dd7ee31a169c683abfd63

SHA256
614a701b90739e7dbf66b14fbdb6854394290030cc87bbcb3f47e1c45d1f06c3

SHA512
b376ef1f49b793a8cd8b7af587f538cf87cb2fffa70fc144e1d1b7e2e8e365ba4ad0568321a0b1c04e69b4b8b694d77e812597a66be1c59eda626cbf132e2c72

Download Submit
C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE

Filesize
6.7MB

MD5
63dc05e27a0b43bf25f151751b481b8c

SHA1
b20321483dac62bce0aa0cef1d193d247747e189

SHA256
7d607fb69c69a72a5bf4305599279f46318312ce1082b6a34ac9100b8c7762ce

SHA512
374d705704d456cc5f9f79b7f465f6ec7c775dc43001c840e9d6efbbdef20926ed1fa97f8a9b1e73161e17f72520b96c05fa58ac86b3945208b405f9166e7ba3

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE

Filesize
674KB

MD5
97510a7d9bf0811a6ea89fad85a9f3f3

SHA1
2ac0c49b66a92789be65580a38ae9798237711db

SHA256
c48abbc29405559e68cc9f8fc6d218aa317a9d0023839c7846ca509c1f563fea

SHA512
2a93e2a3bd187fdde160f87ef777ccd1d1c398d547b7c869e6b64469b9418ad04d887cdfe94af7407476377bf2d009f576de3935c025b7aefbab26fbcd8f90fb

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE

Filesize
674KB

MD5
9c10a5ec52c145d340df7eafdb69c478

SHA1
57f3d99e41d123ad5f185fc21454367a7285db42

SHA256
ccf37e88447a7afdb0ba4351b8c5606dbb05b984fb133194d71bcc00d7be4e36

SHA512
2704cfd1a708bfca6db7c52467d3abf0b09313db0cdd1ea8e5d48504c8240c4bf24e677f17c5df9e3ac1f6a678e0328e73e951dc4481f35027cb03b2966dc38f

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE

Filesize
536KB

MD5
be885b2a881f00dfb801afd8c4f8b0e4

SHA1
b8b8f6ed9aea73e7aa171d6c2bc3865333152030

SHA256
efaab0fbd8998d6c25f4073e76482c01f60b64bd015b11f18893283762ef44d6

SHA512
f5066b84b731022592d7a1d762f7501d6d25b94ca22ac6e8bde42de06fd2e9f2354f0d2c5a415ea10507ac304d7b89da85a8cb311c0a07c7b8f1dfd96cd6a2fa

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{63880~1\WINDOW~1.EXE

Filesize
650KB

MD5
558fdb0b9f097118b0c928bb6062370a

SHA1
ad971a9a4cac3112a494a167e1b7736dcd6718b3

SHA256
90cee4a89cc1401ac464818226b7df69aa930804cefce56758d4e2ea0009d924

SHA512
5d08d5428e82fb3dad55c19e2c029de8f16e121faac87575b97f468b0ec312b3e0696225546cba91addaaf8f2451d44ae6386b4e4f7f621ce45055f3be797d7c

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE

Filesize
485KB

MD5
87f15006aea3b4433e226882a56f188d

SHA1
e3ad6beb8229af62b0824151dbf546c0506d4f65

SHA256
8d0045c74270281c705009d49441167c8a51ac70b720f84ff941b39fad220919

SHA512
b01a8af6dc836044d2adc6828654fa7a187c3f7ffe2a4db4c73021be6d121f9c1c47b1643513c3f25c0e1b5123b8ce2dc78b2ca8ce638a09c2171f158762c7c1

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{EF5AF~1\WINDOW~1.EXE

Filesize
691KB

MD5
bdcc4b493753298275c453c6edc93e19

SHA1
dd0bdf5e996808d2e6de46551e7709482984c40c

SHA256
13e5b58fe047df19aecb0823111e2c04ac8ae2106f865c1b3af979bbc0b9cecc

SHA512
4bbba6af80aa2211a1b86cc3f6571f01a294dd0f8e8e4542029d7289cd21137f4c4dff840cf79839e12b083063d2db6b74a175123746c38bf08695b2843ae458

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE

Filesize
495KB

MD5
07e194ce831b1846111eb6c8b176c86e

SHA1
b9c83ec3b0949cb661878fb1a8b43a073e15baf1

SHA256
d882f673ddf40a7ea6d89ce25e4ee55d94a5ef0b5403aa8d86656fd960d0e4ac

SHA512
55f9b6d3199aa60d836b6792ae55731236fb2a99c79ce8522e07e579c64eabb88fa413c02632deb87a361dd8490361aa1424beed2e01ba28be220f8c676a1bb5

Download Submit
C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\181510~1.001\FILESY~1.EXE

Filesize
293KB

MD5
f3228c24035b3f54f78bb4fd11c36aeb

SHA1
2fe73d1f64575bc4abf1d47a9dddfe7e2d9c9cbb

SHA256
d2767c9c52835f19f6695c604081bf03cdd772a3731cd2e320d9db5e477d8af7

SHA512
b526c63338d9167060bc40ffa1d13a8c2e871f46680cd4a0efc2333d9f15bf21ae75af45f8932de857678c5bf785011a28862ce7879f4bffdb9753c8bc2c19b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe

Filesize
195KB

MD5
3fe4432f457ba9b0b99d6922de2bdbb9

SHA1
31bef418a04a951412f28a9a46202bcc679085e5

SHA256
1906b7b9f548afea19fc38eee37248be4656dbdd8a5fe37f78d9587cbb61e683

SHA512
f9c50a0361482fb4a3a1fca86ee1b72427dc31cd876849e39b3a76f85785c2eb62a18696c384bd81b57681a012f916a9cacba83f740a78b7221c891bb6f893b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp

Filesize
8B

MD5
4b6e985cfb30d84c08b5127dff3efa7e

SHA1
6578bf9b4874f587c7951843d4d0fb7c8b48f820

SHA256
36c48b0b35e8add760bade4f121467940a86810bf9ec77afba96fd0a92b95201

SHA512
f2322156d2c94263a3013abbf79b5671c56b9dcdc8bc315853359cbc89c640f9ecc55f0bb97a4dd5916e1f395b223191208fe2efe2de720d786550b72cbc8e38

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ëîãèí ïàðîëü ïî÷òà ñåêðåòêà îò ïåðñà 135óð ðàçáîéêà.exe

Filesize
235KB

MD5
f88cae88bfeb942f5aee73584bc19fe1

SHA1
afba079c5264c9c04fcb6d94b68c1b6b28b38dd7

SHA256
95dcc64cff82520063679011ad47a05ae8067d096737097165259f5eb59e864d

SHA512
02732114c65713b9678103ff6d8400d6c9f075d799c14520a183098eb5043834390d90e48f19521ff8f7b58be33315d72f1712733c93f23d836caad70e30b00b

Download Submit
C:\Windows\directx.sys

Filesize
129B

MD5
7ea657c84536238e2f4ce92b1ae3bd26

SHA1
2e479fbdf0f3142696d032ab9e60fb146a9b5e28

SHA256
6bff78507caa62f3e7a6ab0e332bb463307d14db245d0faf98fe39b32150dde8

SHA512
35dbc9c24fdb3ea8291add44921f74263f004e56677e885711996ac5d31a77a179baad0506bf4ea7b5223c42fe1080589669d26374c5857d814a7f5c0630fc85

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
e98eaf745be5c638c0273bdf5535c9de

SHA1
aa09f250899b1b56144d2b8fa92d091ae53b3f96

SHA256
9782abec73716aec140bc8df64d014a93f1ffdb2e88a878ce81ffd6adaadd4f2

SHA512
ba9a0eb140ded6561be35ebc987937e587a9b8ad76793d418cc4e4eaa7112a1619b6c8c3e395c352dd688ce905d5410c736e3b39d052c3d50ef8bdf76acd7f4a

Download Submit
memory/680-129-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1756-29-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1756-28-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1936-30-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-168-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-172-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-177-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-170-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-166-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4548-20-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/4548-105-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/4804-167-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4804-169-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4804-165-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4804-171-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4804-176-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5000-0-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/5000-16-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads