neshta | 7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ce

Analysis

max time kernel
78s
max time network
80s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01-12-2024 23:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
Size

6.3MB
MD5

faa36240cc539d9ddf4abe95597e11b0
SHA1

75743c04f46dc1dbde7f71b6085c02bb9b2f595e
SHA256

7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ce
SHA512

398e1dd1077aea64d32cdd4302c755db5a3d4bb378df2252464cc0e8adc690bed67b500beaa059ba102f4aef59e1151c28f4e1edd0cb9a95329d45b0478ce9e5
SSDEEP

98304:wLTvD2bEJn5MUQ+LmtH4XEWoVsUJiLNpF:8TvCDUNOEEWBxpF

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 4 IoCs

resource	yara_rule
behavioral1/files/0x0001000000010314-18.dat	family_neshta
behavioral1/memory/2076-381-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2076-1520-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2076-1629-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Executes dropped EXE 5 IoCs

pid	Process
2088	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
2324	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
2744	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
2620	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
2788	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe

Loads dropped DLL 11 IoCs

pid	Process
2076	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
2088	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
2088	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
2324	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
2088	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
2744	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
2076	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
2088	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
2620	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
2620	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
2788	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened (read-only)	\??\D:	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened (read-only)	\??\F:	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened (read-only)	\??\D:	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d48f80c0e7565e4bb7fa4557e97cb92000000000020000000000106600000001000020000000d9fd4b21dfc8da047a0b35aa228205aa20981f0d88a7d58dda19cfcdef88d3c1000000000e80000000020000200000007b130da5f72dc23455b1e6eba9b47350b5a3e32eb7d3f06fe4c94e04a36292c59000000090e0fad4c370d0405a2074b9beaac3672483f43cdd6c66569ab105201b1d11e4e0aed25009dfe5ff98c507dcbd67bbf9f3adf066553b555bcfa059c9bcbde6d01db9f92592b655abcbaddc91a6c91987fce34f16a6353fad5dbeb4290d31bd96583d9295b82dba45499202cb530a47409f2e311328b819759c5d731bdb2e18ff5bf4e878e89fdd2d12edea88c748375740000000bf2d13894310c9bf32150c1c96c5cb3632c4088cf8efc7667342b1ced403e4a2389d9eed9841797357d1f22c34238354ed2542b4400719ffcebb9c6c72b7e535	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439256651"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0f380a64644db01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D0B05441-B039-11EF-9BC7-EEF6AC92610E} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d48f80c0e7565e4bb7fa4557e97cb9200000000002000000000010660000000100002000000065d45e27e9d37d2749207a5afc5b6b2467bf51bad71a878b0da169e23204b46b000000000e80000000020000200000003a42be8e3621cba59038bc67d9b8c7b0d180f8ea20c281313d1c2918ca81318620000000fa2d3f0a0791973b95208041ab2c4e33d54a091a927bea497a30b21a0476365640000000627c61f6899a42e99b20134b02962f4504eb477cb14c686f760a2ac123a70c5b0c6e99477a495769ce1964ab249c226c5cf9e9bf2b9ca2ec7dd1fe0f576f9727	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2784	iexplore.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2088	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
2088	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
2088	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
2784	iexplore.exe
2784	iexplore.exe
2884	IEXPLORE.EXE
2884	IEXPLORE.EXE
2884	IEXPLORE.EXE
2884	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2088	2076	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe	30
PID 2076 wrote to memory of 2088	2076	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe	30
PID 2076 wrote to memory of 2088	2076	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe	30
PID 2076 wrote to memory of 2088	2076	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe	30
PID 2088 wrote to memory of 2324	2088	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe	31
PID 2088 wrote to memory of 2324	2088	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe	31
PID 2088 wrote to memory of 2324	2088	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe	31
PID 2088 wrote to memory of 2744	2088	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe	32
PID 2088 wrote to memory of 2744	2088	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe	32
PID 2088 wrote to memory of 2744	2088	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe	32
PID 2088 wrote to memory of 2620	2088	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe	35
PID 2088 wrote to memory of 2620	2088	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe	35
PID 2088 wrote to memory of 2620	2088	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe	35
PID 2620 wrote to memory of 2788	2620	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe	36
PID 2620 wrote to memory of 2788	2620	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe	36
PID 2620 wrote to memory of 2788	2620	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe	36
PID 2088 wrote to memory of 2784	2088	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe	37
PID 2088 wrote to memory of 2784	2088	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe	37
PID 2088 wrote to memory of 2784	2088	7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe	37
PID 2784 wrote to memory of 2884	2784	iexplore.exe	38
PID 2784 wrote to memory of 2884	2784	iexplore.exe	38
PID 2784 wrote to memory of 2884	2784	iexplore.exe	38
PID 2784 wrote to memory of 2884	2784	iexplore.exe	38

C:\Users\Admin\AppData\Local\Temp\7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
"C:\Users\Admin\AppData\Local\Temp\7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Users\Admin\AppData\Local\Temp\3582-490\7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Users\Admin\AppData\Local\Temp\3582-490\7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
    C:\Users\Admin\AppData\Local\Temp\3582-490\7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=95.0.4635.80 --initial-client-data=0x174,0x178,0x17c,0x148,0x180,0x7fef59ea908,0x7fef59ea918,0x7fef59ea928
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2324
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe" --version
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2744
- - C:\Users\Admin\AppData\Local\Temp\3582-490\7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
    "C:\Users\Admin\AppData\Local\Temp\3582-490\7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=1 --general-interests=1 --general-location=1 --personalized-content=1 --personalized-ads=1 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --pin-additional-shortcuts=1 --run-at-startup=1 --server-tracking-data=server_tracking_data --initial-pid=2088 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20241201231256" --session-guid=4ffd22a2-ce45-4765-8821-d147eedc82de --desktopshortcut=1 --wait-for-package --initial-proc-handle=5005000000000000
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe
      C:\Users\Admin\AppData\Local\Temp\3582-490\7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=95.0.4635.80 --initial-client-data=0x180,0x184,0x188,0x148,0x18c,0x7fef4eaa908,0x7fef4eaa918,0x7fef4eaa928
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2788
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://www.opera.com/download/get/?partner=www&opsys=Windows&utm_source=netinstaller&arch=x64
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2784 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6fed6bde2910c01854d8b39c6af44875

SHA1
715d4713d54d6c4944f4dc2097a4e300d68fa00d

SHA256
3c6ce95026d924b5b84078a685c44706276da570efbb217160ef090b17ff7faf

SHA512
dcd8aeda05081e15c71009904ac942d73c84c0ef78032e2ef94ff64e8d46f46fa740fded1c94f4ed0438486c89720a5d608eb4bb2eb67d7f6603f147611d0857

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b444a4ce96cab113671a4eb276416375

SHA1
be700a97e18a4b3cd4184884311be6bf6575ce8e

SHA256
c7c7757fce530266dcdbccde64d44677f4e42d7d529bee1176cd6cd4312cb281

SHA512
bac657d122d5b7f0ca2d4dbd8cfab90184d48a68029bf86f24c1b3ce85732c2e5fca2cad211899ffc60a7224ecda94c3f45b1b949a525489236191b9397be673

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
33360c5be3ab4b2be7f233959def5406

SHA1
4211303196ad08c9e39c863aac467d3e78246214

SHA256
79073396afa91ed5936343a49e5f852f9af753e95c724ff2418b94b177f3c7f0

SHA512
de11667b5a161f25a425c3445709f6aadca4f59a67cb5000891f66c8bea06629ff64709b274f1ad5a63f5166b287b66eba7caf2e805ca1d5ad33d2c3f0350ac4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cb3d7e5c640d2ece83543841a801c918

SHA1
fe7ae8493dea9dd3f70203c45b93e4b5bcb7ef50

SHA256
66035f0f03810ef125e204206e26f1064ecf5494e5908a0aa0f203b557475e0d

SHA512
b993c11d4750b668ca5f56dc462d34257e73542231805d678d66681d555192cff40983a3f71f32fd353df34a059517823a80ab992c2afeaf21298ea8edff664e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
245f286e460af74695e61ece1547f2b3

SHA1
4fa9a5c011b2cf8146495379cb4c3fb75019f768

SHA256
dbeb67e337bdedad0b69cb39e8109ee9fc72228e1d53234afaac594e9a98dfa9

SHA512
dff8bdc56ca0897b85e67d10df0aa121a98cfcff16a595f04ac90fba416104ebc99f7aa07b4757644bde326021701bee1a3346ab97fa84839a9ea12089444bdd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d81aa1698a3edbe45fb42dd0ebdcae5b

SHA1
4011d109ab02df89158b28ae7f89067b3d7c4b0d

SHA256
d0208032f104a6553557da07607bf838ad2f43c091e6de1ce1618f596d7cf91f

SHA512
0e81832ddbe7e316a8c249c3915f9e718eb69b9e4357b2853c0763865bf4e06771c3dfb84ede597ce8ac1f5d0d3af97d62fdbc29ff24fa51f00f069922d02a0b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
60d77c326602c4789761fa05dfb617ec

SHA1
b1721189f840f59aeeaaad1a5dafe9bd002cafb8

SHA256
20da4d39e07b738cfc9bd04373cddc4d54476d27f2d3bed4bef6deff60b1613e

SHA512
304bd970e96446de21161c8280c70ff10bb672df2ac281a9273a4a5335fbffbc55a33a687b56dbbcfa958e26e6af047eadf9d63c43056b36f100f3a373d6175e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
39cdb48fa68779cfc3cf0effc556f2a5

SHA1
d9f1416d38dca7c36bfd46ba4ce3ba152225e791

SHA256
be9935e50dd2764b6f4954846103c2e5e73c2e1802c7907c5f7f66cafa5b47c0

SHA512
abb2449a146fe41de6b6c68e7f2e3df3bb5c8fb4dab6a3217346f99eca9a27048823170e100d429b5ca8688d8031ea1bc16df5464820adfc14a1e21c7ba040de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0958a1640094c57f0ed15cbe969e5e28

SHA1
80d019a02a215b47827e52ec1bf0c964be08f69d

SHA256
6422429643398d8719a1f53ce21dbbde9fbfdfad351da60d0d044f17cca2985f

SHA512
b30b1564de40e2669f6e0c4e5a5779eb0005a2dc345b46556e6c8d62e1f38a149acfe153631b0a7bb72a03422e9b0bb7591bf9f0140487cbdf9b808d58373c47

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e2ad5be8e6c0ec67c54fc83dff4cd332

SHA1
72977697337200113c9190825ad0f601abe255e0

SHA256
d0e90b3d92437d271e2d0f72077220e9b969ce9c507b62636a76eb9418803d2b

SHA512
a7cef942ab81b204a046e1fd660b89562c8cfca89e14cae442425e97f8bff33199d22e1a5d904c254527b34a636d80f3c1beba268d27ee4993907300a6ae7337

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b1e4a9b5152ac98d621db10b94d034ac

SHA1
26244f6de1f630a995c9ec6012d004cec49a13cf

SHA256
869b12cf9507058d2f4ddc8b99d94f392d69d83401a8206bcc4a7ab844ed4a15

SHA512
f47a6f2023d7f5553bb369fa2cf8ddfb4cbee6f5ba1fd2a31040a58bd540f24cc87273615aa12e0778d45472144ec103e89b65ea0c2dd8843cce589bdab6f4be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dabc01ffa0f74a8cce00263c738ebb7e

SHA1
ec1376486f086462e60164102860583ee2054f56

SHA256
4f15e3931321557fca33c5996921b8353df73d08bddcd83e3ce299740fde79bc

SHA512
f206f631fad7e022b3010ce15930302da1b06d2ec6da100f830175b947945149094f78bb48517e21123014075caa1e07c0fdb6f460132b3ad6d02b24a0811f01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f4368694f8d1bf8d9d8af1e8791fb789

SHA1
9d8733bbdccd7cb3e0968b90fc30d8911c718ddb

SHA256
8f90d086f5f3942fb9964d1ed5d819ed91a047b4e2b9a393469c80f970542968

SHA512
1df3ccfac459575fced1bae63d19f32286e5f11ee20d3306e9656135b35549bcc3a108c482238d8987ee129e2744101ff773e38a6c3864de9b63b1b9dce1133b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
13f6abbdc2414ff7d25cec2bb422a371

SHA1
f32c5fc56cc2ffa9b4f3d16b785e078ce80cd74a

SHA256
acefa00c8b19e80a97311dd8a4ca73f469ed0661e6edb5125397fedc0fcd5633

SHA512
82b4697c232b75a55bbe9e6d18a8c0c877a1340ee39326c0f67404081e105a83ff612b08fd977d0b7545703ba80c8fc40baef619043956f519689a48158e2c59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
713386c86f74d6c14705608097a9c5b0

SHA1
baa47a721ef144241f73fa133b04426953edc87d

SHA256
a2b67994ea0e2a72d13e09b04cc7a9c8fc4ca913d6b08deb65d11ab61178987f

SHA512
a1cb35dc1a78f2d1b667447576ca671bc3774f97dca8906dff1e52b8d98567a9ea9c04f2965b74ce7dacba608d65cfc2fc7c326d3835af44f5edd42005e298dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4152d456b9e2c5cd620db06f8fe25060

SHA1
34222ac4e1bc413fca60fa22ad1c03144f4c2a81

SHA256
b09c56e8a56247cb4457c3c813f0c1a3f006aa612b82afe75a512f76078af011

SHA512
3f8ce4e7f312af1a2b0f26a75eb5827ae267b85a3eeef8f122ad8c0a9c3aa0aa938d1bee94e3667a63b01081869366e9e4378afc1eca8d3108b70073efb27d63

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
194e39a434a53f82736a7eab83b0fc40

SHA1
fb380a18adbb4c59c188f26be646220e1df4d539

SHA256
f2aacde50c9dbc2e8cb0734e5133db70e5a2fbcde833234cf9223d6dc0f0d873

SHA512
bc91447b10cbc30d6ca529e0ce60dd966164354761c6492bd2d2ce2cb82fb9eea64fd5bae96582ef7d447b0e93e1eb0fd69174abc8e5d7d28dd3328fc86b4023

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
15a6a87067f21c38eb8ce20c0df151cf

SHA1
b77cfd492d4bd82c7c12ac394a3fc124371d9eaf

SHA256
d51feb6847c01597f3f5eb42720e6d2b51629e20830eec09051e5ac517dbbfda

SHA512
63ad753b8b45c9a805d9b37489d333164f132fb6885a77928369a9dee57b11b92c79dda0f120c4b9299db00ec153e8bc8f81dab97d001d74e8c097d55c4f7acf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b4413aeeae3745cdeb328816203aa2e9

SHA1
bafee6177b425cdba72d183ed7ea5f8970bb263c

SHA256
60ee4e7c5e70a87c209296fce792ffda1f46f91a863db5714c1e015105bab53e

SHA512
73b2b18f3a0a9486868b2ef93eea6cec5fbf978d17b8bfcefded23ac3d1746e6b5576ddb99ea4ede745dc0b60a39083cd07f36cf0452f2b2dc1cc870353a10a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f4fac6e99afb785163da554bd22618f

SHA1
103cd82b310e6b9643d92b73cf8868125b0d66c1

SHA256
886886c6a03b7c2ac5f7e60204be407c371035f12dd015251bcc9fbaf010e671

SHA512
d52199b17a558d4f4c960a1155ef0c05297606a0536e1879fd0e451a2aaac932164ddcacfe41c9e75837c230517faf7c93175b1618865c59e2ba9fb7d3f37527

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be1253aed9cdfd45e5f5302153b50ace

SHA1
7ca48995aea399008cb7adb28ec2541ee880cb5e

SHA256
c63415cfd1c97c719a77e4e44f28beba271a52308813426551673e0e7f688d53

SHA512
20eab4d40ee7209d7b68e7b9fb1c4ed20c01cb7180492be5b2751fa26f0adb152a8f160340f5ba8565e9c42c1a7588b1c56080b776ab20442292ea8bef545748

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8432b4a60df3c5f82d1e05fd9276fcbc

SHA1
22709377daaa89d69b9525bed0331888bc75e818

SHA256
5c27d6cd96d140e302f3ce0770ca94a125c8068e60cbda83a413849b097ced4d

SHA512
da89b0c860dfd9a3497f0609e4caad6196ee0e56fa555e40d7929810bda283feedd3f200140b6d72f8ab6b74fe96ba68f5289a45497a5a1717ab06d401284885

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e2cf091212a353e94df116e0cedc7515

SHA1
7329dfe9626fc581d4ad3a0e3e847dcffef2116c

SHA256
8be92bdbb994739ee29bdf827dcdeb18680ee3d5cc5d2fbcf70f75744c6da09a

SHA512
0cb556eec8851c86b5094e7f6e79802cd1bbeb1ac489507abb12636caf69de7436ce192eb1e2c752df7f10aa155bb150538685fcb8e293807cd7cc5d10cc197c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a0177cda1bfa3a95f051025cb6aedf00

SHA1
de6dfe4a16d46ec18e2aae8607ae8fabd7820684

SHA256
8ac674e038f696013c7efb55f524e1777e39ca857cfc1c94e773a1fdf24a110e

SHA512
aeadc96fcab97ca2de5fa2c3b44510e065a1132526b0b7f8cf99e6e89ba3673b440fad9ca314b5ac7152c2325bd5ad981d7d3bf12c23e6aa03c522e9e849ad48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c8d4601def9116942babc22f4c8df802

SHA1
2a699178b880799a8f3149069af46fdc1eda2433

SHA256
6bd43675c88dcc9eb09d703bd38d94f6541174875c4d3396fb10416fe698b0bb

SHA512
77eac993e29dc27f7e4692799bd6f24b7e038279a5a8963c0c4bb05021c6de478c72da116b6fb3634ab56d42c832601f1412f21712dc480569df548e4a55495e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c40d0c86040f882f0b0fd8640b616a1d

SHA1
ed4a70031ca577ffd0364616fd9dbc22778be44e

SHA256
e0d255aaee01bb3b106cd0a0324e8decd2f1cd30945f1d99cd430cf76b44833e

SHA512
311fc9d19e74f047ddc097fe31c0a338848e45f2d1f61ba0c344b9030ee7342ae5524bc8dcebdb3bf7b03dbedc349458e5550148ca3a5faded0591f201482c36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
66b7b74670f6c1d0c37b412a360d3db3

SHA1
28321995f34193e66449c4c3151c49c738ccd93c

SHA256
5510e3c1002ac4bc6b2cb2676821f83743fcda279868de560201e8b77704e7df

SHA512
b37ddb3d5bbfaa501a8aae045800d2acb59338581e6bb721922080647b1add518d530278dec4eadb9d2de9f985ed472640befb917f48467e64cae637ffa74fe6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d8d216e2a565e62f6ff0f91945424524

SHA1
a610ebb3dc9b5bed0b8f44dc54c553b19ef47fbe

SHA256
97e96391cdf7e357d8f0baa5065ad68d7082e3374794663834e2532cf79f9d13

SHA512
4562b843f35d18d416c4ef37d8bc02a43b524ab478d6e7d85f587d6f3f572731edbc21b8cd183d72116e0bd0a0279b9ffe69739fc7bc4357999c441d0996d710

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
11d0ed23eec6d9298c3a3f6664f62098

SHA1
1ac6417d8ddd0b07f0c407bc13a4760b755ab69a

SHA256
f65da1bc4c84bec83935d97a99e7614265a80d797733ecd5410faef23357342f

SHA512
cd13efe093f60dcea249267a9b8f6042b541a6087de24bdeb78619c3a5caa86e616fc266c4eca746cb889f66c7b2f479334984f26f9c3e4506b0cd62397b333f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
69a8f4ddbcf6fef6eea5b83c7900c8ae

SHA1
dc01969ace1481656712004afa3c45300088b11e

SHA256
74cc9bb5cac6d373ddf93b025930c67f92f8fdebee44e15c0382a5cdafa4b76e

SHA512
8318da3b052299f0cf517584ed42eca979942b484dbf2f1985d26577a2009097ef5242c275b2f951ffc75a16846d64febede7c7599d94cee918fbe28bfa9b3dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b45344f88045d497a788a15f7a8dc199

SHA1
0ca459d2c76bacc2b700c5e3c165c915b40e1b7a

SHA256
5b86358b23853f581420439b6fac411b09a7f316e96edc252b144e29992c63df

SHA512
3abc728185ad67f6ebc615ac8c3c21e336077ac1fd2edb340ceaef097982d38ef96b00d4bffb181544fb78f7ccaf96928cea990b4cd3e898c321ddf8aa336cef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a062be3306ee0afc5e8ec388b253c832

SHA1
4ebd5a3777a5b5d5c631ef83554aa20f9079655f

SHA256
38152b4ad79f4b48e47740574b260a6a478280c38a13b87b0dda045fbb5b749f

SHA512
211153e6e0f81a45416bfa21aa52f2a30f62ebd59ffe8ec08910e416fb93284617f61035537362ba79d46b083ab5ed677ad36e9c0ccd4ba8bfd0977365ccb8fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4d6445b5bf7f237c60e7a773da324885

SHA1
a87735ac85f782ff92c88f15ed709e8f4156fdbe

SHA256
939b2f3c8ec46d3357452db890dd8ab1885546964ca37de4ae698775de28b248

SHA512
b25f23c2fbcbdef4659ee612505d5517eea79ea6338627a7411e3d3205bd6cd2459787ee39cd384a6987b975512baf1602a0f9bd90d8118fcfa55a452f0b84e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b7abfe6cce75cfa7c0982827d2308601

SHA1
97f20f4977c2cbfb55d0e7dae63696033c35be82

SHA256
e4ac0c724727c87aac0ec70b9ecf497f4813b4d1d387c36bb19e9bb220a1fa0b

SHA512
80e6ecc91a6bf1af58fb650abb6a0b0472b58d1f7fb81a0df626e1c51c0ff7db022b9fdad4fbe488a0982f3f70aeb8148473072452e7006d0a20b03fcc51972b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
17e3966738d3d923cb6cced692c62255

SHA1
7eda441c53b18b7b6660b2e1326a51e140fefd4d

SHA256
36950a99cf9fd4f4e7074032e6b724562c3add9b11e1f624905ef57311ba987f

SHA512
75210fb8516c460974b3d193a2be51d29d02261f8571548d6442524dd3dc2324eb67e78df141c2d952136d2bbce8f54c39fc9cf92e43a1d3aa8df37ea9f66512

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0f9b47f2a349e5e8203cd33e2b1538e0

SHA1
4832515270df2890d812e2f42aa14bcec42209a4

SHA256
679797f05798c0cdaf5e8428ea6c9c80c93d110ab7807bf98aa4266bd87686c7

SHA512
f3a3caa669400cb1af2c9857ea3e9910648cf067751ef6fee6a99ef8c6ef9c3e52a9f799216f23dfb74b5a51ad372fe3ec65371987ba16991cb541a32c59f73a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
67940507ef5a1bb6f21693b957136cc7

SHA1
08187b2b82f01739ca2a319d86c95a433c44c98c

SHA256
2555384954d150f401f9a58a204ec1219fc20a2b395c1d0e0b3a6440c2361965

SHA512
e9b6bac20c0695c6e6bbb8675040d3a132a20f4ce1e23fd7b579cc40a17cf5adb6c7fbe070b76ca071385fab9ef48ffab026b1eaa7a2c73b98c7d675a9e81cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDB05.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDBB4.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
a52c121d65b5324f32f62d8b459c9861

SHA1
88ef965985b4ff9ae9a07af8e2d02205103600de

SHA256
09d8ecaea2f49681a3f36f5ed48de23b98f4bed6ce90641498e186510f2867a8

SHA512
e9a6f88eebcdb2c4da3bc19d1453ef102266804327a398c8f6a81801810d592afe8322fce73ec3cdc4c6c2b30ba414cb2dc054f9ebc152dbe448ed7fc7534434

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\7f6817900593ed3e28860acf159bc086e73aaf549ea50d9b2ee381585afa98ceN.exe

Filesize
6.3MB

MD5
97ba1ead58c304f1c0a6e4cb74bc813f

SHA1
d6896f917dfdceef6d3a6082b2463655feb77474

SHA256
72662880c742e9866e83ec8487357b1c940dc3fc998cb53b8d974c8396256171

SHA512
aa04974790e909493564d16778d4b0f44981559f9163c2f2e9602c9c18140c2abfe103e5432988ac6b12125e04982d1caf80b51b65dae8f465af520f343a434f

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2412012312534192088.dll

Filesize
5.5MB

MD5
6376f90c6b21ec0c20e22618a8bd59e0

SHA1
eb0eecb194e4f9be3753b174d822da9cff8d6b57

SHA256
789f2edd4553daead61efe111afe14a6893a5b1c3c6f9f3ff9b7a78caca420ce

SHA512
c9bd9aa9a6e10f1c34e0b278be3041283de4b6301843839e4122e42c4503f4c896c4754578187640d6b8ad88d73ddccbbb9f49c8691c67af43e63a4dde5662b8

Download Submit
memory/2076-1629-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2076-1520-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2076-381-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads