neshta | b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835f

Analysis

max time kernel
74s
max time network
75s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02-12-2024 13:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
Size

7.0MB
MD5

5cde74e896cf3a64ceb7fe9d68c56fa0
SHA1

b5067533ff651e8f18f80c9116c01828d2762427
SHA256

b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835f
SHA512

522b8f7db545264d0c19fa5d6c227f068ebfb57bf657431f5d135e32bf45febde363f49b1ced0fdf366a8034a077ee5035fa68edd822258200f1e3967443ccab
SSDEEP

98304:cLTO+VdVTYOUaRzUvpP3B2TUPwQFBfcWvvu:YTO+uOVypPwCBfcWO

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0001000000010314-9.dat	family_neshta
behavioral1/memory/2272-882-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2272-1542-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Executes dropped EXE 5 IoCs

pid	Process
2716	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
2772	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
2732	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
1696	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
596	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe

Loads dropped DLL 11 IoCs

pid	Process
2272	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
2716	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
2716	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
2772	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
2716	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
2732	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
2272	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
2716	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
1696	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
1696	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
596	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened (read-only)	\??\D:	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened (read-only)	\??\F:	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened (read-only)	\??\D:	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20636c9ebe44db01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439308175"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C79845C1-B0B1-11EF-80FE-5E235017FF15} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000064c4e3647f3d4f4fbaf4e89101fa36a6000000000200000000001066000000010000200000003499f62adf6b95306d32253b7a474c03089e40770c83f3f1506f5d38c25b95cc000000000e8000000002000020000000f87ff19afc976b92e8f75392db17f5351d339a32af4b1a1d6577e3998aca80fb200000004489b3dd4acb84a99b9d2d77dae8df2f1e45a006de370c3c8669ba2d853fcbca40000000322644ed1a698e827bd759addc7af642b908338181182005eb8a9d88d53c0c3651bf2bf8a26a6e3a391f0209bb1f2e1095c9899cbd574d467a9128a63e3aadf6	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000064c4e3647f3d4f4fbaf4e89101fa36a6000000000200000000001066000000010000200000007f4a1b1aeca3e7aab1a12dfce05392d9b82bee2be1ddc223ce0cbc9b05b8e49b000000000e80000000020000200000002a5ff1e074c36c9bf10a6b4c1d7902920326e427bf8f27e302cb8f7b62a0bee2900000005fcbb38edb2b072528d845403418fb8d9e543e53e5c00ffcc392408dcdb1965c20902e36421a8f601523de59b75c09902cd20d2a95a0ecc72ca7d8586669e73e7cec3aac80f6180d085965630a3cdc05e5104b99d1b8c1ef0d025de356b8f4a40e7e886646b41ab7cd369397b603a6916cb50f7b523b2739d17765e11e2e08b9e1a94b8d1b7d41ef7f7bf62ba3c1193640000000764ef90c3ba59908949ec1173013350569e3a687d548f4a4b83b4f1a7dee04683a6c75f381cadb85c1a05490bac8d3a7528f7012275619584b388b329d04a8a6	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1728	iexplore.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2716	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
2716	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
2716	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
1728	iexplore.exe
1728	iexplore.exe
1320	IEXPLORE.EXE
1320	IEXPLORE.EXE
1320	IEXPLORE.EXE
1320	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2716	2272	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe	31
PID 2272 wrote to memory of 2716	2272	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe	31
PID 2272 wrote to memory of 2716	2272	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe	31
PID 2272 wrote to memory of 2716	2272	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe	31
PID 2716 wrote to memory of 2772	2716	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe	32
PID 2716 wrote to memory of 2772	2716	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe	32
PID 2716 wrote to memory of 2772	2716	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe	32
PID 2716 wrote to memory of 2732	2716	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe	33
PID 2716 wrote to memory of 2732	2716	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe	33
PID 2716 wrote to memory of 2732	2716	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe	33
PID 2716 wrote to memory of 1696	2716	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe	35
PID 2716 wrote to memory of 1696	2716	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe	35
PID 2716 wrote to memory of 1696	2716	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe	35
PID 2716 wrote to memory of 1728	2716	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe	36
PID 2716 wrote to memory of 1728	2716	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe	36
PID 2716 wrote to memory of 1728	2716	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe	36
PID 1696 wrote to memory of 596	1696	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe	37
PID 1696 wrote to memory of 596	1696	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe	37
PID 1696 wrote to memory of 596	1696	b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe	37
PID 1728 wrote to memory of 1320	1728	iexplore.exe	38
PID 1728 wrote to memory of 1320	1728	iexplore.exe	38
PID 1728 wrote to memory of 1320	1728	iexplore.exe	38
PID 1728 wrote to memory of 1320	1728	iexplore.exe	38

C:\Users\Admin\AppData\Local\Temp\b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
"C:\Users\Admin\AppData\Local\Temp\b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Users\Admin\AppData\Local\Temp\3582-490\b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Users\Admin\AppData\Local\Temp\3582-490\b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
    C:\Users\Admin\AppData\Local\Temp\3582-490\b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktopGX --annotation=ver=95.0.4635.88 --initial-client-data=0x184,0x188,0x18c,0x158,0x190,0x7fef59c1928,0x7fef59c1938,0x7fef59c1948
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2772
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe" --version
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2732
- - C:\Users\Admin\AppData\Local\Temp\3582-490\b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
    "C:\Users\Admin\AppData\Local\Temp\3582-490\b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=1 --general-interests=1 --general-location=1 --personalized-content=1 --personalized-ads=1 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera GX" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=0 --pintotaskbar=1 --pintostartmenu=1 --pin-additional-shortcuts=1 --run-at-startup=1 --server-tracking-data=server_tracking_data --initial-pid=2716 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_20241202133142" --session-guid=1617e7f8-2f96-4ff9-90c2-1993aec06a71 --desktopshortcut=1 --wait-for-package --initial-proc-handle=9006000000000000
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Suspicious use of WriteProcessMemory
    PID:1696
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe
      C:\Users\Admin\AppData\Local\Temp\3582-490\b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktopGX --annotation=ver=95.0.4635.88 --initial-client-data=0x180,0x190,0x194,0x154,0x198,0x7fef4d21928,0x7fef4d21938,0x7fef4d21948
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:596
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://www.opera.com/download/get/?partner=www&opsys=Windows&utm_source=netinstaller&arch=x64
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1728
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1728 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa58bd408cafa20a8066f561a453a101

SHA1
343fa2358fb0290e0ea860f4b0d3e762c73e12f6

SHA256
ccdb7aae3d4f9f804b888832d202c37a44e7086891f8e0c7643dca0a8e994110

SHA512
f5a96a63c5e35cf2f96335e857e2558fdd7e550358c5723bc9b5e21941d03871a2bc7e32f8534d0d7281fc1ab720b20b8c77f96496ffa49966ce907f08031a2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c323a8a3146af9e59cf768a245b9fc5

SHA1
94c76c38c4e61a596ee8d7fec58a70d5cca0ccc7

SHA256
33d261305a3f7231778f7204dee70a87125cf47b59e7f94791c5c57a0e138879

SHA512
f5ddeb31e33d86658419714b58f2bf695528b241e2967eab3c24bdbf691f0431b0acebf9976a98b8b25304fef487ae47e06a7a45ddbe61bb13515df899a2f20f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4797a0c5e0e24e8bf2f50610964acc46

SHA1
b6dd465ecee7d330db479791b231d92cf0e40428

SHA256
258f32ba6601a498f6c1e59a611332c68fe7e8077432c7ad3c9eb8c406b841f6

SHA512
759a2b748033d0a4b4059f8211aa8836018297c4ffda3795024d571aebab62f03c2006587c57ff00ff8ff68bcd7c1092ffba34540762597f8a267f76739dfdec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
10e838f789db3ca464af7f2716bdd7a2

SHA1
c70aea7f91df1d69147ec1f8fe4f794c99a8d6e1

SHA256
4644e4dcfb1e59bfe716606ef4e6f1fe42fbab73a7879478de9e65190e574032

SHA512
33018bc60cd592e0a6297509c1bd090b61e44a81d909c0ddf3b06bf989468e535ce9993e2d64b090ba94058972632f3bae5ab2520f3d901d88be2623f695eeea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
602bfd2feaa4f6b08943ea31e57a9c4b

SHA1
05c6f755a69eabf2e9196b453d65530f5ea3b768

SHA256
4a66ccbe9aa969d2b954e560b00a01618520576e520df4f86f1e8c5205b74a83

SHA512
bc69688652d653597c8b6c73e6e9e28b4b5e5e55f97e6fdc654144ab879421908530056c705bf97a9102cb45ed89baed6c291e3ba0a990659eca85cf0637be21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2dacca1e00ececebe7e5dde0024074f3

SHA1
11d0b1f56b311992177874304670ec63e7675fb9

SHA256
509f9d3649fd3fd6369d3272aeb9daf56af6f6243084d57dec561a4162dd1c87

SHA512
89bf098127de1299671d248e154a7f3b71457c921453698f2b18973c760dce9d841168de4ff6c95c6529af19aa51fac303d9cf7b9ebcf3ffb389403e4100a8dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f170c35955a5376d66cb6e6e6f0bd2ff

SHA1
70be75856b7975ce7dea989ff1b0f5b3ed8e3fad

SHA256
71118a914af3f8ba6bc3091b4daffd41d76044b51ff97c7bc5b306c98b511ce6

SHA512
5b8e8eab18bba5761a25aa2a6702a94906bf033e390e7252a40a74c1340692960f469ce896a879dab75285cd15b155be6ac7a76f78b94855191ef8343736d1fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d6f72689832ed10f427a709c501c044f

SHA1
0f9cb720d3aab6ee13d1a5b1d7d58d9917044bd9

SHA256
55bcd7aabd547510bbbbdd87ff1514e1537ff913c3c88b555c5cfd24bfa9fd2c

SHA512
c11af5ae55807f55a1a3d1b415948a31cf623e23f74f5e1dbd190cdb95bc6db838f03a71c0a2acf6e9a196276c601d2870aabe97e5dc0e11a02058724c7ccd62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d714a8a73aa7bb26c8258bf4d925740b

SHA1
76a23df889e78635f0bcab160e13336fd99f14e2

SHA256
eb4ffbf55f25a8c8454421ef9e0a57f74050009e13343739b6411e620976bc5a

SHA512
dc464fcf6bbc343709a17cd345c3cb62ff6d1dc655c05e346bd45c7880c2fbe2c0d56e89cf55df6745bb2c0de2be3e5109edb4034feb694863cec7a7d724acb3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
06258fe0ed2c1dd4ed6911ff684a3e41

SHA1
24eea9ca1a731d5fc54fadddb5d77583cb6cf1f4

SHA256
e2ffbc6206298e4d1b39b17c9cbfdd071ae583ffb03d3b1130d0c360f18978b1

SHA512
2f0721195dc15d327304f853ec878a99f44fd9a1cabccdb00200c0c54d4680901af591785f54bec8be0c54a243c5ebbcb1150ca964877f5e1517a7baf3927fcd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d2aa7769ac8f98b8089d5234949f37fd

SHA1
0ef238ac46c92bf8dd0cabe453fcbc378fb889ca

SHA256
66a55944c2355a504c201b07fc3ac93fecdb022f95c0c5ac4e0a4270c2da9172

SHA512
a899725aca767d1ddf5674f53df3175113e50404b9b267ddf8d265f9e15fbe96919a4dc995072371385a34d92bc5e650c261201c5cd82363d582dc61852234ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fcd80ef6c662adbf6b66e7512729a064

SHA1
03c9b6fa3e7e688052bbf43e7a7221c17b5e41d5

SHA256
14d1b8a83fbb57fdd5bfd1afc663579a31d64208f1f9623f608c3929a94df2d3

SHA512
a0a694d239a550e237316e515061b287556b11299647ff9dbf58a9e4e97c4a177470808cfb3bb48dc31c5b5273e351e3c2053924f167be4767cd48a76ed24092

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
90b541030ce40ec996bc79052633d854

SHA1
d747576fe50ab0da28c01311560f51830468e467

SHA256
c250ace13263b4beed4a9362b34d276fa1bbe44750e2d3b133a75f904ab2c4bc

SHA512
d3c623c263b8e5d600ded2dae296e1504cd47330fbbb2266dc9e2e033c4070dfd588794f9d4ad7a7506a0566f1455d3ed9291b465553db8316e8505799deeae1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b2641fc83f5e68500c3313234b9a9ccc

SHA1
f17b9a5f4ccdb4f6cfd814d862a5a05ec50a9182

SHA256
da1a4ee2db966c059c1677b600f5372645b3cd79ae4cc72a455d077ff5d90f17

SHA512
c3bc362e9885cffa0333f1bb844cb1cb96906bc3ef83becfa3c941bccbdf7f781df3bee74115438fb31f11ddae871a45ffb9b69f277a3e137f88da768c3ad5ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c9ce506a919dd4780fce25fb69719fe5

SHA1
c35c3b1728c35edfe872369a6f172593b0837fa0

SHA256
64f1130b136c94371adc88acf5e26dd68c37461acb29109b7d2b42f5d747b7ca

SHA512
1d523bd6ebab16f99777b5857c50938a20eb44bc967d72692d60ae36bbd1dde7f46d5bab9d89ec4f36b78ee46988e2fbe9e22f4dbea04ce807b7a9dc6e335a48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d1bfbec10162a0d74032057ae9a583e4

SHA1
0367b1f66ce1934e4526b2d6e7dad7a71d1c0fba

SHA256
ee94c97965ac17544b04bfdc37357d3ac090f8a312c3288e74c51dbb5c869ab9

SHA512
9d3e87f348f36ec993c324c1c831d2c0caf8da1d993776e0c49b0dc47d4c2a1f4003b03b2bc685f298947f2e35ce82e32e84afa34a0c7ef574f1657947f92730

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
13875e450fdfffd6eecc7bee93377fcb

SHA1
d1bc6af2c67469b9a4b92c0774a3c96861d8f7ec

SHA256
d40d9a9685137c633989fcce4243944d1c25d026e354205825518344daaced79

SHA512
e9eb9584eec87b8a553eb953d57b2a4c29ddf237c88ffa568b67326b80cd4c0e0e6ee1cdbe22259452c77b3c30b184e7f4fe74ff238b4270d62da25843170998

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
58b1233916d8eecb24aa0d21661e1baf

SHA1
75156362cc493972ca50c93f5c960a302a33b7c9

SHA256
652fd9cd0288bf2eaedd91ba506c6f03c094d6944c5ee35ba10893f1bfa52efd

SHA512
1bbe9b3cb4c01b886623754156eb5c9237e0ecb26c55bb508efb0ec7c4c1cc4b29325e80ce0ee3ff38c713a605501de30abad4f28fbe047d54c42e92bc1d7008

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ba48ac474b43ebfbf77120a68adb955

SHA1
76e7c4df60198da92d51d58a8d6eb97cb3c535d5

SHA256
160f13563470442b887b059bc0fbf85169138f5e7e4252d725b37b3fda5686d1

SHA512
fd225873b054d5ec8ff6133ae57156447868108c1db8c703cdeb6a667bec36fc4e094a1a5005de145ed8c5600f6fb5519d2dcc9afae92ad90ab049eafd0b3951

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4d63653463bd69ad08c689266b5d9de1

SHA1
adab67b7c0ad87e6e06372eae660b045e7db84c8

SHA256
bcc400b913b9a40af997179b63cf4b2b3b06efd6543b700b439ccc8f572666f4

SHA512
3acd2efa2617a4c81e15dedd6630d07125a686ec8b7733cb02d7d54e9be37fb84843a6a73a307b5d70f2cc84247d25c949151ae0f76b2ff222eaa49deb65155b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
484da4b5fd1279bdfd8c175ab45e7334

SHA1
c02de94821bc1d1493c6d4aab1b52b9fbd7e247f

SHA256
78958cba1ecdf8b6db51debd6f5f474291bae3750d7ef13efd1b3f751236bec4

SHA512
9ab61318c649c13cec444ad826459f1f3fe40696c53e6f2e807255d03f7af25b76cc5f8e240c61281a2bd6e696dfed365e38c072092d4fb7fdc9446eea635251

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
03186710a114d5412ab8a5b209d64c30

SHA1
6af110dcfbb7865b5c3c932a5e017c4b7f6b8c53

SHA256
e400cc9124cc2b17002353a16edc33b76ec8b7cef6bd43f4839cf485d0ef87f2

SHA512
bff4f9b05716eaa6cf638f4a1f5c382493c7ac9556ec773859ee3f4e10a827d7ee786bc6abbddf9a295cddd77b2cfb573bedc33dbb45d6ca7e63d766ce10c83a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c67ac5b1606bf34321b440b14e5d7cfb

SHA1
9280423cf3c94cb67b5f7045c586cc17fe889745

SHA256
6e8627b2e2e7cdf11cbea4aeec94b7c8322c415211b87b4fdbd0260970923008

SHA512
b9d9db2bc90676d5bc235e53cd86acae895428355267500051a0e66c127485d87d402a7325c0ef22b378200ba61b586cef987be350679abfa880994138a3bf4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3f4cf6d9df86f1b80ba854599d0680e3

SHA1
3261ce7228fee96f24dce04d8aa8c4aec6cb197d

SHA256
c2ca351bcb8c94d4bd781706b5b206da97edd25fd80bf1e1f75e9dba29da8bc5

SHA512
c0723bf7dcaa45e62ac996541e3e0af880b9794335cff320c48837ea8886eea16775be8f13e42991f22b0170f2d6f7ae6d7ae62bd2014f8abfa4ddf8772f3155

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a3b517d1b5c3ab0688861251f67679ee

SHA1
a2ef1b94845e094b26814b8be223f0b97cfe079f

SHA256
9d83e56f1ad79915b96193100107e22039bcc500ea8f31ea9f5764f8c26c4c37

SHA512
1a1e5587907b4caa30d63d3592215aa10e2db6cb2fc2b500d5947c3b8629ab7b295bca233cd52272b18b184a5202252bdc6dfe7fad1da6b5c2588987f89723f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0beddb15ccdb528db806378fad6bf593

SHA1
00fd08303388a7fbcce02d59b620278b0ea72b6b

SHA256
dacaf11c5610a1d9e97530b543cf9afdba0c099980b69701015b215fcdc6c7eb

SHA512
97cdab82342cba0044e931b8103073ee937c6db8daea7d9e863a7f81782b1b015c6be96d89a62c0339f0edc5294deb3a6894b5125bd2daf6cdc2e695a3068ab7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c78f6e5900fd339f9e8ae23d7e6b4ef

SHA1
7785f21a8fae19471121872ca5f9bfb8c8beb3d1

SHA256
7c3586e1c39d139bd5808028d85958d91c479f1478ab0931f7704685502cdff1

SHA512
9b0cf5722ec9931910ccb4dd22e300b21842bd8bdb362b3a15eba60c3bffdb2dc36c7f6009cda8204862a778ff93c8a963ff1d47e2d57166b0147a76925fd743

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6990632046719e0f2db7b4b4db02c673

SHA1
531d48e0a90c631cd09628d1e520984914574f3f

SHA256
961dfbabe0128ae86078367083b8e82bfdfca9d1cc88dd8abc550d69f941825e

SHA512
f5b38c901accce9f12cee0f28e12441e66559cee21c4a448e4084808252ee4abdbcc96717bad95f31d948a707658e0e57ecac572a3141fae69d3e26ec8bc2a8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e464974d8439860aae27994198013304

SHA1
ebedc7e9bc6978cbac40d26251682e17a81f3cee

SHA256
744c2ce495d5f22fa1cdadd7b37c24f3199396dee8fe8c1db27f91b732744dda

SHA512
79dff397f08c2ecd7aeb88d6334c9b5556fb3e2953a695eb3493c03acb3b07f91e3d293d13a8b264697ace04a5c1e435c30616a384ed9e6573ceb9b677c41a3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
880ab493cace055402c5a2598a78d721

SHA1
e43e39eaa060a533a65371781f252db578d98365

SHA256
fa3130a7aeaed22b9cd595b64121aa40d38e3bec4af344d3a8f2f29a80fae21d

SHA512
78cf933122469377cc3a1214abd1332d28580eda8a502d18c91387d8cec573fea1bac6a1e9982be33d2597ba3055c7b607c8840e1c1369964b9f74591a21afe0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
69e9bca27ccce07abb622e4c0986f84a

SHA1
1f8218679d157722fe8d5207f4ce73c57d251cf4

SHA256
c490a06bf7fa809e95b18be63b79ecdab3a9c340f8f2f873460468f1bff4e3ad

SHA512
be8c2502c2138052dab358c0097739261f4672296297d45269b2ead2f325a78f071a3981b56ad71e7d4335b9166e508d01caf8344c5eee932db7d7d9aff55d23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f51901f2c9693bd523c83a76fbbd473a

SHA1
8b4607686b058e07aa0cbf9f483de9b280a08579

SHA256
db60b5ad3e3fb6be2b2db6e3c7ab4ff1e85f47b62ccbbe18e97c83d0ddc3fd13

SHA512
220289cb6a16558d4a9e2e1966a93633354e184adc514ed7b6359e86fa2d20bb255313bc0c100632511ccb1c5214576d0aedfb88822d8f8faa6fceb554e724f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e761bec619af7344a228127b2966f0ab

SHA1
f561ff3899ec5bf3231b918e36b544e4e4e7f3dd

SHA256
dbc9bcae858747c0b7a4b448d3d3e2c6ef1f591c1eee5e125986306ad83ab248

SHA512
460f24453d612b50bfbe7c682839ea7afc8aa3c379ff52e3ab7e3ec7c1b9e0158ba05a8621c3e4380acaf0f3562894caa167ad3a24c8c864eb010eb6cd2ebbe1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7eafff209885fdf52724a42b31b40e5e

SHA1
930f4081ca57deab9cab722444335cd8af15d728

SHA256
2f8a682cef980be475c2eaaaa44ec7091b6d8d2aa898368bb249ce2bef68096b

SHA512
b809293fbae59cb0f32d14aa42085f162ad6f98333dc8c66ebcba286b8f1837f0f4deac6e0223ca1952c237f531af5c401188472476f0bf9f1208141882fbc7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
870e33b1fcfcb420f9fac4fa4068e94e

SHA1
901a8079756ad04daf028841a91ba7ed263f5843

SHA256
3e905d196895aeda2b6a6cedd048cfaf987253d3b05adf165bc3468aa8edef19

SHA512
e86464f4a949b9a7ea2c386e632bcc3463f669a2e0f80b356d54c2f21784453623caa368f93f9c04e5f338b83bf921fb2a148f0bf196ebd113854fd3c6492811

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c4ee40bf9e83bdd0170ac4ea02a2fe5f

SHA1
9c181a21fc0ae3540f734dfc6d77fb8d7249ebcc

SHA256
63fb90cd3a3813cd0d275a921748ad3c66c8e8c951b1ce58ae92e1c5231b327e

SHA512
3c14c09e9ae527d6170170c8dc0dfdceada85faa033a9027e82d72c578bf8d58c4d3b59872977028e1c960091c5c378d4bea5b259cf1c3800e6129d39b85ad76

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF3B4.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF3C6.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports\settings.dat

Filesize
40B

MD5
bb5224880aa2419382005808e29ae3cd

SHA1
26c2f1e18b8b9dfa631252f2e6315bcb35174715

SHA256
091cb2bb96c78cbc044238c9cdbec24728149aceb0cbd05b3b7904d82639fb34

SHA512
7fd2dd82f6c1370bc00e2523e23b0fa3d9d64a8263594723b745d9b42f1ce090bdc6035fb62cf42fbd0f5fbc12019d1e63aa5e0ceac6c8562d95edc973a43b18

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\b9061cf3b71753e617b8dd2c75d7e963aec9189a4f2897f5b5cee4789c06835fN.exe

Filesize
6.9MB

MD5
b7a0081334c82f3e2c579d65b2443e07

SHA1
46b0ed443cce9307be396d19e8f350019b8b779d

SHA256
285191f5af9d6a208f4b54a3cfad982734c9d26fa961d1832cf20b9c7956bc44

SHA512
f265857bb180ae79e535eda7bac10b4b428be01c52a428fe34bfa9675796eaa046bb277d52cec78fec1277770831c11378f10d9a40148a357fc4ed5aa74431e7

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2412021331416852716.dll

Filesize
6.2MB

MD5
071687a7b77151aa47f466cad40b99b1

SHA1
ed84f2c6b5dd59c0dd31054694782fa24e2ba4f4

SHA256
d33e0f84b18a2d60cb1874ab41d62d85f54faa2d89fe86b6c8b54e9f1f197f71

SHA512
668ddcbf1216504ab1702f57d5e2cc91421cbcbed554db10e5b5250b7da241ba5bc5c4b5a85b67ed04ea6d1d0efbae409bd086952617050a37cfda34b7d1f8a4

Download Submit
memory/2272-882-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2272-1542-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads