neshta | 0978712dbec1d91834dea2ca5f5e2115f32ab576ac57d40ff0a1ea337fecdae9

Analysis

max time kernel
146s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-12-2024 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

massexe/Massscan_GUI.exe
Size

374KB
MD5

2b32e197224207df4d688f00f79b2c51
SHA1

02c04f489f8566bcf661d159a36b3eb34934af5e
SHA256

1d7b3e6f89d5e2d1b6e25d3e2542fe5d9caba93646275f5c62e93dc42e48e805
SHA512

fdc38ea555a51e2008dbee0f8f85d01a20235dbf7fa615bd79f1711afe12d758b206356849b7784f600e5a95f782b472c6e1388efcf4a254ce646deb8ab6b08f
SSDEEP

3072:sr85C+56z456zB56zuIXk89V756zMVaxe0aX5Cw9j:k91j8Xcanj

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0001000000010314-11.dat	family_neshta
behavioral1/memory/1812-90-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1812-96-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Executes dropped EXE 1 IoCs

pid	Process
3060	Massscan_GUI.exe

Loads dropped DLL 2 IoCs

pid	Process
1812	Massscan_GUI.exe
1812	Massscan_GUI.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	Massscan_GUI.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	Massscan_GUI.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	Massscan_GUI.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	Massscan_GUI.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	Massscan_GUI.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	Massscan_GUI.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	Massscan_GUI.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	Massscan_GUI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Massscan_GUI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Massscan_GUI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 45 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20729eac2048db01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f082e965bf66d543b823914dc4d94cc4000000000200000000001066000000010000200000000e98f10b439a09bd649f5145eb59078d08cf20cc0d6373c73412b386491c7528000000000e80000000020000200000009f1cfe2338acb579661aba2fc6a0f37816fbe5e82175501a27a2f2f967ef844090000000113f9421c2da66fc87720e4faa48a35da6c798fb7b3b80ffc14016aef72cc108e9aa52c783634ff0eb663b5e92ec105123e580c0e3036349fa400be4df5d498bd6979820eac3d18a5a8da489cad6d08193127e558adc4e4753724a263612fb550c4406a0deee8fc19afaa19f9fac22ed2b4a2be3bbd86ac4980364b24d3e30b1c8e3ba5e9f264bcbd0492e64a19de71540000000234d9606914f7aa4413aab0ec3257aaae20ed3a5c5a9344b133558e0c5accbfe2c90240473799139509448cc553c45514fdb4d34741e1198d2664e0f05858d23	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439680170"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E5D21741-B413-11EF-87E3-523A95B0E536} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f082e965bf66d543b823914dc4d94cc400000000020000000000106600000001000020000000512717c275eb185941d4f99bf50f574b7ac03c727530e651853b0a79ec8466a2000000000e8000000002000020000000bfc91d039b0131f0d619c1277f958ae21a9940ff95cb7071bdb9040d8edfe007200000005ffddea46238c2773e1e47c6bdd694a972c518cff0ae3e23c75d66619444fc2340000000fbdd91802ec7efd0e6f6df14cc5dcf64d5a05ab5c46845370508bca521321bf8cdc481b8cd78d2c30097a65a0868ce45556c73bd2cfef8e04aa0e071d9558351	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	Massscan_GUI.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3060	Massscan_GUI.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2652	iexplore.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2652	iexplore.exe
2652	iexplore.exe
1808	IEXPLORE.EXE
1808	IEXPLORE.EXE
1144	IEXPLORE.EXE
1144	IEXPLORE.EXE
2464	IEXPLORE.EXE
2464	IEXPLORE.EXE
3008	IEXPLORE.EXE
3008	IEXPLORE.EXE
1808	IEXPLORE.EXE
1808	IEXPLORE.EXE
1788	IEXPLORE.EXE
1788	IEXPLORE.EXE
1144	IEXPLORE.EXE
1144	IEXPLORE.EXE
2252	IEXPLORE.EXE
2252	IEXPLORE.EXE
2464	IEXPLORE.EXE
2464	IEXPLORE.EXE
1704	IEXPLORE.EXE
1704	IEXPLORE.EXE
3008	IEXPLORE.EXE
3008	IEXPLORE.EXE
2320	IEXPLORE.EXE
2320	IEXPLORE.EXE
1788	IEXPLORE.EXE
1788	IEXPLORE.EXE
1940	IEXPLORE.EXE
1940	IEXPLORE.EXE
2252	IEXPLORE.EXE
2252	IEXPLORE.EXE
2848	IEXPLORE.EXE
2848	IEXPLORE.EXE
1704	IEXPLORE.EXE
1704	IEXPLORE.EXE
2320	IEXPLORE.EXE
2320	IEXPLORE.EXE
2692	IEXPLORE.EXE
2692	IEXPLORE.EXE
1940	IEXPLORE.EXE
1940	IEXPLORE.EXE
2848	IEXPLORE.EXE
2848	IEXPLORE.EXE
2300	IEXPLORE.EXE
2300	IEXPLORE.EXE
2692	IEXPLORE.EXE
2692	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 3060	1812	Massscan_GUI.exe	30
PID 1812 wrote to memory of 3060	1812	Massscan_GUI.exe	30
PID 1812 wrote to memory of 3060	1812	Massscan_GUI.exe	30
PID 1812 wrote to memory of 3060	1812	Massscan_GUI.exe	30
PID 3060 wrote to memory of 2652	3060	Massscan_GUI.exe	32
PID 3060 wrote to memory of 2652	3060	Massscan_GUI.exe	32
PID 3060 wrote to memory of 2652	3060	Massscan_GUI.exe	32
PID 3060 wrote to memory of 2652	3060	Massscan_GUI.exe	32
PID 2652 wrote to memory of 1808	2652	iexplore.exe	33
PID 2652 wrote to memory of 1808	2652	iexplore.exe	33
PID 2652 wrote to memory of 1808	2652	iexplore.exe	33
PID 2652 wrote to memory of 1808	2652	iexplore.exe	33
PID 2652 wrote to memory of 1144	2652	iexplore.exe	35
PID 2652 wrote to memory of 1144	2652	iexplore.exe	35
PID 2652 wrote to memory of 1144	2652	iexplore.exe	35
PID 2652 wrote to memory of 1144	2652	iexplore.exe	35
PID 2652 wrote to memory of 2464	2652	iexplore.exe	36
PID 2652 wrote to memory of 2464	2652	iexplore.exe	36
PID 2652 wrote to memory of 2464	2652	iexplore.exe	36
PID 2652 wrote to memory of 2464	2652	iexplore.exe	36
PID 2652 wrote to memory of 3008	2652	iexplore.exe	37
PID 2652 wrote to memory of 3008	2652	iexplore.exe	37
PID 2652 wrote to memory of 3008	2652	iexplore.exe	37
PID 2652 wrote to memory of 3008	2652	iexplore.exe	37
PID 2652 wrote to memory of 1788	2652	iexplore.exe	38
PID 2652 wrote to memory of 1788	2652	iexplore.exe	38
PID 2652 wrote to memory of 1788	2652	iexplore.exe	38
PID 2652 wrote to memory of 1788	2652	iexplore.exe	38
PID 2652 wrote to memory of 2252	2652	iexplore.exe	40
PID 2652 wrote to memory of 2252	2652	iexplore.exe	40
PID 2652 wrote to memory of 2252	2652	iexplore.exe	40
PID 2652 wrote to memory of 2252	2652	iexplore.exe	40
PID 2652 wrote to memory of 1704	2652	iexplore.exe	42
PID 2652 wrote to memory of 1704	2652	iexplore.exe	42
PID 2652 wrote to memory of 1704	2652	iexplore.exe	42
PID 2652 wrote to memory of 1704	2652	iexplore.exe	42
PID 2652 wrote to memory of 2320	2652	iexplore.exe	43
PID 2652 wrote to memory of 2320	2652	iexplore.exe	43
PID 2652 wrote to memory of 2320	2652	iexplore.exe	43
PID 2652 wrote to memory of 2320	2652	iexplore.exe	43
PID 2652 wrote to memory of 1940	2652	iexplore.exe	44
PID 2652 wrote to memory of 1940	2652	iexplore.exe	44
PID 2652 wrote to memory of 1940	2652	iexplore.exe	44
PID 2652 wrote to memory of 1940	2652	iexplore.exe	44
PID 2652 wrote to memory of 2848	2652	iexplore.exe	46
PID 2652 wrote to memory of 2848	2652	iexplore.exe	46
PID 2652 wrote to memory of 2848	2652	iexplore.exe	46
PID 2652 wrote to memory of 2848	2652	iexplore.exe	46
PID 2652 wrote to memory of 2692	2652	iexplore.exe	48
PID 2652 wrote to memory of 2692	2652	iexplore.exe	48
PID 2652 wrote to memory of 2692	2652	iexplore.exe	48
PID 2652 wrote to memory of 2692	2652	iexplore.exe	48
PID 2652 wrote to memory of 2300	2652	iexplore.exe	50
PID 2652 wrote to memory of 2300	2652	iexplore.exe	50
PID 2652 wrote to memory of 2300	2652	iexplore.exe	50
PID 2652 wrote to memory of 2300	2652	iexplore.exe	50

C:\Users\Admin\AppData\Local\Temp\massexe\Massscan_GUI.exe
"C:\Users\Admin\AppData\Local\Temp\massexe\Massscan_GUI.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Users\Admin\AppData\Local\Temp\3582-490\Massscan_GUI.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\Massscan_GUI.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://www.winpcap.org/install/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2652 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1808
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2652 CREDAT:930824 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1144
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2652 CREDAT:275473 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2464
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2652 CREDAT:406542 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3008
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2652 CREDAT:734237 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1788
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2652 CREDAT:603170 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2252
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2652 CREDAT:3486748 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1704
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2652 CREDAT:275514 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2320
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2652 CREDAT:3617862 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1940
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2652 CREDAT:537701 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2848
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2652 CREDAT:406584 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2692
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2652 CREDAT:2765879 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ae617ea9888027f8280152fed335f1b

SHA1
30ea084930ccb608d3bd3e70938585442bca6fdd

SHA256
f1c764fc90eae8bf3a4333a391de9243dfc9b1a76ded651dd02eae16d8cdafe8

SHA512
4da0eae9675c59b82557843e44503218d5324786a4e0a949970f867111be86042faddc134ab6be59ca6a319b934a9e272b6270a3da1d4eba62ea47a0deb1f254

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5087bee30f63531eabb781701097ba29

SHA1
d3b11f074578ae502e12868d3f64a0aa0122c597

SHA256
5629d06132842b87d5768de2933bf8f825b2a456e394bd9e4f47a08c6ff453c0

SHA512
dacd504459d8464d5faf16db3960639b94cf4e9faeea4e7f6e6a28e6021174938b1783e64b04a634651ca07e477e21cc98c6011faa4e73f4b02687cf748b3fcf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fcf329574dc9c2adbd90593c03866394

SHA1
f194b4755eda0838443e38a4b8922878aed5eb83

SHA256
43c8b9db1f1bd0fa533e02bf23c423d75412912358b56d52edb08fa72d18b306

SHA512
19b64f78e0bc789e8fb175ff79971aa4b87f1d81671ab83494a96f19cdeac73a8645660a02c9829943bda6483a0347435e9b8a0fc9251543bf224327e3779a30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f2a544e912dee90d23b6b383ef7841d6

SHA1
af5ace7d5f88216bc101311b1ded8b91e8823d36

SHA256
e7bb76b53613b231f16730cd7dcce4e1b14030316dcb91f8c016ad24ad44a46a

SHA512
3cf58449cf995de6e3218744057d1a092bdcbd74f3506c963a4151a8fc3c31e316e16813864b5e730dcc0428f6124ef2ec9889b6f1dc7b3cd3662673743a09ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d5cb36e5d1f797fbebbe3b759078a450

SHA1
e0472a3b35537dab9dc27d88e4722318a8a28b13

SHA256
2c784fcb8493405f99eed968b7e27107cf99ef838cc135d63174f73185b69403

SHA512
8f1eff963248e3ce0ce5a7e674da4abe45fb1dbdecc8e1bc39a84bdf06871f41e6e60235a6d4f76fb30db230eb03ee793b8c913155aa876eb0a9679151ff5c79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9da20bbfa202aa67300555da9657b6db

SHA1
c040109ca90bf0483d3009643a94ac009af171af

SHA256
c41b88c29ee9fc7c54096c743268110957401ff04c75f326070d869f5db4787e

SHA512
171ea5f9176831602110cdb84647f2f648b0ef1a8b59a45453d59f94bb71c967649b62a22e58250522277d10eb8cdcd8c8e0e1ce9c29dbb06db58dd85b49e79c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
676dd3afd249ba660f25e087366c51d8

SHA1
85810c8173617707004f0e5b2e967e42d7dae07d

SHA256
187cbfd65c0491e15480ac99fa75192b47cddf6d4bffeefe604fc6b663055a68

SHA512
2cc8aebf1d29f2b597a981c729eab7ed42680f45e9337beb2132bbee93089a1a3ab871dbcf7180a46a23ac979da633e678396f363780cd1e18066d04d944a77c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2166640440fcfd671533846ef2b3c173

SHA1
fe5fdc6512b01f41c321bc09fd79b948f944e081

SHA256
bcf8fafcb60e2a04f87124945227ed8b88474e6769fa4ba80ca80664b87f8a50

SHA512
143272a2fcc5ceffe8171f8a5bdfc9141ab49c399146d2e61d9d97f80f77177fa476fc85e42436ffbeee0aa83b2387d6b810ae8d45cb7b7b7a0559876c2c22ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ecd3ae6d595c8741011c9cde558c8573

SHA1
86568f2fac0764a7dfadfaf0cc1cb22690262527

SHA256
5776870dfd12414d62c5061e20ae23bd0072793ad6cdbfa05c94dac743923245

SHA512
247776d3f03f7201fd6e3f08798677f824229111a5b1a458ad9dced6e9471fc4d721da683a889707062ad0cb8ac205608e8a33b2dbf8b82905f98eeb2cd8e3c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4b62405ffb629751dae2e599aea8c65d

SHA1
ab2b1bb5b2818fab5e4ebcd4ea944ae76a1f9c76

SHA256
60c335121d07d832808f8cda10fc601ab52dcea9c2f0b5a26efc6e2b56124589

SHA512
7df14012fd5f8f5eba56d91ab958f30ad2fcd385ef7a87c2a8be41ed5c91ae9ada25aa6bb84f4ec5680dbd05b8877650d787f662cfa1e4294e72e59594c25688

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3449f5886325e9b7ab166d6986da14b7

SHA1
d944d58ae4dc42e5b23fea82ddf57e5e1dbbf751

SHA256
5bf262adc1bf3f52c088332cf2e0e25c803a3c6b2c0dff4e3b355c2d4fbef046

SHA512
97a77ec42c1e747992f1d56765aad51b3af131762c9f3f13baf63e9106fde4528655c4fe56d665d387c2dc07d945193802717398c8e713d6c7662b570ca7c993

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f39a9a155f998d00c80b720cdd25a1a5

SHA1
ee9e3b695a9b8be14f6a2967cd55932539fa3da1

SHA256
67e831100fd3caad1102df2e990b2d73b36e79e4b8a75eef5f8a39dd35fb4b49

SHA512
99066bb9b5e60057e69de7d7399d70de0d8680a321ed38eab90448cb23bbb6878de20d1c849cecbbccb3e99df89f100d451e489e146c0d97d97e189b46073c4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c70339f2710acb5f0e19176a5ff2cd04

SHA1
d3e7562f69e582741c56379f0a6064e3e867fe23

SHA256
7ce3a79f767a938ec67987b236e6cda92753179c2ee0c4f3ce082ebe70bac4d6

SHA512
68d66c60107a919f11ce6f8f8aaf99906ad2fe59fbf9ce8b022a1408b0038d0140ff611707e0e70feefa3c0b423b5ca7552b66e76ff281317488cacb7f96237c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e964f08154ac5ce96bb282bd39f7918d

SHA1
2854d7a186b1afbce0fc22047840d9dbfdaf364f

SHA256
144c91e93a2b40d2c01e569a0d72a591f8d0c961d84d640b4de7595e0e7cf0a8

SHA512
201d9d39cca91deb9b0620b996043d54102c53f2192f0372169b2efe9fadb991da9f0557102f76676239d841e0798e31c1b5a9013c95345f56247a9c21f4c092

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9488323ee964d20548e661a151f1ed63

SHA1
c9faad195db4002bcef92e48d931ff9915e45b08

SHA256
848abf424cdfff660feaa8fe7d7d4054f4d7f90cdac0296487d47c4866fc98bf

SHA512
bb863ef6b61d64df4106b3ae22388bd42aa30abcaa78a5da9e56a2e4a7cde22c4aa90bfb65835d2dc6ef89852d0a22209489c0143ceb3ef97e3eed17f48b22ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c1b603dbf0f71f733d9e065057bbd522

SHA1
b8c4bce5a6bd21945d2dc4bbd9cb902f9e009dc5

SHA256
4af8c72f0024ce777473a6a8baf1c43da409fc0b8a967dfa2ba145e78b1ff70a

SHA512
a163066621aec2e4d11775a074c13d0b92103da5bab5d96f87fc284ab4ed074cc6c25bbf6362709503bacf70d6e8b8b06d71cae9795d7db4099fd7dda76c1e67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b527db9e03a3b1fdc7cc85f64f86d1da

SHA1
153c79131a2645b42a13bfe6b1d989f21f7c48c5

SHA256
295cd9b0e2049530c8fd04daf5bc3188d69442f11ca5dc704eda764053f72200

SHA512
2e26d7c4b960f2f1044dbb98496872b7b893be4ac5b396615d11e5592bd04216389061580b330ec4525e2878624f184f8dbccfbbd6628d46b983571376789821

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7494ae22b6116552a0f3161f45684581

SHA1
e959d9e85cd1b710d40b6df9c3e23be2013c8d2f

SHA256
b6c40d825284e9111467ccfd4da48d9bf45742ad79bcc37544be8e26000e9cce

SHA512
95d2ca18fa08e94499b598300ca47af2fa0a745dd9900021686794a0839c478f157657b7d9aeed82742ee361734e8c6395fd10c0bac34a92cd6bf23908917a28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6354b37d6e9798194fda2bcaafb5bb1a

SHA1
4585beded0e056ba299a4b40812bb1225a60142c

SHA256
6a741daae5bd1c06719000499582136b6245fed29c0b8e7a482d0c06b4e30dd6

SHA512
b3a3f137825b48d03316805c445725a22a62ce7d37e2a2182d4a237b938c696b39a886fae2c41885ecf1800ddc9dda910d558173d1c9116656957f8a16b990e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DJB1KT77\NewErrorPageTemplate[1]

Filesize
1KB

MD5
cdf81e591d9cbfb47a7f97a2bcdb70b9

SHA1
8f12010dfaacdecad77b70a3e781c707cf328496

SHA256
204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd

SHA512
977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F91VN88R\httpErrorPagesScripts[1]

Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KIYAG1MM\dnserror[1]

Filesize
1KB

MD5
73c70b34b5f8f158d38a94b9d7766515

SHA1
e9eaa065bd6585a1b176e13615fd7e6ef96230a9

SHA256
3ebd34328a4386b4eba1f3d5f1252e7bd13744a6918720735020b4689c13fcf4

SHA512
927dcd4a8cfdeb0f970cb4ee3f059168b37e1e4e04733ed3356f77ca0448d2145e1abdd4f7ce1c6ca23c1e3676056894625b17987cc56c84c78e73f60e08fc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPUI9R2R\errorPageStrings[1]

Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab35E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar41C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\Massscan_GUI.exe

Filesize
334KB

MD5
7a6990bf78f3e2e835d3be85a2fea4ba

SHA1
9e2760e0c13d56cb744262b4fdef67e17ee08571

SHA256
37ff328175acd45ef27d3d339c3127a7612ad713fccd9c9aae01656dfbf13056

SHA512
ba2b8cd80613bff44c1624d6a17bae797b81fb53979f6a901850dac5e824483513cd312ff8a5aaa9d5eb3cf5c825785a7a53965692d2fb6274d22b6e62f9735c

Download Submit
memory/1812-90-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1812-96-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3060-14-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/3060-88-0x000000007475E000-0x000000007475F000-memory.dmp

Filesize
4KB

Download
memory/3060-89-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/3060-34-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/3060-12-0x000000007475E000-0x000000007475F000-memory.dmp

Filesize
4KB

Download
memory/3060-13-0x0000000001020000-0x000000000107A000-memory.dmp

Filesize
360KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads