neshta | 70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e

Analysis

max time kernel
4s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
23-12-2024 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
Size

3.9MB
MD5

c52d4fb4a49b05a1f665d2b9a4bb42ad
SHA1

4165fc93089a1b3517088db400963df219af05d3
SHA256

70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e
SHA512

a312ede14b3a771d75de0060a7bb8c97787d99114a828cb8b98d734463bc0ceb365b1677f3e1a3936c24439e5436451c11335f3f3f3d5f1138e4da28f6aed557
SSDEEP

98304:vjmtk2aw3jmtk2aH3jmtk2az3KK3dyaXXNJDWjBKUoLIkPeB1LnPnqn9:v+h3++3+y3b3rXXNJDGiLIkGB1zfk9

Score

10^/10

neshta xred backdoor discovery persistence spyware

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Detect Neshta payload 55 IoCs

resource	yara_rule
behavioral1/files/0x000800000001919c-2.dat	family_neshta
behavioral1/files/0x0001000000010314-13.dat	family_neshta
behavioral1/files/0x00060000000191cf-20.dat	family_neshta
behavioral1/files/0x00060000000191ad-39.dat	family_neshta
behavioral1/files/0x0001000000010312-43.dat	family_neshta
behavioral1/files/0x001700000000f7f7-42.dat	family_neshta
behavioral1/files/0x0008000000019219-46.dat	family_neshta
behavioral1/files/0x001400000001033a-41.dat	family_neshta
behavioral1/memory/3028-54-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2256-69-0x0000000000400000-0x00000000007E7000-memory.dmp	family_neshta
behavioral1/memory/1816-149-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x000500000001948d-127.dat	family_neshta
behavioral1/memory/2976-140-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2220-139-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x0001000000011272-197.dat	family_neshta
behavioral1/memory/844-218-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1648-227-0x0000000000400000-0x000000000065A000-memory.dmp	family_neshta
behavioral1/memory/1704-202-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2996-153-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2968-229-0x0000000000400000-0x00000000007E7000-memory.dmp	family_neshta
behavioral1/memory/2548-239-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2404-257-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/3016-267-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2796-258-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2532-240-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1564-238-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/704-237-0x0000000000400000-0x0000000000720000-memory.dmp	family_neshta
behavioral1/memory/2604-228-0x0000000000400000-0x00000000007E7000-memory.dmp	family_neshta
behavioral1/memory/2960-112-0x0000000000400000-0x0000000000720000-memory.dmp	family_neshta
behavioral1/files/0x00050000000193e6-97.dat	family_neshta
behavioral1/memory/2616-269-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x000100000000f779-64.dat	family_neshta
behavioral1/memory/1928-279-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2728-280-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2664-285-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2648-284-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2444-282-0x0000000000400000-0x0000000000720000-memory.dmp	family_neshta
behavioral1/memory/2576-286-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2760-289-0x0000000000400000-0x000000000065A000-memory.dmp	family_neshta
behavioral1/memory/2892-288-0x0000000000400000-0x000000000065A000-memory.dmp	family_neshta
behavioral1/memory/1928-290-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2728-291-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2760-294-0x0000000000400000-0x000000000065A000-memory.dmp	family_neshta
behavioral1/memory/1928-295-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2728-296-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1928-301-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2728-302-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1928-306-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2728-307-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1928-311-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2728-312-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1928-315-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2728-317-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2444-321-0x0000000000400000-0x0000000000720000-memory.dmp	family_neshta
behavioral1/memory/2892-322-0x0000000000400000-0x000000000065A000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 13 IoCs

pid	Process
2256	70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
2728	._cache_70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
3028	svchost.com
2960	_CACHE~1.EXE
2604	Synaptics.exe
2220	._cache__CACHE~1.EXE
2968	Synaptics.exe
2976	._cache_Synaptics.exe
1816	svchost.com
2996	svchost.com
1648	_CACHE~3.EXE
2444	_CACHE~2.EXE
1704	._cache_Synaptics.exe

Loads dropped DLL 26 IoCs

pid	Process
1928	70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
1928	70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
2256	70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
2256	70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
2256	70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
3028	svchost.com
3028	svchost.com
2256	70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
2256	70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
2960	_CACHE~1.EXE
2960	_CACHE~1.EXE
2960	_CACHE~1.EXE
2728	._cache_70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
1928	70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
2604	Synaptics.exe
2960	_CACHE~1.EXE
2604	Synaptics.exe
2604	Synaptics.exe
2968	Synaptics.exe
1816	svchost.com
1816	svchost.com
2996	svchost.com
2996	svchost.com
2968	Synaptics.exe
2968	Synaptics.exe
2968	Synaptics.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	_CACHE~1.EXE

Drops file in Program Files directory 49 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	._cache_70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	._cache_70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	._cache_70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	._cache_70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	._cache_70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	._cache_70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	._cache_70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	._cache_70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	._cache_70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	._cache_70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	._cache_70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	._cache_70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	._cache_70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	._cache_70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	._cache_70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	._cache_70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	._cache_70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	._cache_70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	._cache_70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	._cache_70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	._cache_70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	._cache_70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	._cache_70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	._cache_70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
File opened for modification	C:\Windows\svchost.com	._cache_Synaptics.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\svchost.com	._cache_70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	._cache_Synaptics.exe
File opened for modification	C:\Windows\directx.sys	._cache_Synaptics.exe
File opened for modification	C:\Windows\svchost.com	._cache_Synaptics.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache__CACHE~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_CACHE~2.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_CACHE~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_CACHE~3.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2868	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2868	EXCEL.EXE

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 2256	1928	70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe	30
PID 1928 wrote to memory of 2256	1928	70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe	30
PID 1928 wrote to memory of 2256	1928	70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe	30
PID 1928 wrote to memory of 2256	1928	70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe	30
PID 2256 wrote to memory of 2728	2256	70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe	31
PID 2256 wrote to memory of 2728	2256	70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe	31
PID 2256 wrote to memory of 2728	2256	70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe	31
PID 2256 wrote to memory of 2728	2256	70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe	31
PID 2728 wrote to memory of 3028	2728	._cache_70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe	32
PID 2728 wrote to memory of 3028	2728	._cache_70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe	32
PID 2728 wrote to memory of 3028	2728	._cache_70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe	32
PID 2728 wrote to memory of 3028	2728	._cache_70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe	32
PID 3028 wrote to memory of 2960	3028	svchost.com	33
PID 3028 wrote to memory of 2960	3028	svchost.com	33
PID 3028 wrote to memory of 2960	3028	svchost.com	33
PID 3028 wrote to memory of 2960	3028	svchost.com	33
PID 2256 wrote to memory of 2604	2256	70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe	34
PID 2256 wrote to memory of 2604	2256	70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe	34
PID 2256 wrote to memory of 2604	2256	70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe	34
PID 2256 wrote to memory of 2604	2256	70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe	34
PID 2960 wrote to memory of 2220	2960	_CACHE~1.EXE	35
PID 2960 wrote to memory of 2220	2960	_CACHE~1.EXE	35
PID 2960 wrote to memory of 2220	2960	_CACHE~1.EXE	35
PID 2960 wrote to memory of 2220	2960	_CACHE~1.EXE	35
PID 2960 wrote to memory of 2968	2960	_CACHE~1.EXE	36
PID 2960 wrote to memory of 2968	2960	_CACHE~1.EXE	36
PID 2960 wrote to memory of 2968	2960	_CACHE~1.EXE	36
PID 2960 wrote to memory of 2968	2960	_CACHE~1.EXE	36
PID 2604 wrote to memory of 2976	2604	Synaptics.exe	37
PID 2604 wrote to memory of 2976	2604	Synaptics.exe	37
PID 2604 wrote to memory of 2976	2604	Synaptics.exe	37
PID 2604 wrote to memory of 2976	2604	Synaptics.exe	37
PID 2220 wrote to memory of 1816	2220	._cache__CACHE~1.EXE	39
PID 2220 wrote to memory of 1816	2220	._cache__CACHE~1.EXE	39
PID 2220 wrote to memory of 1816	2220	._cache__CACHE~1.EXE	39
PID 2220 wrote to memory of 1816	2220	._cache__CACHE~1.EXE	39
PID 1816 wrote to memory of 1648	1816	svchost.com	40
PID 1816 wrote to memory of 1648	1816	svchost.com	40
PID 1816 wrote to memory of 1648	1816	svchost.com	40
PID 1816 wrote to memory of 1648	1816	svchost.com	40
PID 2976 wrote to memory of 2996	2976	._cache_Synaptics.exe	41
PID 2976 wrote to memory of 2996	2976	._cache_Synaptics.exe	41
PID 2976 wrote to memory of 2996	2976	._cache_Synaptics.exe	41
PID 2976 wrote to memory of 2996	2976	._cache_Synaptics.exe	41
PID 2996 wrote to memory of 2444	2996	svchost.com	42
PID 2996 wrote to memory of 2444	2996	svchost.com	42
PID 2996 wrote to memory of 2444	2996	svchost.com	42
PID 2996 wrote to memory of 2444	2996	svchost.com	42
PID 2968 wrote to memory of 1704	2968	Synaptics.exe	43
PID 2968 wrote to memory of 1704	2968	Synaptics.exe	43
PID 2968 wrote to memory of 1704	2968	Synaptics.exe	43
PID 2968 wrote to memory of 1704	2968	Synaptics.exe	43
PID 1704 wrote to memory of 844	1704	._cache_Synaptics.exe	44
PID 1704 wrote to memory of 844	1704	._cache_Synaptics.exe	44
PID 1704 wrote to memory of 844	1704	._cache_Synaptics.exe	44
PID 1704 wrote to memory of 844	1704	._cache_Synaptics.exe	44

C:\Users\Admin\AppData\Local\Temp\70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
"C:\Users\Admin\AppData\Local\Temp\70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Users\Admin\AppData\Local\Temp\3582-490\70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Users\Admin\AppData\Local\Temp\._cache_70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3028
    - - C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2960
      - C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE"
        9⤵
        
        PID:2548
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C1267~1.EXE"
        10⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_C1267~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_C1267~1.EXE
        11⤵
        
        PID:2636
      - C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        8⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        9⤵
        
        PID:704
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
        10⤵
        
        PID:2532
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate
        11⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate
        12⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE" InjUpdate
        13⤵
        
        PID:2616
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
        14⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
        15⤵
        
        PID:2928
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        10⤵
        
        PID:2536
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2976
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2996
      - C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
        7⤵
        
        PID:1564
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate
        8⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate
        9⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE" InjUpdate
        10⤵
        
        PID:3016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
        11⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
        12⤵
        
        PID:2660
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        10⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        11⤵
        
        PID:1996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        12⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        13⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
        14⤵
        
        PID:2980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate
        15⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate
        16⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE" InjUpdate
        17⤵
        
        PID:2748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
        18⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
        19⤵
        
        PID:952
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        17⤵
        
        PID:1048
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        14⤵
        
        PID:708
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        15⤵
        
        PID:1540
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        16⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        17⤵
        
        PID:1928

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2868

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
PID:2240

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

Filesize
859KB

MD5
02ee6a3424782531461fb2f10713d3c1

SHA1
b581a2c365d93ebb629e8363fd9f69afc673123f

SHA256
ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc

SHA512
6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

Filesize
186KB

MD5
58b58875a50a0d8b5e7be7d6ac685164

SHA1
1e0b89c1b2585c76e758e9141b846ed4477b0662

SHA256
2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae

SHA512
d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe

Filesize
1.1MB

MD5
566ed4f62fdc96f175afedd811fa0370

SHA1
d4b47adc40e0d5a9391d3f6f2942d1889dd2a451

SHA256
e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460

SHA512
cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe

Filesize
381KB

MD5
3ec4922dbca2d07815cf28144193ded9

SHA1
75cda36469743fbc292da2684e76a26473f04a6d

SHA256
0587fd366ea7e94b3ae500874b1c5d684b5357fcc7389682d5a13c3301a28801

SHA512
956c3a1f2689cb72600edd2e90d652b77592a8a81d319dce026e88f6c02231af06aebd57d68460eb406de00c113522173423cb1b339a41a3918f379c7dc311f7

Download Submit
C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE

Filesize
1.4MB

MD5
5ae9c0c497949584ffa06f028a6605ab

SHA1
eb24dbd3c8952ee20411691326d650f98d24e992

SHA256
07dd9364be7babc5f9a08f0ccd828a9a55137845df1782b147f12943f234ea4e

SHA512
2e99bb500c281c367cc54fa283905b2537905ea4fe8986f676adbb1aaf58460dd2db082bb46a3dbe9dc836fbae3ee8832990839432dd99c74de58cc9b9295788

Download Submit
C:\ProgramData\Synaptics\RCXF9AA.tmp

Filesize
753KB

MD5
79af256ed72f13c213700baa5ae5e901

SHA1
35e059cd30bbdc6dbb28381d03c31d7ce5474fb6

SHA256
e0d8f2cda2766d782f6605c50083997fc838b602316c65cdcc3a8346d3d4f405

SHA512
6f9ec4575061c9ce6036dfd0b07ce68b962589f7b4f807739958912f57093316407729451bd7561f18f78468d4894096cf4db851a4accf2ccfff6609c4d5e359

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE

Filesize
2.4MB

MD5
1f5d534955b45f48aa0aa00a71614152

SHA1
af3344554a6bd6f560c0cdc0c26692ba1a4cffe4

SHA256
c04a158836fe5ed13b9210b058b66540d85ff22bdffea349f7fb8adf56d98845

SHA512
c61707bb5afc4bfe47c11864f79cd74711e0bdc44685c25310d208288caac7867db80b9c0022174c80cb167b3ea6d19e492f502ef647d54745515d8c20b86653

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE

Filesize
3.1MB

MD5
8d32dd92ca9e5363d62a2d724078cd39

SHA1
dc36085d393fde2cc1fe6aa400f7ec795469c034

SHA256
296bdf7dd95f8c8e21470a00a310feccad92246b823b98de5fb65e864d8dbbf2

SHA512
f99ef0635c7b3624faa571f1aa8ca2cf94ab66e41d23e79f0e49dc96b35eb4425f77ea85d6ad0722e6a52434a607574af9634e3c0a816e12c1220a8577a118bc

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
6b3bfceb3942a9508a2148acbee89007

SHA1
3622ac7466cc40f50515eb6fcdc15d1f34ad3be3

SHA256
e0a7bae2a9ac263cff5d725922e40272d8854278d901233a93a5267859c00a3c

SHA512
fa222bfcade636824af32124b45450c92b1abec7a33e6e647a9248eef5371c127d22ccb7cc5a096b4d5d52e2457f3841293a1b34304e8e5523549856ac02f224

Download Submit
C:\Windows\directx.sys

Filesize
114B

MD5
67af5794086a898ad1e981c54db46962

SHA1
ce8aed93723551c35d135cbe91ea70f3bb093a58

SHA256
921df3b2179baf437f7907ca2797e0bfa026b5854f40ffd3a86501caf2793ab1

SHA512
7b6f616c4d9b00acd5b7b280d1abb64f3417c4307f5a356b9434047746c6060914c355706309e87c6767075c2fe1748cf0512b37211227452e930d722b674e06

Download Submit
C:\Windows\directx.sys

Filesize
114B

MD5
21285e0eaa3f69db9d8a3e7f9510050d

SHA1
9d076802d00454594efee8dffb3f0b6c0ea7f5ba

SHA256
fbe4fc76194dc68755576a56f67a2eba8962d29994f3b2e28a5c8bd6bf6dd7a0

SHA512
d4629b624bb0802c787c0fdb13e0cfc7f4d8c6e5ecff9d35c449c04fa801176b58652d27e494572812d946aa4a6c565f1305b052c0b67cf3249f7ebdbc1c7111

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
56abc40d1e45c091d8afddb90a4ce6b4

SHA1
08db549484467b32b79958700300cabefc659848

SHA256
a43fa861957415e3b0f25e2b54d931961cd309ff1d5354a9362852895b90b3e1

SHA512
51625c015a7c8fcf6fb51d3396aa08d2068772e3fcacaf32c409e82071af4ba1eb2ee94f36c06a98c32ba59d23bbaa6b540f7bd418a9472303cc225151daa698

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
0a5d679189f7c9bfa34e51dcb2a41b5e

SHA1
e07b518a59a4956cf64e70240719b8d3d66467ca

SHA256
edfa93ed09ae3469001cde2d0211071b9cc3a553e80bcb5a60435c706c3f44ca

SHA512
3deb4eb906cee9b78466ed1175688332f09c1eba765778ae0f6e8d9056868dc858fa822f5a55dee3db40eddc948ce66937eca65afbb656f93add79ea0d7e324a

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe

Filesize
3.1MB

MD5
7491474fd2d3a5ea107f659995722df8

SHA1
06f61ad2b50e5049f9f975c838dc45c6590a9d02

SHA256
5fcfff8be382cb1f67b6360169296b03d2e38e6d7e1e0ea4ee7e31440f48e889

SHA512
67b7ae694c07fc27fcef9504fb118ccb0677d1d97d1252dd6c4922e4853b4aab2403198b8a4ff0da540bb0748d4fed8d92cedfa016412a924df1cdbf94955e2e

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\70636c3fd3bdab42234e249084ebada003015df3d943b9d9e3c3cf61dd057e1e.exe

Filesize
3.9MB

MD5
2e47c504c064aa1c9cd0fd67b8e007e8

SHA1
4ba8234c6bdf51f3561a51277aa9616ce386de94

SHA256
3509807ea0dd774ea26bc8c9c48d28c2eafda65a7ec953c0b2f6a52762726894

SHA512
858e5544a1818f33d66b0a63362e3fa34112004ddc8da02d6ec97953e26ceedff1eb93e0ae83848a5e6ee79fcf2c1aa49c98b81fcbe8b3f32f8d3187147a7832

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE

Filesize
2.3MB

MD5
8a4917a261e08ba0ab63328d9e38b55c

SHA1
16d5d00610120d79bea5157dc7cf9b880b0e1590

SHA256
b42d5a91db91ded062f9ae6e32efa664deb3aae57a1114602b4d78e2dd647b41

SHA512
8e81cc29329c455a1556025d766ededa593d545ea497d2f15fc7aaf3e924b4b483d56e897e606aaafabf73c723b0896f247d0953dc1037c3b64c34184d539933

Download Submit
memory/704-237-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/844-218-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1564-238-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1648-227-0x0000000000400000-0x000000000065A000-memory.dmp

Filesize
2.4MB

Download
memory/1704-202-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1816-149-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1928-311-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1928-315-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1928-306-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1928-301-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1928-279-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1928-295-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1928-290-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2220-139-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2256-14-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2256-69-0x0000000000400000-0x00000000007E7000-memory.dmp

Filesize
3.9MB

Download
memory/2404-257-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2444-321-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2444-282-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2532-240-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2548-239-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2576-286-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2604-228-0x0000000000400000-0x00000000007E7000-memory.dmp

Filesize
3.9MB

Download
memory/2616-269-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2636-278-0x00000000048F0000-0x000000000496C000-memory.dmp

Filesize
496KB

Download
memory/2636-277-0x00000000004E0000-0x000000000050C000-memory.dmp

Filesize
176KB

Download
memory/2636-287-0x0000000006000000-0x00000000060AA000-memory.dmp

Filesize
680KB

Download
memory/2636-276-0x0000000000820000-0x00000000009B2000-memory.dmp

Filesize
1.6MB

Download
memory/2648-284-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2660-275-0x0000000000030000-0x00000000001C2000-memory.dmp

Filesize
1.6MB

Download
memory/2660-283-0x0000000000900000-0x0000000000996000-memory.dmp

Filesize
600KB

Download
memory/2664-285-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2728-291-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2728-302-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2728-317-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2728-312-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2728-280-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2728-296-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2728-307-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2760-289-0x0000000000400000-0x000000000065A000-memory.dmp

Filesize
2.4MB

Download
memory/2760-294-0x0000000000400000-0x000000000065A000-memory.dmp

Filesize
2.4MB

Download
memory/2796-258-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2868-152-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2892-288-0x0000000000400000-0x000000000065A000-memory.dmp

Filesize
2.4MB

Download
memory/2892-322-0x0000000000400000-0x000000000065A000-memory.dmp

Filesize
2.4MB

Download
memory/2928-281-0x0000000004820000-0x00000000048B6000-memory.dmp

Filesize
600KB

Download
memory/2960-112-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2968-229-0x0000000000400000-0x00000000007E7000-memory.dmp

Filesize
3.9MB

Download
memory/2976-140-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2996-153-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3016-267-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3028-54-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads