neshta | 79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01-01-2025 13:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
Size

455KB
MD5

77846c820753a9afaf76183b8ef35c10
SHA1

25377e5e4c65ccc48edaa9a8ae3725cde7eaca5c
SHA256

79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1
SHA512

83bd5ce783101c834725e903204a68ef258e9b23fd6249086fce984f4defe15d4e03db33aaa1d13efd3ab6475991073ca4b20da675f9527e4d4649d79c306b1d
SSDEEP

6144:k9RA2zNMPMPwVtiN44zAi5NAOig3TBrCZMszqLi7ksvmacmWnZuPhuGbXA:YA2hESwGRwg3TBPi7BvmZmwZGuyQ

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0001000000010314-11.dat	family_neshta
behavioral1/memory/2384-372-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2384-424-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Executes dropped EXE 1 IoCs

pid	Process
2352	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe

Loads dropped DLL 2 IoCs

pid	Process
2384	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
2384	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0fb0fa0515cdb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d29beed2c09dcb4f8ebf11fad9addae60000000002000000000010660000000100002000000008d3c5959ca35118c8731985622125cb167fcfee39f5741c08458dea4f12c975000000000e8000000002000020000000a4238975acc0b6b9843489f80475985aebd0d61a26ed4f6298719ef4b3d6b65390000000ddbb0533a3284b78c05bf5a345b2fbd075eb7dccbaaa71c503c03903d9079957920e61f8f1c6eead40c726a37df43ecbbc46814be301aa3d59f79d50e3a2a24d0c2e4c4af765798254214f8af0e15e046bd6f17f76ba5ee6e202b46e66b57d1c63f833ca769825d4ca251a0f88d0d284704fd69e7722b1e427fff1946cb0cfb9468b133274a126c0a0d45e9af7c6fb7a400000008dbc6486bf5198ea88447abc05fbffffa9dfb6d1038eda15e1a00bba26548fd6775c79c30ff10e0fe8a60bb595a12431b65292f1fe4de0a21271cba4b90b7832	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d29beed2c09dcb4f8ebf11fad9addae600000000020000000000106600000001000020000000da77687ad89709b3710a8c4ca397f5bc9b4e4489718684ebf54d0805858b8275000000000e800000000200002000000072ed1fcb1a8c83992a905a75b352f967609d1b324633f337d80e5593c931179520000000ec349a3d5edd64ce12f2ef173be3e476d8017c99a0f23d0aa08035badcc3fe1440000000a25a84502705f8b5fb2b7c0cb059f6fc8e286969af159ead0d821678a7dd64953603f949b6f38fa76156c55e3cd19a1929c620da7bed528772b9ccd4f6f9179b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "441900194"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CAC8B041-C844-11EF-A7C8-6EB28AAB65BF} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2760	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2760	iexplore.exe
2760	iexplore.exe
2648	IEXPLORE.EXE
2648	IEXPLORE.EXE
2648	IEXPLORE.EXE
2648	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2352	2384	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe	30
PID 2384 wrote to memory of 2352	2384	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe	30
PID 2384 wrote to memory of 2352	2384	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe	30
PID 2384 wrote to memory of 2352	2384	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe	30
PID 2352 wrote to memory of 2760	2352	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe	32
PID 2352 wrote to memory of 2760	2352	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe	32
PID 2352 wrote to memory of 2760	2352	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe	32
PID 2352 wrote to memory of 2760	2352	79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe	32
PID 2760 wrote to memory of 2648	2760	iexplore.exe	33
PID 2760 wrote to memory of 2648	2760	iexplore.exe	33
PID 2760 wrote to memory of 2648	2760	iexplore.exe	33
PID 2760 wrote to memory of 2648	2760	iexplore.exe	33

C:\Users\Admin\AppData\Local\Temp\79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
"C:\Users\Admin\AppData\Local\Temp\79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Users\Admin\AppData\Local\Temp\3582-490\79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://ninite.com/error/?source=fetchapps&code=192&message=Could%20not%20verify%20signature&error=0x800b0109&version=0%2C1%2C1%2C1183&os=6%2E1%2ESP1&key=8a26f082f8f084d2caa26459c1df61c01bf67897&date=2025%2D01%2D01
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2760 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_645BC4A49DCDC40FE5917FA45C6D4517

Filesize
1KB

MD5
ba37556cb4c8fbf3cde017bf8ae2abe1

SHA1
9cd74412335f2372bc7a24212d5b20ad418c40ce

SHA256
981fcadb4974dc748fd4dfdd9d0e3895a671fc334ecbcfc31192c9bbc11f37fa

SHA512
368c334fb832b4405c7fc551483f4d0c42844a714d7c0b27676f5179fbad866ffdabdc8806a00cb5a76dfb9d1a45a09b188c1e2b5ec9fee57c890502295eb07d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
2KB

MD5
202c1cc2a941ce65e6628e4d3d10728a

SHA1
3ef8700d23bb82f2e5a3043350d9fdbe13e005c6

SHA256
9153470df8ea66a9037eb771e8a4bf208fa7eed8ea4148d49121a75c9b960ed1

SHA512
621a92ef02b596130e31e9fbd4929736ca943a56380a26f17a412761d09278ec32dccb534f8112729311cdc74909a42d3969994c75b8c676043e23c0a5f3c9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
1KB

MD5
90455a34f243e2def574e809cecb65c0

SHA1
a1508a72816b3e74063deed6cb2255547eacc470

SHA256
7d849e06bbc9b3101df1c46e53786de52ffa20b8be2ed7f775537857a4f10542

SHA512
708c6524bb2bff3433da3ae3b5ec4f99e30f8765b1989502e616120b9e941d4880e47a20d0aa301c750e871c4424b44b37344d50b3642b19e1570f945ad6ace8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
c22488ba9d2c13386bb28d6de902ce97

SHA1
c4667c5d70ecdb8a47052198273ca5c7d540d39a

SHA256
97cb478650feb204892fe946308b59dd7e45a02d8a955a0ce018760e39cb3f4c

SHA512
3c48852fa5cd73c7cc49ac1a94c89b679e3826f1ce60bb69e299ff478ac5d423059f1e08db1bf44013ad7ec2f2437425f23380e3e5d8f6c306aac6bc4cac1595

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_645BC4A49DCDC40FE5917FA45C6D4517

Filesize
434B

MD5
1d92d8242c1462abdfaca615e97ce470

SHA1
0755878a62b75411b80d99783c384cc29babbb25

SHA256
2cdce398f6660fbfafcb1174b11b719744417931d96fbc46be72ec911c04a67d

SHA512
bdf692006a4f0ac9802ac9c01207141df7ec0458e7d94d3894e7feb7dfc3f58997783b844dadd33408cac7e868ce2d71bf47d6281ef04b0f622dae4b08992a67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
75b817be158e82fe93a907f7167bc64a

SHA1
153ce81613747f8d7c8027713b84d3429a376ea0

SHA256
2e2d6c25a015a1f11de6769b96d0a1a2bdcd04c6c408b8a3b70d1b7926309525

SHA512
d6e8d1d4cb02a2bba87c95313fbb8f7ac3ebdebd31abfbeb203ed1ae5fa6d58860e19215d425db585cd8d3a2b8548dc7ab7463b8bff9358fa2d6a3a9003a66ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
23d9596a7c2dacea98a67ef1d6db948f

SHA1
3d0b252ded4102320cd15a5a1ddcee8887541c02

SHA256
f2eb0616a925452c426f283c1ff427310b2a0d26908472af0f2ad66789edb244

SHA512
7903e7ba3ae9d48673a93181b047b832162cda647fb47d054bb266d2ca07ef6df8c6c8f332e75d73d0bb4d473d161e13b7bbe424bdd68987eb4e65843ba43299

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dd7e799c5ebdd23e836c7ffce262247c

SHA1
31dc5bf42798063fe8d78f2a7107d470455d7599

SHA256
c6766a32b063ef782415acdcbeb22bd9aedd77ba0096163001927d78f71306cf

SHA512
1d57cf81c07ba03cfcd3a514263e381903030144368ec285f41a4874e336d57b1e58affb210f1c7c9565742c7f8aabd0b9d1f020f7eb95d382760f0a3b67676f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d5acd5019fd4abf5d4be103a5f040063

SHA1
5b4c55f1bab64a67c4cb423d9568f896b6b7853e

SHA256
b465b64e901a19ee843945635e2dc8621467b8da17c2a12369f816a5db73e096

SHA512
435114b05c59e67763123ea0d6a5861340824aad482e7786c19480ee73a999ab5c113db9f7b51bdd1a3a161210d7a7b1fea78691e368e72ea95bbecca7b60f9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c9617fd909f2d4d83f99c176d09e7422

SHA1
85f92f5a41dba41c21a6c25017fe495c7bfcff2d

SHA256
728ee958f1aab9c3119c8e43ebf8b4c0a9422039693ad7d2592c01e4d2073e95

SHA512
e7a2f0a678e29d1aeac3b9eda33ea547576c711109d0994b404245f0a66df407e3063aaa6f9c37fe82df3e607b1ab70351929bc2fcf1b3358ff9a5290319d687

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f6106ed7aedcb77278f22695f56fa450

SHA1
c31693ee00cb92f48025b00499474d7021356fc2

SHA256
25671a38494fc2c03fc7522d04b875028a06b2ade4409aa497b31f5c2877bbfe

SHA512
497119a77bb8b6a8192dde1e1ab0fcd3f431fc15898d53e541b153faeb2baf09ba23400f1cca02431118f59382aed1f8ee829622b05f81d6a4049e43d09c4a79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6c7db908aff18f079ed10f4cb2a959c1

SHA1
e7fd77f3f0fa8736c3679a8dc15331c2383ff8b3

SHA256
453b892fca133ac6dcf0c3353b7d461c96e9ffb4bdfe7ccf8789b7f70e1e59ad

SHA512
fa6b6fa90565d724e421bb311cbd4a9c78b80c607b8c6ffee361ea62369cc17f4f0ffac7ff1fac37eaf7d4ef5448e4a6a2bf8cbb961b17566aab037c3fcced9b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2d27ac2dd6e116627f09b81c0f416311

SHA1
f88b883699e8de120285dae3b0ea58fc9ca3c6fb

SHA256
2f0c5948b99465543ed57f74af7580fd53967de9d5ec3d4f9449a5dde164cf47

SHA512
7dc8428df54d1e81e9011e6183c72ffea59bc1ddbbd268328353cead61e881d2ee5fb11340387ef5508c654de3be7d873bbb63ba1798220a505e66821b4b06b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cdd3892e669acb12ec31fdb462504b77

SHA1
e06191ab96585c5d1fda81527086e6f7a9afc7ed

SHA256
8beb95c23890c305826f1f2b7d062ac1a35b082a50fcdb3fce7a7dd243b54c83

SHA512
c82356b15e4e3e0a85f935a8fc9eec3fc0146cadb85da0141ebcb0f8c392fe50a03701d0c68b9ee3503cf9fe848dc38c9112aadc274769a08584d84a4d8d797f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
56358bb42999f74b67b36f0c051a5ae7

SHA1
0ed95b49c4bd8731d089ccad8a424f1938bfbb68

SHA256
51fd08f522c4e1357e07bf7b208afdfd63e61eda8ecedf13d48938013bc1cb8e

SHA512
63f7da479007bb87d0ac6a52a086e136955193dc56c6746e0347828147e8f247f93d55460836479cab2e85c9175828481c427c0c75a5ca4cece3bf2adc125f06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
66730fc3a0f743d566067561645dc9a3

SHA1
fb6fdd7f73407797c471cae44d70f33bf5453653

SHA256
ef2907bfece75c390a103ffc40949c9a6af7128965bd7bc20ddef4d22b2e6e60

SHA512
8fed4e927f1f766cc32f85943056ffb4312a3afc1aec8b1c3a50cf876d07d73f48a8b3ac03645011d94a84a7ac9e4fc6d57a01ef10871315bfef9fbce83966c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ed92a8cc6a56aba519e1451b0f6f643

SHA1
f2225ed6a2e49578d80fcbfce655406c7ab965a7

SHA256
1c90411e46356408264e908fddf2351f021a83ceca3af4febda62b3f88113997

SHA512
858583db592e7251fa2c5a50155df7968a036fc614cd09ccce0079d3c449e948d0f7af733c1cf46812dcc23edebb0f70c81bf48c8f5760a2140708015a7cbcac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0f6f6b3f1039643a5dc3fae8fe6e3dda

SHA1
82058a6f6c1a8ea7b2e7bb6da06ffcb5b3053f99

SHA256
a86f6d6102fe89d93cac0094a1871d2bcf342db16e932eea9ec3f7895d1930bb

SHA512
9a151a2d37b761cba35481e8e201c0bd3d3376a8f0953a8673d585dd7d3a32c5bd45f2314a768c775380c95636d8eca0b1d02721eb5646e25f10a66a7d2b1556

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
04bc601d7d5cbda916e36e66ef50f57b

SHA1
9b785b3684bc20e5450824ed0393a9e419fb3627

SHA256
262eb9dd3d5a09c116425a776048bbff011ff1537521ffceb6f3fdfb2373cd6c

SHA512
dd7ed2c56dffc809c1433a244d5c0700b76de5b0f13e0cdfcc36d917bbfa7b7fef3bbdb423147688069c21d79f9cd907af225f61888707e97b79904d08d10cd3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e5c9178fc7500f8794fc0ca07c8e6f7f

SHA1
8b883d20957067dc6eda9988ef6db203790d1434

SHA256
5c78253fadba1d91f06241689b29fd846fd58836c688e114ebd353690e2e3bc9

SHA512
7e71e8fd84893638f2fdaec556fc88baf965ec0fd45b307a69febe8d77a62959dfb4ebb6ae203ebf15ba07c7629c7b409f69a0417eb93d667e2d2e2175fec334

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0b68b94265214624dd6164dbb0a1e27e

SHA1
e90834b96ae49908cd52d5d3b0b0376b95194abf

SHA256
85d742414a5a93d58ef1707fed98b8c0d1b2c7a8ec505b79156c11e886d56efc

SHA512
6cf7ee2126d8a0a8aca3d28c4211ba48fb41be96911fab7c286b75ce93505c60f8decf15c41c6ab84c9db42485869865896e0dcb8be441556f23b71fa5229e96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
66d231c5973a264cd20b7e83197b02ba

SHA1
fa3e401f07637c9defce3e61bf3c32a1c2c7a7af

SHA256
03c2e522d6e7488f662328c442175316c913b1520cda811468bf5ffd079f31d1

SHA512
9e1e74fe51ed186c9bc629f0c9c86a643e7d97b98d2844a29b73795064fca7a6832529357ce165e58ac0aa713977cfd6056c6a5f9db3b8ab277230abf897f1bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b064fdd1e26e427ff7d47690c123710d

SHA1
d07b9b799f66bb55b0657305aad039d4b9d071a0

SHA256
3279a509f720001dc1a6d5cedec69395a2f189cdf42b57b7835efe8a7f8dab6a

SHA512
8ee141ffecbfa6b6ef2d2d1a874531aa07f9bcfd8e73b2b431bff837fc3195a059fe0c8a51cebbb228ab7b2bd68adc2d818d45103eaa0625e370e2f1dbe778cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c866074b61fc3e1937359c3bfd41cf0

SHA1
96a68705fdbddb1769da476e48f15633deeb129a

SHA256
804acb1ef3f67ccbebc837f4da540cc9d5d4f0ebe9e45cff4dca4b237c44c618

SHA512
5e5d6bc5de70fdc8d9f01b05d89a70826c7f9d0c3f03e02656dda806eedd88d16390fb28d90409bd9cac17b945894bb35d76400492f282375dbd2e7c508aaf1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4354c02fcddad8310f79956447763d4a

SHA1
7b4c11fb8aad72972367e7f1cc4428c2fd153669

SHA256
2a8af6564344622ace57df2264a7be27de74da5a5c394a7705b518bb8c4fbda1

SHA512
4603888b601eb2145ca3910b3242eef1d38be3bb73a4f0952afc222a7d80fa057955e7fb3b3c4cdc320306993f44a1cfd7e7f76854ec950fa1da2d6ed9362a79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
80ba7e3023f29eb99175bbaed3befec0

SHA1
c9ce7063f2a0c549b99ded319f8c58163ff6efc7

SHA256
a0b6ba7fb12e225b3c5b5e7b74c21bc5c5906c5448f8a1e954582bdd47ef52f7

SHA512
30bd811b3ffce98bcc1e91ce67ab460df28fcb7e872a22d36436f3081d13f93cdf04403235221e3baa3d312665727c9c4ab39058ce3fe8fdc0e7d355896d6909

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c9b3da14dcd5c8d32af5dbd7d536b627

SHA1
a6f58b4bb5eab2ba1d71b62985794ef848f9c764

SHA256
e66b2e648fee5b639e9f19a17141656f5b5d11e952fab6ac35275c3ed5394ad6

SHA512
e6c047ea171f5798e4a719b0ce5144d054f3297b75e6a8120a4ff57c11a4c841de61fc6d7eebe87017129b90a8a5a9f5406869a7ac391f773b6d219482185853

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
65ffe7f8dd0e53e8c169ec7308af34bd

SHA1
e78b2a0d772f4952a369b051b84d4aaacca3a445

SHA256
7653ae4999a3a26bba7089d824c53082b9d810857a7f136a70ff55582a0da8b5

SHA512
b5c69b6b2b895d34d3c143afc0164ccb17d1ac1ab437dc17c8a181d6737f77c22df0f38015d8d5a351b5e96dec12e41c1a25f5a0b0474a6379af982e8fa4060d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
621ee8a2707c63edd25cccb5ab6e80a0

SHA1
d7daa392f0a087b43d6ba619ba71470e8ac5e54d

SHA256
03e57cb7dbca23fe2d78ddaf458d4229505a1464fb22f2bf082897ce55a5886b

SHA512
bb9cea9d0cf3f7e9c0500d12a09eabfda4b6394c18cb954e74eb9b156d9c8a4f5beda33cf3798f953c07e533276092486e34a9b9ee6337cfba82c56b58028c8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
95ac7e57f0c5b3629e55418837193a7e

SHA1
e7db287770ee81e5b8c71f409bc0244e88388a42

SHA256
36d992ee864433d3fe2690c6690d77e0ede9c21dff8476f3412b20f6c16a2911

SHA512
0211c84783ebda13af85caa0f4e4c2d01e5c730fef257a7fc7819c29c76ddc0160e41835bf13e3585cdbafd3927f9db4063502ab3b5be7f7aca15b4b7d0ee1fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c0abf9a043b6b186b6b4a63682fe124b

SHA1
8014f7dd3231b6ad3326a7392b9238301a1272ae

SHA256
dbceea588109828685dd7ddc4e66d9b8099a05e50857143fbe44c468fe640b35

SHA512
fd15d6c6010a1776daab8f9c3fd28d69e46d769c1dd4f50dc4c7c36e8dfb06ecd70d88d5dae62723060617417d9f7a4ce4a4b7e3d8ae84fcff466ca8fb50bda5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
458B

MD5
a915f305ddb85e2fe0a87bf146c7350e

SHA1
9dceb1cf7a3a7251f10b31ce1b61de930389e1be

SHA256
e6ff0b30a40034bede6c0e572cea10809f1bf1670558c40831af8879a40fef75

SHA512
102be2e5a4c4059c35b929fa54391522fc9f611f74ff4c3241b7aaad64b3648e54404213d5cec33b7c810ca2235991463921a49de004fbdc03937ec0edd634c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
432B

MD5
48721c15924cdaad71da02085497112f

SHA1
bcd68abffaeed9d4a0e529a9f635ba0696a04248

SHA256
f5527d3e5fb57656482fbfcf5497ad750ec61ef026b01c791555f312d18db0ec

SHA512
01ced36dd520376b6f92b03ca656606004b211bf842ca827ccdeb07efda50821722b1daf0b2329f69e30786780d5af20016a3f23a431970522db1e1d3634099f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
24016bae43747019458ed0337349b075

SHA1
1b7cd327908befb85a132453de83a7ff9643100e

SHA256
c9eeb5c6779386e3f93bfd4444be76d68b5962b0ade2069500e7410079e3ade7

SHA512
15fdd73d1a5671f6d4f38258e1594428f3089a9464d2d08a5a2fd615c25cebe880a13e626f122b2b2650a6aa9b8c03e53ace1c873cd240b6bb0e2e6ef54e570b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\0qn8gcy\imagestore.dat

Filesize
1KB

MD5
237d0ffa79f4ac95567b456cd5385267

SHA1
f1d096c46da7f2b97951adb680abe7cc73e347b6

SHA256
89d61790acf2ebbcfa3950b2807da4be013daea189a218430a4497aae9264b51

SHA512
cdb8bd6984dbef14f30a640f87dd64bfc0351621dd0f148e79664a9d1c52c33e6bcba1d737d2a70216e0851d2d974580e28374b410f598c04d55fbb9cc1ce689

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQFHO95Z\favicon-50c60524c110e749f013a1ca48f80b80[1].png

Filesize
902B

MD5
9882d7ba1dc468b46bd2025365097169

SHA1
7c156162de11c98d276a1ad874bd6fb936a44575

SHA256
7557e0990d6d93912e30bf22e985cac709751b5d4425a3366332d42ef1c1c211

SHA512
d0aee0b188883f7510273ec77f8c9e46f0dbf0f6c9766694a092c1bb192310c9242a7e734ea3b592d245688ab368122b36b6ca84380d5d0fb464a46e270c2ac2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA8DF.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA920.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\79a593392281f2c32bb292cdf5c2f496c8e1070168d423decd03d9e4da46c5c1N.exe

Filesize
415KB

MD5
9a133ccb5e42ef63514559589158caf9

SHA1
9812c1a3c3a4833157ae4d8af5ca669cf9ef7e3a

SHA256
cc976278eff6862b1d474f7f64cc35335612211b3f685d27a67f59f90d250e28

SHA512
c8ee3bb7e20cd32fd30b7a93d8dcab4e120fe6300e3599a3fcad38e2fc582066e2345894c35035ca557dee4994b0e86265d66a34a1a98a09bf7a9e235825a19d

Download Submit
memory/2384-424-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2384-372-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads