neshta | eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7

Analysis

max time kernel
67s
max time network
75s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-01-2025 11:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
Size

665KB
MD5

f593f40740b30e34627808b19938ee90
SHA1

aa2e5906bc5db346735d6e126f5e037f78f4560a
SHA256

eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7
SHA512

a4546dff261dfb3dc1d924fed651a5eb43822f0bf066d85962c0006a40901d1e8d77ce56c4df3ab90109187db533da2bcf081ab72960ef59f7f94d5ab298e4aa
SSDEEP

6144:k97UqPg/wobETHTxGmxUceE4wenHDBXR6fAAGIeoclMra0nFe8iSQz7/N2U6Cctt:GUp/wKaHTx3UciwOse7uhn4TFN2U6Bv

Score

10^/10

neshta discovery persistence phishing spyware stealer

Malware Config

Signatures

Detect Neshta payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0001000000010314-13.dat	family_neshta
behavioral1/memory/3060-220-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/3060-460-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta
A potential corporate email address has been identified in the URL: [email protected]
phishing

Executes dropped EXE 1 IoCs

pid	Process
2388	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe

Loads dropped DLL 3 IoCs

pid	Process
3060	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
3060	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
3060	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\ya.ru\Total = "12"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\ya.ru\Total = "9"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\ya.ru\ = "12"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\ya.ru\ = "9"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "47"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\ya.ru\ = "27"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\ya.ru\ = "61"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b7c29d6f7f61624bb446410036ad1594000000000200000000001066000000010000200000003be60d324a0cd095195b826dada7e82629896b336925d013bf6415849a972e5c000000000e8000000002000020000000ed970fe43cf38b581e5fb8858fa788681e354b42809dc8d611c18ed477aca8029000000059c237a98471e90f3f46db76928ac7f91fc4a7b22895f49698738fab7ab956f15921ce1cf557d87d7f3ebf8f34f46b878d99b2d61a884acaea893d670440f094b1d7bd9ac86745df22e6a2612d10c7ebb477097f2e241f9b6d8e209731f3d774b4880608df5d8b98242c2e739f3d9bd9636ece303a848584746b525427b546434893c04bd502fcd1bf3d5bd09bd9a0fe40000000ea6b5071361d6607a3e222fadcff3c33e22172afcf92e1b23ef9403809e014ff5e094fc0c8950b86bef43c0c3242ffe5d5fa9c0c3b480bb8ab03e85370d61640	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a066db910b5ddb01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\ya.ru\ = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "27"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\ya.ru\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "9"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "61"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\ya.ru\ = "579"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "89"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\ya.ru\Total = "89"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "549"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\ya.ru\Total = "549"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\ya.ru\ = "89"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BA543D51-C8FE-11EF-A073-FA59FB4FA467} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\ya.ru\Total = "61"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\ya.ru\ = "47"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\ya.ru	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\ya.ru\Total = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "12"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "441980053"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\ya.ru\ = "549"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\ya.ru\Total = "47"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b7c29d6f7f61624bb446410036ad1594000000000200000000001066000000010000200000001d2440976e62a64c5e3450961ba533fd6e29e74748cce9afc247a8e71e20bfa1000000000e8000000002000020000000fd4089033c554dc86f0f0153c3bdfb36ac671f419b82f85c67fc4baea4c9be9e20000000e1a38935b95dcf0b689aed497511d794db9c12f626a6aa655135a030c0354253400000004cf68cf437b894ea712b215780ae7375499d90071b8ed79dc55c055fb413ca600b283bb57d7b005fde1ac874310c9b66ad70f8fce2522b86bb80fee6810aa724	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\ya.ru\Total = "27"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\ya.ru\Total = "579"	IEXPLORE.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2392	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2392	iexplore.exe
2392	iexplore.exe
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 2388	3060	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe	30
PID 3060 wrote to memory of 2388	3060	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe	30
PID 3060 wrote to memory of 2388	3060	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe	30
PID 3060 wrote to memory of 2388	3060	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe	30
PID 2388 wrote to memory of 2392	2388	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe	31
PID 2388 wrote to memory of 2392	2388	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe	31
PID 2388 wrote to memory of 2392	2388	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe	31
PID 2388 wrote to memory of 2392	2388	eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe	31
PID 2392 wrote to memory of 2752	2392	iexplore.exe	32
PID 2392 wrote to memory of 2752	2392	iexplore.exe	32
PID 2392 wrote to memory of 2752	2392	iexplore.exe	32
PID 2392 wrote to memory of 2752	2392	iexplore.exe	32

C:\Users\Admin\AppData\Local\Temp\eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
"C:\Users\Admin\AppData\Local\Temp\eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Users\Admin\AppData\Local\Temp\3582-490\eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ya.ru/?clid=1961774-1
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2392 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_6BA9632DDA5E7BEF7185565C8D7852D6

Filesize
940B

MD5
5486bcdc5df549829a18b29443ca78de

SHA1
ba77c73b9eee9fdfaf20b98b52442606990980e8

SHA256
b94e2251e77e5ce0f8e9740a309e40407efb2b4548b3730615471bfac65fac00

SHA512
f3fb0b1e53bfa8b1015bb4f929171a9559966ef984871eede7f18871e680a7f2d83bffb81412d1ec586075f455c3a82d51e25014626f1478ccb6e954ce40bff5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
7eb781cb346081103687bda88336fdfc

SHA1
fbb8b573608a976ade106658219ce5c40dc67019

SHA256
1c2759ce233271309c311b7a7a70c0375f31dc074211c81dfd021e21f209d461

SHA512
f69e269cacca913622b4e77019c75740c08c20c5901e77ebfcafc20470d9c4ca94cc3682639287a4a7193f0b328104f9a788844dac8e788266ce39d691a9fe79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_6BA9632DDA5E7BEF7185565C8D7852D6

Filesize
524B

MD5
f57b84d164b8228d5638b6080650a4eb

SHA1
678a1f9e56242e8e53d8f50ff293b8735a8b59fc

SHA256
f071cd952641a15a435d178cf553888d2137d72f094fcf398ecfb0a5a97426cb

SHA512
b819f43deae07fb0fc14d40fe19f00789f86e6d728ca4f19a80c214a390fa497aef9736429ad24fc634fb91e7938573ccecdfb9901811669247b280886593f7f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87504caa4687b4358b543652f8dde439

SHA1
c94253ff6aaaebed9d62696ca89a1ca7a264a5b2

SHA256
3c1c19248c70046bbb3c5727decad5abcadebb44c278744a1d7e5a5089c21792

SHA512
9642221e340eee5227744da5f09f1824f831b563232349e83204d729b45aff9a2e931628d1f85ebb0bd3c222efa3dacb6fd9f58f74b9c866f0dd89974de7b858

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
06e894bf730dbfa70194a4d4784764a0

SHA1
538315a475a023434ab3738b25b4982a8d8e905d

SHA256
0bdc1fbd3aa81aac126cbed05ded9b90b16f3f1ea42585b3fd1c5706625095a6

SHA512
6ee52d6ac4c74aac3f9af95ee6901f0334908fa6f2aacabe2e5cdb0afcce8a519bc57e94b97ebd82e97c97f6e10de0706b1184546fa7d6414c6e839e695e594d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
afe198bee94a18ef1997f1cf0c6704ab

SHA1
eea4769c81115c63e62e0b8b13e12be3e4157dc9

SHA256
6554ad536c59acd09654f77b3091bd0c907ef61aa563caf6083f7ce4332b0b0d

SHA512
d9fbced367a5b9785248a2619ad12390980c8bc3d205f267b57d2ef40de95ff21a51aed1b2e22754f6c7c4b69337db343fb1dccd261fd97fbe7d940fe81ef15e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
90cc7aeb541721e86d81c10604978bb9

SHA1
125d6651cdf3746669df37811a025d52f4c97855

SHA256
f77de31f5507d00fa4083ff12203303d1e3cda74164fe6a568bd7ee3dd52872e

SHA512
66acea89bc4aa5340f682375bb4c80ad6ae958575080a3a53bfeb34582f0133ff356df2d7cf90d9818a443edaa539573077a1270eaae4012871aa3f8c65b3382

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d6b10934b16e824642943eb778de9793

SHA1
0177e76b469f4932534ce5cc8bb82a38ac618005

SHA256
027de0c7e2dac3041416d2b7924080880e9c5365726545fbbaf897681a42f85c

SHA512
b0e1b4967ffcdf63b887c162021059cac920a04d9eb72ea276b7c40983979d9bebfc321b0a536f9c418617cf672a5413fadc7a6d4724846ca9fd8de5c3ed6a71

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9619b68e2bb8691b12a391f7c665cba8

SHA1
0c9da85e5cadda33c33daa4765acf902b71df28a

SHA256
42257edf5c135235bc8c0c9920f69164fd5d802920f2bae7f83dc7d12099b4a6

SHA512
e57582fd830570f20830b686220c135ee29577421c1a1449b3c0997bd77e00919c5ab5d84599531279dbc463cc4068ef04f3ba68ced200bdff4530104d3cb55b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c30d3be87e3afc9a1773bbe5c1ebd4c

SHA1
ea0b0b1504a841321d3f42bcba6991279de6d990

SHA256
84b801afa16d31e7a17b9b81255534b82de8d64273f7e2ed1d8f13286b1f93c8

SHA512
652c6d3e8f0c13d2d86777e97c40ab9067596fd0511654b84daf182a95cb598cfa2151eeaa7bbac896092e756a5a80850c3df07a7a07ee143ca4a29d80b900a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea498b3559bf7282e185a9a1f2db2749

SHA1
9c6896a47e5b82595f37ae60159622aab398874e

SHA256
a6b0ffcb97ba8bd46d240d6129afbe5350130bfe10ff3363616259868bcd264a

SHA512
989ffd1e9758a5952dd393080e94480190e4eccf8168bfabc737ae5bd48b0b6b0a6a103bf15835fb3d384575043b486b62c30878789ce7084400c51fcc616cce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9b574a0f6150cde67deea12a172e4698

SHA1
89b26ededddca6999da974e24775d4bf58541773

SHA256
e4a175a3ab306355028608627e0053716d5c4a4fbea8eba756c6971860dae180

SHA512
f876bfded05297d6746d3d8d5cf620ed76b5973bac8b48312bd6be801544116bf5fc90a95ac135cf4f4be4d74758b69fc2724e3c94e1c16fddd4fbbfa4b373cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
82c41f6c2453d634caac6828ddace4f9

SHA1
5fbb7393eb15646dbd053ad65ccada2591893be7

SHA256
6103c76654ebc44b6c81df19ef8fa6ff708b1e3788bd31e7c2575dbc527fce2a

SHA512
4927cb87ab00c18bbd9130b8db359432f459202075f86be60fee532c671ad68dfa05648febd0bb8dc29f7fb0c8f98304a0be392150af5122ddcc79519b350807

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec166dea1ee24b2712cef013d0ab96f8

SHA1
4480c5bc82dbf70da4b5d703301ff868954a393b

SHA256
646fef1d4b72346247148c43f6f0870b323298ed347a5457dabca93952b3ee19

SHA512
e41f4df5ff79f115c202f77ae022b505dd4eec6b7362b370da10140c43ba852e266caeb9e0f93e6638ffc810d4661ab53ba8ed8731560c15de1451c2b112766b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2c284b81199a5aa48d36a2d32a2c560b

SHA1
0108c76a2b47aaf462ca8b0a274bf5ac9cd9d187

SHA256
41ab3765de9552ec5770436f43db577d042a8b0b4282a6a0581482a20b8de519

SHA512
ad14e718ff2840d77f686c123bec71ea867c4fbc35e297a12a07987baa0299131771678a3b118202552e809cea37fdb5fc29ea42458b9ee7d343c501c6442451

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ad5cc3eab9bcd46cc1781597076fdac

SHA1
05f253a8a30090abf890ea2151fcc920438a73c7

SHA256
26e9574a418b4c6aef2d85a9b635208153fca8e292cb1f749636bcc3952b572c

SHA512
b7ef3344c777b5a9a666f39215ac2b5f2165924c36b34927c458c15a36451ebf7b605d3e1720788d3c3028d9ce1c4cf9f6637fe7a2a34076ba10880b330411bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
65cf3c65c06e3440d2ca14797db12e3a

SHA1
cd117de6ed9cf23ebc9a89b43cd4de87a73a2694

SHA256
8dd2c65275f2e05df5fd10925cb132435924c5e6ab8f120f0d1089df3aff44e0

SHA512
af389899ef85379c96b17d59954804cce6f94c0b0fd09f6d3626bb28147720d3e91c40171f4545e835f324cc521a2f4a17a6018be6c34b60e3609233a26d90b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
30bbf613277984e508b92632756314f4

SHA1
11f65885f1348a2f39c060e64e0a9dc2b1ef04aa

SHA256
dbc91c0544ce2d07968051aaa3a261dc0ec4a7f5ca1965dd63de1b2f817791e7

SHA512
1d5e600360e9c414e46764d0b1d40f71ac71161efd3de7cc3a1775e573290eabbae430a227dce33fc88af7231ba04d8ef7c7f4dbf1460a6c484e720329af0ac8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d372ad30d67dc2eb08f7db84b26a0ba3

SHA1
78ba84f3ad3275993d084187f2c685ec593fa1c2

SHA256
08f7453bb8f9cce118d75aa92634d1af617c1db8ee34cd10d13edcf8610fa015

SHA512
1a09fd20922b82907e4c1bd19c1ce1b664f824fa3f1c9cad1357f2bee8a0a09d347f59bdb4acb8acb1574567bb86db3a766ef7d8414284277cb8d1834470465f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c8338e86e10a7ff1a04f585dab333622

SHA1
418ec607913ca089e42bd97f3626cbd1dbed5775

SHA256
77ba5961254350df599e93e8e8b20ac4bfbb096406ebe529c235ef1c7cfc42b0

SHA512
fa4526d492a27694161a343adda240fc38ffa3117bf191ed9dd852a95650cdb3fb94695714e3acc1b7ff76687fe093a9e78de985c6e53983b45bb607c4831c59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c2ec69a050e11e6424033ee2e209406f

SHA1
2004cc7a8efdc4e65178ac9f6b060c13af3f850d

SHA256
b95c1ab358e5bad32ef6ad7cddfadae98b5b315ef64bb760a9451c75700fc57d

SHA512
ad6b698d143f6a08d1232fdbf0e7e8ae3f6ad777e4406c7c7640c6f020ad36b01da1a6c5141971f99e604235da328f0d9d7dc8a4385ce09df189405e9dea9bf6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
11396481db03266f1513a22b3e97f0bc

SHA1
0e3191ff051958de57542cc7e530830e7b62af3e

SHA256
0c94720e70daba52b95360dbfeb2ced6f74478fdbf2d07eea53ec66255d762c6

SHA512
7a999f549e5e8c105101a80c1dbc9c08e6ea3eb49dc6d9898b2727482ebb6bac17f01087a12715eeaaf5089a5bcc358a418ffa70a789d8fa49315fb0260cf31b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
aab2ee28576952d1fe0cb178f1b1b733

SHA1
2f043fae4643983efd8cd79e3ce0b23a36e4a154

SHA256
d3cedef93cc8d556f30cab2573740f352cab521f35f42de32d54f49e16175d7d

SHA512
702d3040c75cb58a68d77730daa0d1c3a2e196c9ab356646ff8f3bb2be9a7a2e2e5e5313e5096df47dbbd83d70b33e1ce5c6e65d7944962bf0a09bead9c55538

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\TFHBEKU8\ya[1].xml

Filesize
86B

MD5
9297a12779f09a8c2ea3ef9e38383cef

SHA1
4d5b49c0da9ef9825b71ca217abb73c7a2272dc2

SHA256
5a88dd46e6cbf787f6d6220cad8a4d4715212b64c1a117823ce91af907ff2d48

SHA512
f94c7b889f671ee54eee83f025d979df416960d343113319bf8cb8cd588fbd3ac1784aaeb33672ea81219ea5a61567343c1ed0e14c54b66738eb3ccdfd0a7b83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\TFHBEKU8\ya[1].xml

Filesize
417B

MD5
1e277192c76b655e7a42e3e920b52848

SHA1
52a1a40997ffe0560648d9598e2ee65f09535983

SHA256
3a3d8d4633268a0613e00086160183ca3fd95cf2f0a611d34b79861f8a1f5111

SHA512
91781f61f8182b7ae7ff5993d3a963e4a37f18d895850ef0f396d313cf129b03f9a0dd4e8a313087288901aece0f46309a94a2d259b197d13a1b34a670f2d924

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\njqq61f\imagestore.dat

Filesize
597B

MD5
6c8af7b70815a7b910710c643685cff4

SHA1
290b94dadce3e9151d40f5ea85f61eaabbce5612

SHA256
4890b044aadf56a67949e10f5ed0b0535cc9e2cee688291045ef88d06606a7d6

SHA512
fc0cf39c9892837f78f22b433e71e9931eb5b32ced43bfcffbb8e64ce136d96abff5738b63a6c9903c227977b8c90813c0010e5cb9baa19a08f8ed361066df31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D6V88JEY\213b7d745e28ebdb29d654ef909665d3[1].png

Filesize
397B

MD5
5c336a88c551e6d484b80bfe7d839457

SHA1
e777044cf3cb2427f53485015e7009cf00e84dfd

SHA256
0c222f4e596fdd2b9e7f04b8076c3697657d6f9bc2d56e74b259a546c88c7a77

SHA512
c969ddc9a34a5cae2f3cf3c360d4895d3cbae46dfcfbd35ce08e0d8b41a8d9c0d2259bf02658f79ed597f9d03304cf4f1389e0b3dba0572c6faedd5ded60817c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE276.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE277.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\eef73af859c16b902fac263fd2f88d3f51e88845f81c75d732f5b94d3749d4e7N.exe

Filesize
625KB

MD5
5c0a50045a80cfd5fb8c2b6c70b82e32

SHA1
3eb691db9dbbfc8fa1fa8d15f10099e72ee6032f

SHA256
bde1d716d4098f2a93f70199bbe520bdc2f34b039345fbb1414b21cc43ba93ea

SHA512
d137a03d6be08791d65ab3540dbf9bb281bde29301aabe44fc322b94ebd86d33d0175bc9b9f7c63e02a15c9229f58f4a48cd7e25377458141d0fe0da35d496cc

Download Submit
memory/3060-220-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3060-460-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads