neshta | 226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059

Analysis

max time kernel
44s
max time network
48s
platform
windows7_x64
resource
win7-20220414-en
submitted
24-05-2022 21:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
Size

2.4MB
MD5

0fdc3996051a77f181c1da5b3f2e044c
SHA1

d1c3d8058983e1a9b98b49cc0ea0acc07fbe4a3c
SHA256

226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059
SHA512

c92da723f52da08ee5b58d37326e8fa0c9ffe904c06bba2bdd62eeaf307b8e19a3d3e0ab5bddc0fe9f2c7410f3c36adfefab4134a61bf01ade35138436be3e35

Score

10^/10

neshta persistence spyware stealer upx

Malware Config

Signatures

Detect Neshta Payload 5 IoCs

Processes:

resource	yara_rule
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE	family_neshta
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe	family_neshta
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Executes dropped EXE 7 IoCs

Processes:

226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exesvchost.comsetup.exensd1124.tmpnsd1124.tmpnsd1124.tmpnsd1124.tmp

pid	process
1952	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
1180	svchost.com
1060	setup.exe
1812	nsd1124.tmp
1700	nsd1124.tmp
1824	nsd1124.tmp
1636	nsd1124.tmp

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\TLSFX0~1\MIDIPL~1.0_2\setup.exe	upx
\Users\Admin\AppData\Local\Temp\TLSFX0~1\MIDIPL~1.0_2\setup.exe	upx
C:\Users\Admin\AppData\Local\Temp\TLSFX0~1\MIDIPL~1.0_2\setup.exe	upx

Loads dropped DLL 45 IoCs

Processes:

226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exesvchost.comsetup.exensd1124.tmpnsd1124.tmpnsd1124.tmpnsd1124.tmp

pid	process
1100	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
1180	svchost.com
1060	setup.exe
1060	setup.exe
1060	setup.exe
1812	nsd1124.tmp
1100	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
1060	setup.exe
1060	setup.exe
1700	nsd1124.tmp
1060	setup.exe
1060	setup.exe
1824	nsd1124.tmp
1060	setup.exe
1060	setup.exe
1636	nsd1124.tmp
1060	setup.exe
1060	setup.exe
1060	setup.exe
1060	setup.exe
1060	setup.exe
1060	setup.exe
1060	setup.exe
1060	setup.exe
1060	setup.exe
1060	setup.exe
1060	setup.exe
1060	setup.exe
1060	setup.exe
1060	setup.exe
1060	setup.exe
1060	setup.exe
1060	setup.exe
1060	setup.exe
1060	setup.exe
1060	setup.exe
1060	setup.exe
1060	setup.exe
1060	setup.exe
1060	setup.exe
1060	setup.exe
1060	setup.exe
1060	setup.exe
1180	svchost.com
1060	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exesvchost.com

description	ioc	process
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe

Drops file in Windows directory 3 IoCs

Processes:

226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exesvchost.com

description	ioc	process
File opened for modification	C:\Windows\svchost.com	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exesvchost.comsetup.exe

description	pid	process	target process
PID 1100 wrote to memory of 1952	1100	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
PID 1100 wrote to memory of 1952	1100	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
PID 1100 wrote to memory of 1952	1100	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
PID 1100 wrote to memory of 1952	1100	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
PID 1100 wrote to memory of 1952	1100	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
PID 1100 wrote to memory of 1952	1100	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
PID 1100 wrote to memory of 1952	1100	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
PID 1952 wrote to memory of 1180	1952	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe	svchost.com
PID 1952 wrote to memory of 1180	1952	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe	svchost.com
PID 1952 wrote to memory of 1180	1952	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe	svchost.com
PID 1952 wrote to memory of 1180	1952	226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe	svchost.com
PID 1180 wrote to memory of 1060	1180	svchost.com	setup.exe
PID 1180 wrote to memory of 1060	1180	svchost.com	setup.exe
PID 1180 wrote to memory of 1060	1180	svchost.com	setup.exe
PID 1180 wrote to memory of 1060	1180	svchost.com	setup.exe
PID 1180 wrote to memory of 1060	1180	svchost.com	setup.exe
PID 1180 wrote to memory of 1060	1180	svchost.com	setup.exe
PID 1180 wrote to memory of 1060	1180	svchost.com	setup.exe
PID 1060 wrote to memory of 1812	1060	setup.exe	nsd1124.tmp
PID 1060 wrote to memory of 1812	1060	setup.exe	nsd1124.tmp
PID 1060 wrote to memory of 1812	1060	setup.exe	nsd1124.tmp
PID 1060 wrote to memory of 1812	1060	setup.exe	nsd1124.tmp
PID 1060 wrote to memory of 1700	1060	setup.exe	nsd1124.tmp
PID 1060 wrote to memory of 1700	1060	setup.exe	nsd1124.tmp
PID 1060 wrote to memory of 1700	1060	setup.exe	nsd1124.tmp
PID 1060 wrote to memory of 1700	1060	setup.exe	nsd1124.tmp
PID 1060 wrote to memory of 1824	1060	setup.exe	nsd1124.tmp
PID 1060 wrote to memory of 1824	1060	setup.exe	nsd1124.tmp
PID 1060 wrote to memory of 1824	1060	setup.exe	nsd1124.tmp
PID 1060 wrote to memory of 1824	1060	setup.exe	nsd1124.tmp
PID 1060 wrote to memory of 1636	1060	setup.exe	nsd1124.tmp
PID 1060 wrote to memory of 1636	1060	setup.exe	nsd1124.tmp
PID 1060 wrote to memory of 1636	1060	setup.exe	nsd1124.tmp
PID 1060 wrote to memory of 1636	1060	setup.exe	nsd1124.tmp

C:\Users\Admin\AppData\Local\Temp\226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
"C:\Users\Admin\AppData\Local\Temp\226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe"
1⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1100

C:\Users\Admin\AppData\Local\Temp\3582-490\226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\TLSFX0~1\MIDIPL~1.0_2\setup.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1180

C:\Users\Admin\AppData\Local\Temp\TLSFX0~1\MIDIPL~1.0_2\setup.exe
C:\Users\Admin\AppData\Local\Temp\TLSFX0~1\MIDIPL~1.0_2\setup.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1060

C:\Users\Admin\AppData\Local\Temp\nst10E5.tmp\nsd1124.tmp
"C:\Users\Admin\AppData\Local\Temp\nst10E5.tmp\nsd1124.tmp" "C:\Users\Admin\AppData\Local\Temp\nst10E5.tmp\nsd1125.tmp" "C:\Users\Admin\AppData\Local\Temp\nst10E5.tmp\nsd1125.tmp"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1812

C:\Users\Admin\AppData\Local\Temp\nst10E5.tmp\nsd1124.tmp
"C:\Users\Admin\AppData\Local\Temp\nst10E5.tmp\nsd1124.tmp" "C:\Users\Admin\AppData\Local\Temp\nst10E5.tmp\nsd1125.tmp" "C:\Users\Admin\AppData\Local\Temp\nst10E5.tmp\nsd1125.tmp"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1700

C:\Users\Admin\AppData\Local\Temp\nst10E5.tmp\nsd1124.tmp
"C:\Users\Admin\AppData\Local\Temp\nst10E5.tmp\nsd1124.tmp" "C:\Users\Admin\AppData\Local\Temp\nst10E5.tmp\nsd1125.tmp" "C:\Users\Admin\AppData\Local\Temp\nst10E5.tmp\nsd1125.tmp"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1824

C:\Users\Admin\AppData\Local\Temp\nst10E5.tmp\nsd1124.tmp
"C:\Users\Admin\AppData\Local\Temp\nst10E5.tmp\nsd1124.tmp" "C:\Users\Admin\AppData\Local\Temp\nst10E5.tmp\nsd1125.tmp" "C:\Users\Admin\AppData\Local\Temp\nst10E5.tmp\nsd1125.tmp"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1636

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE
Filesize
859KB

MD5
02ee6a3424782531461fb2f10713d3c1

SHA1
b581a2c365d93ebb629e8363fd9f69afc673123f

SHA256
ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc

SHA512
6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe
Filesize
186KB

MD5
58b58875a50a0d8b5e7be7d6ac685164

SHA1
1e0b89c1b2585c76e758e9141b846ed4477b0662

SHA256
2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae

SHA512
d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe
Filesize
1.1MB

MD5
566ed4f62fdc96f175afedd811fa0370

SHA1
d4b47adc40e0d5a9391d3f6f2942d1889dd2a451

SHA256
e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460

SHA512
cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
Filesize
2.4MB

MD5
12bfed40940ba9d68f463a79ac394273

SHA1
dd3e3ac6b31a961295b195227b66d3b801495fba

SHA256
904502eeb1bff57b678757add34daaf5708e3215bad99b438c97c18b95055b2a

SHA512
c7ff0810b6e55c2e0719330d81463324bc5f4eb817c7d71bf90b978363e83ab1c679928cfa519216fb438b2860275ef3d3b63c737db1632a4b388ba763fc9b6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
Filesize
2.4MB

MD5
12bfed40940ba9d68f463a79ac394273

SHA1
dd3e3ac6b31a961295b195227b66d3b801495fba

SHA256
904502eeb1bff57b678757add34daaf5708e3215bad99b438c97c18b95055b2a

SHA512
c7ff0810b6e55c2e0719330d81463324bc5f4eb817c7d71bf90b978363e83ab1c679928cfa519216fb438b2860275ef3d3b63c737db1632a4b388ba763fc9b6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TLSFX0~1\MIDIPL~1.0_2\W7W8_x64\MidiplusStudio.inf
Filesize
173KB

MD5
78b587a60e83ccbd1c6a1d3ad2b92550

SHA1
482a43127d4eb5df954922586dc6d23ddbabd48e

SHA256
3c8a4f9ca27c47d6d76bd84c5dc0ccf7e702586ca75c62710e0d966802320613

SHA512
d80b0ed923a88f1a926d7e0f275a8e21cfc9059c95373c097be40983632c9e982b275832382fea3afbc4723f37ef56ea2d2fafdfdf632be117e24956e5813192

Download Submit
C:\Users\Admin\AppData\Local\Temp\TLSFX0~1\MIDIPL~1.0_2\W7W8_x64\MidiplusStudio.sys
Filesize
359KB

MD5
f8f14e22da94b93feeb86a551fcabb19

SHA1
34aa3a742a5240d6b736cb41150e8f83f8e20f96

SHA256
5c4a4f86e2aae919a940e9b525ddc4f1c57db702f5a2875f32c87d53e05bfe2f

SHA512
2908ea25ac4c743b0dac30a53c9cff966f6f152c4624e0ed91d36d92ee320b4bf7fddf4a98fd48702ac40fccc63fac1ac0d40ba8d9fe670a56c46da88cdf2d20

Download Submit
C:\Users\Admin\AppData\Local\Temp\TLSFX0~1\MIDIPL~1.0_2\W7W8_x64\MidiplusStudioCpl.exe
Filesize
510KB

MD5
4414334a491188da144716dbc9ec1269

SHA1
a77c8fa6c0213e47b52505865abb11d5ac08d2f3

SHA256
c912718a6026eef1d5e296cc5bc4dc037df87ca61c54ef769087846e3d954b4e

SHA512
eecdbc4b87bca1bef422228f0ec39ff0d7ea3ba373fc02e18527c9db3795329fc934e76609854fc18d2e4a5761c1d490bbe7f9b3386721d768065a35d98e353c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TLSFX0~1\MIDIPL~1.0_2\W7W8_x64\MidiplusStudioCpl.xml
Filesize
3KB

MD5
01b974f29d9df54fed41a72c85f52476

SHA1
b52f28c180d788d0a781364a876db61535a7f192

SHA256
6ae7b76ddb5da0bde72c4985b7f976c06cfa106d4f6caa4abb7d62da7684176c

SHA512
e3471a2a49391f98a3937fba834bbb3892cb14e162a63e06c13fb269a1d456ef9d98d63b7677dbcd76f17960a0be2990f3f7aa6ae179ba0b2d900df06dca251a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TLSFX0~1\MIDIPL~1.0_2\W7W8_x64\MidiplusStudio_mixer_app.exe
Filesize
404KB

MD5
e0ec1589905410c27f809407c83d32f6

SHA1
4fefd0be666ca08e107c5c6ac1fc11958f245743

SHA256
2e9b75a147f7b5a18b3218785e5d1d70240fc344f4cf28ca5dab5f14d02d7904

SHA512
6355fe49f0814822b4256018b71d901bd60ca1ffa682fa1b9a6203efe952aae6c977483052db5f078437a293f93793caae0c1852756dc8dafd3e12ae9dd36746

Download Submit
C:\Users\Admin\AppData\Local\Temp\TLSFX0~1\MIDIPL~1.0_2\W7W8_x64\MidiplusStudio_mixer_app.xml
Filesize
1KB

MD5
c6d23ec819d15f00cb5cac84c0c90da5

SHA1
f653334a1e7e7bc9fa6dba892bfe0792a2b64373

SHA256
3f2e7e26f60a7318a619a4b13f4301e42cbd2210dfcedc5b53418eb0ba3f705d

SHA512
d84d1f5f691e4e5ee4260744ca366348ca7a6707aa09366a19b7061c990f2f20352bd7f9d89c95c49b220dea40a338325a20dc3aaa70c4246968154085aa6b81

Download Submit
C:\Users\Admin\AppData\Local\Temp\TLSFX0~1\MIDIPL~1.0_2\W7W8_x64\MidiplusStudio_mx.sys
Filesize
40KB

MD5
111811e0bd4ac9735283c8f854ee1b53

SHA1
678af55e0678431227f8e9aa5596f754dcd7ccc4

SHA256
015e6eed8b06106b85df1b9bfb2087643b7397239a91862fe448be1bccef025b

SHA512
81cf370dccd52117d9b789eeca0e72523998cc079d62449ac8250084f365d6105ac0e735a3d1acffd3d846e223e5e9fce1f1634649f8258e9003e9d1e3970b9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TLSFX0~1\MIDIPL~1.0_2\W7W8_x64\MidiplusStudioapi.dll
Filesize
243KB

MD5
06137a852b4b26d3e29e3f813e0fc75a

SHA1
28dcd050547b2d9fd79cf85cee162fd3381f5c23

SHA256
b4b16a7b264ca21bbbdd2aa149aaefdc74fe2a58665000db1b3551fa6557a290

SHA512
94c92153b9c17d7b057d90773ff2877873ea441517bdebfba31840c5c8348296fbec81af8f7f0c341a3066c2b93104c59d5ed888d58c666185b617b3b70502a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TLSFX0~1\MIDIPL~1.0_2\W7W8_x64\MidiplusStudioapi_x64.dll
Filesize
290KB

MD5
139e2217706a830c5f9287e3ccf0426a

SHA1
a5a7ebc6aea1af77eb0e760bb2bc7df5298fc03d

SHA256
11ef3166ed386e891d6ad4f23d68255f112e15ee87b18d3606bb222c471c77f3

SHA512
3bc251a0ff4eaf8eb7e4b07c2318944c26e9ee6a571aa57d5b047f583b8e786e60028891828d12025e73d4195e34f7b1b6b63beb388783f42c4b54df1557a451

Download Submit
C:\Users\Admin\AppData\Local\Temp\TLSFX0~1\MIDIPL~1.0_2\W7W8_x64\MidiplusStudioasio.dll
Filesize
207KB

MD5
acc4b1e62d5a77bb441b6a89d6e2140d

SHA1
3f4cc8bb7d6bd88bc5c1ce616578f38f09a67deb

SHA256
2716dfa6d46f170323aec2e7824a3496715146d30dc28aa8db20421b983fbcf6

SHA512
aa79dfbc7079f4beeeb8d8eefa47475cc2230984db869d18418f3473750a1172d670beee4dc0e42808f9348d757a1be3aa345f1708fb6d7e31f9dea097ffd7a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TLSFX0~1\MIDIPL~1.0_2\W7W8_x64\MidiplusStudioasio_x64.dll
Filesize
244KB

MD5
32e94f070c53728e8187adca1e1586b3

SHA1
b2ac3f45700b784754c83043421aa4b3a52eaf7b

SHA256
95c48fbefc336d20807f14b51d4eefb757ce3bec6e9181a3a53f6798467e5ea9

SHA512
2b4d99a505bfc50ae6ccb41f23f1a79fa32f16608826e4b02fe1fec6dd7c74f3691736378ae76615078ade8d8ecbb257604c30f46889ce3cc6f71f4d320e62ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\TLSFX0~1\MIDIPL~1.0_2\W7W8_x64\MidiplusStudioks.inf
Filesize
12KB

MD5
729044453d694ba38e525e05d0faf95a

SHA1
69191b4f33f01a6ba551b12591f21080b1d008e3

SHA256
4819b0a5dd4b95ec8954bdfb9371acc8402a9a0416d5e0104d29c7b30951f9bf

SHA512
ccb0d17d6abc7b26ed43b8b62063a20e8c15feb71493b1f42010c6dd7b240987187cbb9590f96521e4f637cfbe6c27d0deaa5abf8b2a48e46563628cb47c1ce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\TLSFX0~1\MIDIPL~1.0_2\W7W8_x64\MidiplusStudioks.sys
Filesize
51KB

MD5
21fc32b2463a049811439a4d6c65debd

SHA1
4ef09b198927bd248d4e13c2e4b14a6547bcc2e8

SHA256
372197983f04a17aa8bf668c5d6f67f3b42f11601e7f9c17df719205f63e5af4

SHA512
e0b4ffcc687df378c62c70ef1c58eb1cad40380f57277c35cd41a4f9742885cd2cd7cd8abd2ad854084e361ac6b4332d05707519c1852599ec73d54de099db14

Download Submit
C:\Users\Admin\AppData\Local\Temp\TLSFX0~1\MIDIPL~1.0_2\W7W8_x64\custom.ini
Filesize
261B

MD5
e228c0eb8e4a34e165466dc99410ff96

SHA1
0b69d3ef27a57f5bd5333d153f599819e8dce813

SHA256
427a5ed91e9882186aa76fd5e6b6e320e46072d1fc949ee7c59eace7d5255c35

SHA512
3e733b5b48b8496ea7c88b41f010ea75c927090ca71a17dbc2c7e360d8636896a1f8e23abfc74d9722f36e69b42dc546f9d33477495751f9c752baffe5134a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\TLSFX0~1\MIDIPL~1.0_2\W7W8_x64\midiplusstudio.cat
Filesize
12KB

MD5
d32b1d478ed71c9eb347972b72886343

SHA1
ab0f7c6f4d7fcce4639e95c6c08f61a6b4725706

SHA256
ca90d84c7eaa86f089cfe58a2a3294f592d13fa0f489a4add72c9522f4501d4d

SHA512
9bdafd32c56a10c20039bbc02f975bdbdac9ff22172857abd463279ff0002887536fa1b84bbd4460f81e740ed9071117c2b98756024d03ee5ce64f093b2c7991

Download Submit
C:\Users\Admin\AppData\Local\Temp\TLSFX0~1\MIDIPL~1.0_2\W7W8_x64\midiplusstudioks.cat
Filesize
12KB

MD5
c02baa3e7f236b5c8bb93bee72955942

SHA1
ab222a38d4be8a33115ef8f388cf377e425237b1

SHA256
9265f93d133c75eeec8ed075e058fe567caa5b4a26394e7c1df6898b9d68c045

SHA512
ad81eb155b4a08fd380d828b0c1d5fc6e4366ad8c838472dbc98b64dba3f04b584d307172069da7046675774f029f54e950ae9d5074a05ec8004cd648df66a3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TLSFX0~1\MIDIPL~1.0_2\midiplus.ico
Filesize
4KB

MD5
9348b61389620bc3d79c75e995a6348e

SHA1
94264ecde6a132cc306ad0fde0d572dc55262895

SHA256
bd4bb3859b850484dc9ff57e53166b8623a47ab5c460018d59ab1481cc8d076e

SHA512
e9d9e6cd7cf937a494b0886931c8b88aa4978912a3562d8306a735478d2f9044e1a66a3bdeec2845e4273667bfe576577b1e3c9782bef02a803266bcff79b67f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TLSFX0~1\MIDIPL~1.0_2\setup.exe
Filesize
1.6MB

MD5
a25fbd4cab3e49823463736d60ed128b

SHA1
08fe2a9dc9300fb19ce1443a2be96d3832c862f4

SHA256
54e1dcb4cf116e774cd04909a97adca774a634b6659c1aa3c81077506fd37ed4

SHA512
4308ef6215690ff2d278064741985697994d5cade719395ba6e3c457b679daaecfdde2cf14c39da264f8a4c73bdccefe206ea0aeb524f37c3addbbdf8db36570

Download Submit
C:\Users\Admin\AppData\Local\Temp\TLSFX0~1\MIDIPL~1.0_2\setup.exe
Filesize
1.6MB

MD5
a25fbd4cab3e49823463736d60ed128b

SHA1
08fe2a9dc9300fb19ce1443a2be96d3832c862f4

SHA256
54e1dcb4cf116e774cd04909a97adca774a634b6659c1aa3c81077506fd37ed4

SHA512
4308ef6215690ff2d278064741985697994d5cade719395ba6e3c457b679daaecfdde2cf14c39da264f8a4c73bdccefe206ea0aeb524f37c3addbbdf8db36570

Download Submit
C:\Users\Admin\AppData\Local\Temp\TLSFX0~1\MIDIPL~1.0_2\setup.ini
Filesize
4KB

MD5
d644e9ee90d525a36c6515bbd77fc26a

SHA1
60280fec88d41e3422dcc4815edfea95965655b9

SHA256
46733e8705779e45eae147ed53601618e95b6413a25d7c59f5f958a3da40ccc5

SHA512
6400c28c53522ac547190dcbc4408425283c89cdb54a8fbbc3d7c75624012bb5aa172f532923a8294179adde7a7f55579903b96d7da5e1d1a162d80efc08ffad

Download Submit
C:\Users\Admin\AppData\Local\Temp\TLSFX0~1\MIDIPL~1.0_2\vendor.cer
Filesize
1KB

MD5
13dc246523820c21744d684ace600d5f

SHA1
adce0acd964a27d37a0ed4c8bcec91f5c9714f2c

SHA256
dc746e21d17434aa282bc4392456eeec2f95327ea8caf5b91c6ca38fd0971434

SHA512
f3da6dcef636a4c6889eb60b038db89dac7e8e1c3e94b721246ad7d83d0d5e423ddc4b8bfc280714872ab95557ff3f2184f9f867ad2f8eeecbae96694c337839

Download Submit
C:\Users\Admin\AppData\Local\Temp\TUSBAudio_setup.log
Filesize
4KB

MD5
455f1ba717fbd31cdbc2982dd1bf23c8

SHA1
08bd52595d7ccd89ba0f6e49640a118b87df0a63

SHA256
e11d0c6fe8d19181116e2b922afa1cc90a69de61f249d8d3a4d8599f7a74ba93

SHA512
be3b754dc54a6b5b5d8189c18a59c5fd2efc65029783ae72b1c2cc259b8786fcb08bcbdb849826d3431949dc3decc6fc44a59d76034b00f1905d6133cd886af2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TUSBAudio_setup.log
Filesize
4KB

MD5
6beaa2227eb2dfa9c746ec696bad017f

SHA1
f44aa1282f60f60cd94a31813573862ce19d4491

SHA256
ae469d81adc37b7a9bda84517a549d31bafdf09583d8ec2c86d6d2f078dc8057

SHA512
52f51096c20e2f36fce7d1731df40170f77cad797d087901e5f2a1f2a8b67134959e57c0335b9c4fc81dfd60071253da937e0b396fcad5ae54a09fe0588be150

Download Submit
C:\Users\Admin\AppData\Local\Temp\TUSBAudio_setup.log
Filesize
1KB

MD5
9be6d8884ba9efdc9ba58007e7d76844

SHA1
cbbe4c0dea4636ae0060994f7ece304186326295

SHA256
6b5492d627119a9d3f3ac13b401b2be0f750a06d7dbc27b4d7a4b82991e7359d

SHA512
0568494fe7ee1c787e037173ef8ad96cc2e4da87b11762ae9cd062c608a3c1c1e6f4a93de56d0f31fada96b78761bafb1928e478c2c552c37809f6295cb2a2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\TUSBAudio_setup.log
Filesize
1KB

MD5
c8fafead51b5594f172ae5e57785478d

SHA1
1506cc63f2c91f8e734de9cb3b17c71546a2a5ea

SHA256
40da7e95bbbab55e8a72012e63aced61dd05dcad906d3330fdeab804b8e6c115

SHA512
224aa65fca2b07a6cdc085d81cb0dc932e79a2466452d85bb18655ff2550f63a867ce2da9af1bfb0b2c2ded2e0d47bfbfe317e1ac3fe102dd89bbac8be0bb0a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst10E5.tmp\nsd1124.tmp
Filesize
215KB

MD5
eb639085a89390b3b1e2b36403bf66c6

SHA1
4b88086d14fcf1c3414f97d34cf9d33789d77305

SHA256
dbcad94024177ce8df121a428fb6b9db8d3c992ebee57f01d57f30bdfd2c0b4c

SHA512
ba631ddda67fd28f5f33956dbd4ad1f3e17be254bb055364bd96c8094ac9a0b17252d08ab3b7568103e38f1a746adad0391a761962ab7eda11a8e07208bec9d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst10E5.tmp\nsd1124.tmp
Filesize
215KB

MD5
eb639085a89390b3b1e2b36403bf66c6

SHA1
4b88086d14fcf1c3414f97d34cf9d33789d77305

SHA256
dbcad94024177ce8df121a428fb6b9db8d3c992ebee57f01d57f30bdfd2c0b4c

SHA512
ba631ddda67fd28f5f33956dbd4ad1f3e17be254bb055364bd96c8094ac9a0b17252d08ab3b7568103e38f1a746adad0391a761962ab7eda11a8e07208bec9d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst10E5.tmp\nsd1124.tmp
Filesize
215KB

MD5
eb639085a89390b3b1e2b36403bf66c6

SHA1
4b88086d14fcf1c3414f97d34cf9d33789d77305

SHA256
dbcad94024177ce8df121a428fb6b9db8d3c992ebee57f01d57f30bdfd2c0b4c

SHA512
ba631ddda67fd28f5f33956dbd4ad1f3e17be254bb055364bd96c8094ac9a0b17252d08ab3b7568103e38f1a746adad0391a761962ab7eda11a8e07208bec9d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst10E5.tmp\nsd1124.tmp
Filesize
215KB

MD5
eb639085a89390b3b1e2b36403bf66c6

SHA1
4b88086d14fcf1c3414f97d34cf9d33789d77305

SHA256
dbcad94024177ce8df121a428fb6b9db8d3c992ebee57f01d57f30bdfd2c0b4c

SHA512
ba631ddda67fd28f5f33956dbd4ad1f3e17be254bb055364bd96c8094ac9a0b17252d08ab3b7568103e38f1a746adad0391a761962ab7eda11a8e07208bec9d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst10E5.tmp\nsd1125.tmp
Filesize
154B

MD5
d1ae6700a38bff356c4922230cc65dc1

SHA1
5cd2c3b972bf87e69da5315cd9b7dd1b1a1067e8

SHA256
d6074e437f5511cc173aff9f0443ebb6a4fd30480ddee32d3e9da393b6405856

SHA512
8cf2ae13c14f9ea92fc965f7a3da141b9c71de721261a230a6f410aea21c205018644a198e012b8cf9eea8970677e013c1fe8a3a02dfc4eec40cd5e6243ac57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst10E5.tmp\nsd1125.tmp
Filesize
51B

MD5
94cc07b25c37551e44688ae5b8359c97

SHA1
00a4e6769c2e47a6cb576485dfe3ca718b03d128

SHA256
ed2a37ee583d57d21234e86cde8c9b11a8941ad8fe9670e91af0e8ded8fb9f61

SHA512
8b00a20fc7a4bd8d2094a7d7933ff99061285e1736cb25dc7c012225600591b53345f7d321fe3853a6f0bd6bd51714ca276e72d7b83f10244a82ca39e45cc7e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst10E5.tmp\nsd1125.tmp
Filesize
125B

MD5
a685c6829bb15c6ecb8c8c89ca0cd566

SHA1
d06edd984fb62146c9bf8ff6062940cc7e1cb4c0

SHA256
33635c92f5b6d4c3b56a50df4f8645ca454e56ed8f2a167655b14bfe1d89d60e

SHA512
c7752c39c7a67d11aef5ce861077af9a4ba1fa77c8793911ac3e93be8345dc38ebcb013b5a5fe45c2c35ea94b063f1fae9ac2072928f8978f0ec9b93a0ef7ea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst10E5.tmp\nsd1125.tmp
Filesize
40B

MD5
4b99522639aad0cc9b6c420856bb66b8

SHA1
670781d6a11fbabf64ee086c0d4def832592f56f

SHA256
b5235906b7e6aeed9fc7ecac40fc9bee33670bebc3a6a11203eabbe510557a09

SHA512
898a5b0f70eaab9089e9ca552ee27bfce2728c925f8f5d630ee712ee964dedf5fe458af4770c33dc8a0e06303d1ec1058644ee46ef1775d709a03e3f60b9ef0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst10E5.tmp\nsd1125.tmp
Filesize
170B

MD5
126292073a3b8320d88b474a80e717f5

SHA1
dbfa5a070bf7de71b968ca4d4bbd70faa6f69dfb

SHA256
82bb429206c6cee977506f2628bcff1c766c142171900a4d0cdeed5ba8084bac

SHA512
9dc8e2a9553a50e71016349308ca88b292b1e6162392ee2934be998f9bd48b08e49c60225ea6ad476a4e0ec2722b84ca25ffa3965f1db40f23555d0b0747ad25

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst10E5.tmp\nsd1125.tmp
Filesize
69B

MD5
47674528822fe7bd92ba2f65bd503044

SHA1
91396cb962ad11506fc17699011945fca912781c

SHA256
ad900ea7bc9738a33b8af27c3f243c5b0ba0c169893d6551af294371f5fdfe99

SHA512
1df030248f91d082602a09c57f1bb80079ec2bd0c23c19a493d373ca675b856422db0a851f370cd3de0275c2a7b23f2fa534016b8c5f1b36ce62850b65a7143e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst10E5.tmp\nsd1125.tmp
Filesize
297B

MD5
7ba6b94cae84d11164364c9193e7fe70

SHA1
1e44c0b1d870a89a96ca64833cd1873a02034d49

SHA256
8ad3c01bb40aa204f325081d3dcf0b423300e2d5c1d9cf919127f305b70ce5f6

SHA512
485bcaf6556b8263600802a48960f1d885198d281143da243c917fa03667d14482755eaf2717a2a6ed3e3b43d708c3f8fa5f8d3ead98ad2617945321720849b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst10E5.tmp\nsd1125.tmp
Filesize
35B

MD5
e7a4229b292dc7356ebeef99d7012748

SHA1
eab3d5f5a35d9e782e53fef2edb40620cf13a133

SHA256
f21ed17b37e926370c163b254c860a564c508b5de9f003c179e5a7cb1461536a

SHA512
0f1d3869bb8dd053c647062f9329124bcecb7ee9d266e8feda75e9f49607bff3d403fefc9a14ea60ef1f75c37fbba069469eab2d0b81a1d0b48210a1035b79ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst10E5.tmp\nst1136.cfg
Filesize
1KB

MD5
9736f5d535bd31b46f9a57884344afac

SHA1
e90bb2230a57e508d216e7de22a0c8acf890a1cf

SHA256
e8d86e5ced96cbbd2bca7bb54a2aaa10069e28d6e8a31cb5f36fc0bdae8d39fa

SHA512
2199b65b29b0af6e522fcd93cd3e85c54361505354cee0fc829a2aca797acb3caec032bf1a326228681cee84f1d85a8bb06fd6d16095f70c1a67332da7d0ca9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst10E5.tmp\nst1136.cfg
Filesize
1KB

MD5
a6af541830d79c480afe358779f1987c

SHA1
d02ec728a48d9968515b9f5feb7ff7656632a7f0

SHA256
1e309f62f9cb9dcf12053ef5f1b0b2e2fad40b7f97656a3ae2dc088a48471ddb

SHA512
9799df336cc960b74b072d52ab6bcd2c7a6c6eafa064a6dfc81b13b21b2839ffc916381d4be142cd1864b7d54de89797815ece81d47a9bd90a6867a9d3db5e38

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst10E5.tmp\nst1136.tmp
Filesize
391KB

MD5
36491457eb0577dfc6f4e757e4295954

SHA1
cf8b2b2e12b890bfab6c21c2b61c6ac2f8ffac0c

SHA256
d947b7ed40dd037e0a12967bfc03e28cd8fbd3468a579c335512585dbbfe14f9

SHA512
0febf84ac03e71fe602f014035cafa206a67bafc6fe713fe32f659441609c328dfd83818d49bb8717ee5321a6b12f5689e352c6d1fbf33d4553a11e6b7073df8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tlsfx0A74B61C\Midiplus_Studio_v4.55.0_2018-11-09\setup.bmp
Filesize
150KB

MD5
34c6522f269e7bafc039dafd0fe08d9b

SHA1
29b59d4f58a59823ac602b0055dbb1832226f3d0

SHA256
5ad40846993798362828a7d9325da8b4c7633b4762296cc5f259ee1a6689175f

SHA512
b439cae7ba6a1512609a397b81be50fb0f8e35283bcd7ba7bf488bacb695d6bb3ee2963cca1b13baf9c76d24ab9187ccc3e4ac92cd7d6aa02a4b0fdfc9b73c14

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
ac5bda699934d6a4ee7e28cbc44d1289

SHA1
c8b61e96de2eb73e68870083cdad9152ec541736

SHA256
ba3ef7d633932c230c3d6ef159816264021224e43f42ca03d60f3e80a5cfe165

SHA512
8ecad16e2b66217bce80e85eb25cc210eea8673bc31da83dd70920cf1ed2dc394e6726ec9c2b892bdbb0d5b5c8e62db2755330b74f5eaab73bb6964371ec340f

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
ac5bda699934d6a4ee7e28cbc44d1289

SHA1
c8b61e96de2eb73e68870083cdad9152ec541736

SHA256
ba3ef7d633932c230c3d6ef159816264021224e43f42ca03d60f3e80a5cfe165

SHA512
8ecad16e2b66217bce80e85eb25cc210eea8673bc31da83dd70920cf1ed2dc394e6726ec9c2b892bdbb0d5b5c8e62db2755330b74f5eaab73bb6964371ec340f

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\226e34dfc46fa9247f610520b83d16286dd81afdd20a58a13b236aa6a1b1d059.exe
Filesize
2.4MB

MD5
12bfed40940ba9d68f463a79ac394273

SHA1
dd3e3ac6b31a961295b195227b66d3b801495fba

SHA256
904502eeb1bff57b678757add34daaf5708e3215bad99b438c97c18b95055b2a

SHA512
c7ff0810b6e55c2e0719330d81463324bc5f4eb817c7d71bf90b978363e83ab1c679928cfa519216fb438b2860275ef3d3b63c737db1632a4b388ba763fc9b6f

Download Submit
\Users\Admin\AppData\Local\Temp\TLSFX0~1\MIDIPL~1.0_2\setup.exe
Filesize
1.6MB

MD5
a25fbd4cab3e49823463736d60ed128b

SHA1
08fe2a9dc9300fb19ce1443a2be96d3832c862f4

SHA256
54e1dcb4cf116e774cd04909a97adca774a634b6659c1aa3c81077506fd37ed4

SHA512
4308ef6215690ff2d278064741985697994d5cade719395ba6e3c457b679daaecfdde2cf14c39da264f8a4c73bdccefe206ea0aeb524f37c3addbbdf8db36570

Download Submit
\Users\Admin\AppData\Local\Temp\nsd10D4.tmp\System.dll
Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
\Users\Admin\AppData\Local\Temp\nsd10D4.tmp\nsExec.dll
Filesize
6KB

MD5
e54eb27fb5048964e8d1ec7a1f72334b

SHA1
2b76d7aedafd724de96532b00fbc6c7c370e4609

SHA256
ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824

SHA512
c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4

Download Submit
\Users\Admin\AppData\Local\Temp\nsd10D4.tmp\nsExec.dll
Filesize
6KB

MD5
e54eb27fb5048964e8d1ec7a1f72334b

SHA1
2b76d7aedafd724de96532b00fbc6c7c370e4609

SHA256
ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824

SHA512
c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4

Download Submit
\Users\Admin\AppData\Local\Temp\nsd10D4.tmp\nsExec.dll
Filesize
6KB

MD5
e54eb27fb5048964e8d1ec7a1f72334b

SHA1
2b76d7aedafd724de96532b00fbc6c7c370e4609

SHA256
ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824

SHA512
c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4

Download Submit
\Users\Admin\AppData\Local\Temp\nsd10D4.tmp\nsExec.dll
Filesize
6KB

MD5
e54eb27fb5048964e8d1ec7a1f72334b

SHA1
2b76d7aedafd724de96532b00fbc6c7c370e4609

SHA256
ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824

SHA512
c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4

Download Submit
\Users\Admin\AppData\Local\Temp\nst10E5.tmp\nsd1124.tmp
Filesize
215KB

MD5
eb639085a89390b3b1e2b36403bf66c6

SHA1
4b88086d14fcf1c3414f97d34cf9d33789d77305

SHA256
dbcad94024177ce8df121a428fb6b9db8d3c992ebee57f01d57f30bdfd2c0b4c

SHA512
ba631ddda67fd28f5f33956dbd4ad1f3e17be254bb055364bd96c8094ac9a0b17252d08ab3b7568103e38f1a746adad0391a761962ab7eda11a8e07208bec9d4

Download Submit
\Users\Admin\AppData\Local\Temp\nst10E5.tmp\nsd1124.tmp
Filesize
215KB

MD5
eb639085a89390b3b1e2b36403bf66c6

SHA1
4b88086d14fcf1c3414f97d34cf9d33789d77305

SHA256
dbcad94024177ce8df121a428fb6b9db8d3c992ebee57f01d57f30bdfd2c0b4c

SHA512
ba631ddda67fd28f5f33956dbd4ad1f3e17be254bb055364bd96c8094ac9a0b17252d08ab3b7568103e38f1a746adad0391a761962ab7eda11a8e07208bec9d4

Download Submit
\Users\Admin\AppData\Local\Temp\nst10E5.tmp\nsd1124.tmp
Filesize
215KB

MD5
eb639085a89390b3b1e2b36403bf66c6

SHA1
4b88086d14fcf1c3414f97d34cf9d33789d77305

SHA256
dbcad94024177ce8df121a428fb6b9db8d3c992ebee57f01d57f30bdfd2c0b4c

SHA512
ba631ddda67fd28f5f33956dbd4ad1f3e17be254bb055364bd96c8094ac9a0b17252d08ab3b7568103e38f1a746adad0391a761962ab7eda11a8e07208bec9d4

Download Submit
\Users\Admin\AppData\Local\Temp\nst10E5.tmp\nsd1124.tmp
Filesize
215KB

MD5
eb639085a89390b3b1e2b36403bf66c6

SHA1
4b88086d14fcf1c3414f97d34cf9d33789d77305

SHA256
dbcad94024177ce8df121a428fb6b9db8d3c992ebee57f01d57f30bdfd2c0b4c

SHA512
ba631ddda67fd28f5f33956dbd4ad1f3e17be254bb055364bd96c8094ac9a0b17252d08ab3b7568103e38f1a746adad0391a761962ab7eda11a8e07208bec9d4

Download Submit
\Users\Admin\AppData\Local\Temp\nst10E5.tmp\nst1136.tmp
Filesize
391KB

MD5
36491457eb0577dfc6f4e757e4295954

SHA1
cf8b2b2e12b890bfab6c21c2b61c6ac2f8ffac0c

SHA256
d947b7ed40dd037e0a12967bfc03e28cd8fbd3468a579c335512585dbbfe14f9

SHA512
0febf84ac03e71fe602f014035cafa206a67bafc6fe713fe32f659441609c328dfd83818d49bb8717ee5321a6b12f5689e352c6d1fbf33d4553a11e6b7073df8

Download Submit
\Users\Admin\AppData\Local\Temp\nst10E5.tmp\nst1136.tmp
Filesize
391KB

MD5
36491457eb0577dfc6f4e757e4295954

SHA1
cf8b2b2e12b890bfab6c21c2b61c6ac2f8ffac0c

SHA256
d947b7ed40dd037e0a12967bfc03e28cd8fbd3468a579c335512585dbbfe14f9

SHA512
0febf84ac03e71fe602f014035cafa206a67bafc6fe713fe32f659441609c328dfd83818d49bb8717ee5321a6b12f5689e352c6d1fbf33d4553a11e6b7073df8

Download Submit
\Users\Admin\AppData\Local\Temp\nst10E5.tmp\nst1136.tmp
Filesize
391KB

MD5
36491457eb0577dfc6f4e757e4295954

SHA1
cf8b2b2e12b890bfab6c21c2b61c6ac2f8ffac0c

SHA256
d947b7ed40dd037e0a12967bfc03e28cd8fbd3468a579c335512585dbbfe14f9

SHA512
0febf84ac03e71fe602f014035cafa206a67bafc6fe713fe32f659441609c328dfd83818d49bb8717ee5321a6b12f5689e352c6d1fbf33d4553a11e6b7073df8

Download Submit
\Users\Admin\AppData\Local\Temp\nst10E5.tmp\nst1136.tmp
Filesize
391KB

MD5
36491457eb0577dfc6f4e757e4295954

SHA1
cf8b2b2e12b890bfab6c21c2b61c6ac2f8ffac0c

SHA256
d947b7ed40dd037e0a12967bfc03e28cd8fbd3468a579c335512585dbbfe14f9

SHA512
0febf84ac03e71fe602f014035cafa206a67bafc6fe713fe32f659441609c328dfd83818d49bb8717ee5321a6b12f5689e352c6d1fbf33d4553a11e6b7073df8

Download Submit
memory/1060-66-0x0000000000000000-mapping.dmp

Download
memory/1100-54-0x0000000074B51000-0x0000000074B53000-memory.dmp

Filesize
8KB

Download
memory/1180-61-0x0000000000000000-mapping.dmp

Download
memory/1636-117-0x0000000000000000-mapping.dmp

Download
memory/1700-83-0x0000000000000000-mapping.dmp

Download
memory/1812-73-0x0000000000000000-mapping.dmp

Download
memory/1824-90-0x0000000000000000-mapping.dmp

Download
memory/1952-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads