neshta | 2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-05-2024 19:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
Size

6.7MB
MD5

a88ec3f748e3ee980f673640600b9e3e
SHA1

620b4a092b42303da603cd5e5ad7b4b168fac3e1
SHA256

2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0
SHA512

1ebd5eff754589b7f867fde35dd5bd89c7173c2d24052c9e69941617bbbbc9b860c12ebe970e28ca9ce6df0f617657f7e6094ef2f56d9ec19bf4f6063d38f444
SSDEEP

196608:JZpI4RiEGMFwaD/s/exVctPfPmonwOvRE/LHE1DmJi10vg6DQKnwbHG:Jc4RirOwaDE/gVuPfPhwOvR8LHomg0vB

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 2 IoCs

Processes:

2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exeTeamViewer_.exe

pid process

2984 2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
2672 TeamViewer_.exe

pid	process
2984	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
2672	TeamViewer_.exe

Loads dropped DLL 13 IoCs

Processes:

2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exeTeamViewer_.exe

pid	process
2772	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
2984	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
2984	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
2672	TeamViewer_.exe
2672	TeamViewer_.exe
2672	TeamViewer_.exe
2672	TeamViewer_.exe
2772	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
2672	TeamViewer_.exe
2672	TeamViewer_.exe
2672	TeamViewer_.exe
2672	TeamViewer_.exe
2672	TeamViewer_.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 64 IoCs

Processes:

2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe

Drops file in Windows directory 1 IoCs

Processes:

2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe

description ioc process

File opened for modification C:\Windows\svchost.com 2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe

Modifies registry class 1 IoCs

Processes:

2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

TeamViewer_.exe

pid process

2672 TeamViewer_.exe

pid	process
2672	TeamViewer_.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe

description	pid	process	target process
PID 2772 wrote to memory of 2984	2772	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
PID 2772 wrote to memory of 2984	2772	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
PID 2772 wrote to memory of 2984	2772	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
PID 2772 wrote to memory of 2984	2772	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
PID 2984 wrote to memory of 2672	2984	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe	TeamViewer_.exe
PID 2984 wrote to memory of 2672	2984	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe	TeamViewer_.exe
PID 2984 wrote to memory of 2672	2984	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe	TeamViewer_.exe
PID 2984 wrote to memory of 2672	2984	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe	TeamViewer_.exe
PID 2984 wrote to memory of 2672	2984	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe	TeamViewer_.exe
PID 2984 wrote to memory of 2672	2984	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe	TeamViewer_.exe
PID 2984 wrote to memory of 2672	2984	2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe	TeamViewer_.exe

C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
"C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2772

C:\Users\Admin\AppData\Local\Temp\3582-490\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2984

C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version8\TeamViewer_.exe
"C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version8\TeamViewer_.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:2672

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE
Filesize
859KB

MD5
754309b7b83050a50768236ee966224f

SHA1
10ed7efc2e594417ddeb00a42deb8fd9f804ed53

SHA256
acd32dd903e5464b0ecd153fb3f71da520d2e59a63d4c355d9c1874c919d04e6

SHA512
e5aaddf62c08c8fcc1ae3f29df220c5c730a2efa96dd18685ee19f5a9d66c4735bb4416c4828033661990604669ed345415ef2dc096ec75e1ab378dd804b1614

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd91E5.tmp\advanced_unicode.ini
Filesize
1KB

MD5
8b3e104f11c5d046bd93df4e9fb40f4e

SHA1
0362bb65744a07563dc05cd612dd54a865233d79

SHA256
cc18c611578d796a879cac46746406dbaa96eddd544d7a12d4fa56856cb2cbc1

SHA512
edc08be542234c3ed6a94c46c610eb5398782c580859eda11f35df6112b3dfee10cf4be068c7a87f39a339f10a9176350cae9f657857375d641a35d5d151ced8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd91E5.tmp\start_unicode.ini
Filesize
2KB

MD5
1509714929f3c77b929fda542207d98c

SHA1
b955f918b1f0a1669017af939070789fa325f2bc

SHA256
b76e27078dd3b56b8270d45d2747bfe1406ce18e52d22dea154d306dafad2312

SHA512
cb683846fbb35d69d57f636bf5e10db4150393cbea831101ee25107be65d95de29bf550d13d8a0567b96a93c6a80d10f5f821b888aa5227b995a9bddd3916b7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd91E5.tmp\start_unicode.ini
Filesize
2KB

MD5
2812313919a4ffba55d1a5e116f9b4bb

SHA1
c8d04ecbb89056e4d3110042869e48aaf014979f

SHA256
31773446151248f732c087a5c47cd244e931f57efdbb53ff3f964d8f703ef813

SHA512
8037e1d9109842f8dbb5e113e587fa3b216ab24c7f8ee05f9ef3894908a51afc26d0ec8e47a4dc1d0455f727c5b75497817b8797da1dc8ff080f88afa8b13db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso8F65.tmp\TvGetVersion.dll
Filesize
152KB

MD5
63a1e68cac00ced9a223a63dfef18fb2

SHA1
ed06a5a6feec468ad1860f3b43fbfbbe90ec9eea

SHA256
aad1cf72dca9ba974257991d9299be7bbf3e02c26b23fc72a9710cde34e441c2

SHA512
48bfabe6c54e7a5590814bfa8db48c519b85d5565c4d5b344aa5357e14dc2a69e23d158b76e6eb2c9f44c4c811590c118d092864dc18b02f592d76c73601e67b

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
Filesize
6.7MB

MD5
36237f67229d22e30adb39ef6d31d123

SHA1
7f46b4633a8e2c345816b1793fe02eaa695a91cb

SHA256
f832d64b97f085f3acc071f4f035472bc65c0e9f91e6a9c5413943da80f6fdcf

SHA512
01437e820d4054082f3d7829bafff904f736890c8cb40ab8e9e81c987ca7ee5808da725ee85aca9a18028042a46dcba0a055fd50a32ccff2036a87780c1f8c90

Download Submit
\Users\Admin\AppData\Local\Temp\TeamViewer\Version8\TeamViewer_.exe
Filesize
6.5MB

MD5
88b755bdd635d5d10f49823a3e9fe775

SHA1
568e684b1a3eee0b8511523e8658916e646f214f

SHA256
372400dfe62c18b70e408723319856a853bf5694ec864e6ab8bf1d5b8fb4f88a

SHA512
bee2498686011c37f29c63edccd4a31489c92039298a676e18a085cbc08f3b09383c35d28619bdd8cda705e6549c5585304558d834fc6c29003dfdb925fe73ea

Download Submit
\Users\Admin\AppData\Local\Temp\nsd91E5.tmp\InstallOptions.dll
Filesize
15KB

MD5
89351a0a6a89519c86c5531e20dab9ea

SHA1
9e801aaaae9e70d8f7fc52f6f12cedc55e4c8a00

SHA256
f530069ef87a1c163c4fd63a3d5b053420ce3d7a98739c70211b4a99f90d6277

SHA512
13168fa828b581383e5f64d3b54be357e98d2eb9362b45685e7426ffc2f0696ab432cc8a3f374ce8abd03c096f1662d954877afa886fc4aa74709e6044b75c08

Download Submit
\Users\Admin\AppData\Local\Temp\nsd91E5.tmp\System.dll
Filesize
11KB

MD5
bf712f32249029466fa86756f5546950

SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

Download Submit
\Users\Admin\AppData\Local\Temp\nsd91E5.tmp\UserInfo.dll
Filesize
4KB

MD5
c7ce0e47c83525983fd2c4c9566b4aad

SHA1
38b7ad7bb32ffae35540fce373b8a671878dc54e

SHA256
6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae

SHA512
ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e

Download Submit
\Users\Admin\AppData\Local\Temp\nsd91E5.tmp\linker.dll
Filesize
45KB

MD5
4ac3f0ab2e423515ed9c575333342054

SHA1
a3e4f2b2135157f964d471564044b023a64f2532

SHA256
f223d6c72f86544b358a6301daf60ccdd86198f32e3447a1860acf3f59f2dae9

SHA512
8fbd5b4989be51c27fa15af155d2921bea9aa5d0557a22d4224256e678dfe7dcaa5f80917a748c31dc9c9a91573e4618e2497ccfd47eefd7a0fa08c12366a1e5

Download Submit
memory/2772-360-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2772-361-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2772-362-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2772-363-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2772-365-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads