neshta | 44e8a04b410256c9201da884a6582771e0c0394729f85ac6a7cc1ae96a4ab8fa

Analysis

max time kernel
142s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/10/2024, 21:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

676cc53b7a5a82fae31a378d21a81bb5_JaffaCakes118.exe
Size

13.2MB
MD5

676cc53b7a5a82fae31a378d21a81bb5
SHA1

e29470049a2a57409990e9b8d6c84f59f915647a
SHA256

44e8a04b410256c9201da884a6582771e0c0394729f85ac6a7cc1ae96a4ab8fa
SHA512

745b80524c2a2bb829e5aff480ef27c777b8d13848f08c3764a4b7a7468c46417094bd571b73987e364ee19ed0eacd27610d724f130de2d136c91540059e5800
SSDEEP

393216:5wk1j7BMh3WP+vBXKvPcZe9DGHpld97fapVZBX:vfBMh3Z0M6OlWpVZBX

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000500000001925e-190.dat	family_neshta
behavioral1/memory/2248-421-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2248-539-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Executes dropped EXE 2 IoCs

pid	Process
2248	WindowsDoctor.exe
780	WindowsDoctor.exe

Loads dropped DLL 14 IoCs

pid	Process
2792	676cc53b7a5a82fae31a378d21a81bb5_JaffaCakes118.exe
2792	676cc53b7a5a82fae31a378d21a81bb5_JaffaCakes118.exe
2792	676cc53b7a5a82fae31a378d21a81bb5_JaffaCakes118.exe
2792	676cc53b7a5a82fae31a378d21a81bb5_JaffaCakes118.exe
2248	WindowsDoctor.exe
780	WindowsDoctor.exe
780	WindowsDoctor.exe
780	WindowsDoctor.exe
780	WindowsDoctor.exe
780	WindowsDoctor.exe
780	WindowsDoctor.exe
780	WindowsDoctor.exe
780	WindowsDoctor.exe
2248	WindowsDoctor.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	WindowsDoctor.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	WindowsDoctor.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	WindowsDoctor.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	WindowsDoctor.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	WindowsDoctor.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	WindowsDoctor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsDoctor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	WindowsDoctor.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	WindowsDoctor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	676cc53b7a5a82fae31a378d21a81bb5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsDoctor.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	WindowsDoctor.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	WindowsDoctor.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	780	WindowsDoctor.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
780	WindowsDoctor.exe
780	WindowsDoctor.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2248	2792	676cc53b7a5a82fae31a378d21a81bb5_JaffaCakes118.exe	30
PID 2792 wrote to memory of 2248	2792	676cc53b7a5a82fae31a378d21a81bb5_JaffaCakes118.exe	30
PID 2792 wrote to memory of 2248	2792	676cc53b7a5a82fae31a378d21a81bb5_JaffaCakes118.exe	30
PID 2792 wrote to memory of 2248	2792	676cc53b7a5a82fae31a378d21a81bb5_JaffaCakes118.exe	30
PID 2248 wrote to memory of 780	2248	WindowsDoctor.exe	31
PID 2248 wrote to memory of 780	2248	WindowsDoctor.exe	31
PID 2248 wrote to memory of 780	2248	WindowsDoctor.exe	31
PID 2248 wrote to memory of 780	2248	WindowsDoctor.exe	31

C:\Users\Admin\AppData\Local\Temp\676cc53b7a5a82fae31a378d21a81bb5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\676cc53b7a5a82fae31a378d21a81bb5_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\WindowsDoctor.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\WindowsDoctor.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Users\Admin\AppData\Local\Temp\3582-490\WindowsDoctor.exe
    "C:\Users\Admin\AppData\Local\Temp\3582-490\WindowsDoctor.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
adcb7dc979b2fd9044841cc005546544

SHA1
5b03dd17ec39a2734273d7b53ca2a4556ba4de07

SHA256
b1add250e8d35a50d88f33b422834fc6d5364955847afa237f5ea1c8d49b9d43

SHA512
760120d575cbbba36efa0de220cd9cad5b5a080eef4b205a5aa035f05d4f4c64ce4e41f1ec1a5ae2b464b0fe54e9406f29b08676793cee9ac49b3fcddb77067f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
72b89db25324c88a13a545d12ab89301

SHA1
90f4175b29c0ee17e57d68a87c2e56d701470cff

SHA256
90aa8f1efb3a580b979e19e77a48753ca4c1e98ea71bce5daa23423f7eb7918f

SHA512
6f303c7c11194bc2c765232115ad0eaff69622f0e6be18157f33d5327c46e9bc910385e3fc366802dd87b2ea209a79f56a58e5c36c42f8546eee34fa736a7af6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
602ff5176455a369f74660f21422dd00

SHA1
c60fa649b8eb10b38e05797733e0c0d6cbbe0d13

SHA256
0f45c15afe25fdc054c8e31b42eff2a92cacfa5242550ed61d49baf1276a3e66

SHA512
cb2bb5869c81afa4a8b679e7a0b4495f85d8d674a9acdf313c306b40dd96aebf6346932f952e2525e6b622aa1707b67e94568e538ed0fd5174fb290079c631fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
99ed1a0d215c8a70aad94f4d046cebee

SHA1
b2fd3c8e62fe55689acca6c1ff1da8f259b5e317

SHA256
1008fc6e75d240e510a8d5b5dfef5b67eaaf66b335374113eee66dab141a7c5e

SHA512
27f871c0b64854c1307e6409f263273dca4eab6fe740b1b0c0c5cc4d948d7c0ee5892af840d2ada0bb28637ced9b2ce321d5c5ac916580472f086c9a0a2b0ffd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
92d88be898575ba14d6caf44d866f36e

SHA1
37baf551335c74c59ee9f88f046f95f5151fb688

SHA256
d3ff9ffce28182b404d9f0b974fce5504a46deb8580fd3f3e4f310822ea1c2d8

SHA512
6715a9a364daa17e30e5c65e5cba3d07567e19feed981ca5f7673a0bad0cfd6b82a4d18316faaef40e969012bba32775416fc4d1df56cc19a986a516ba39e4cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9484.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Common.dll

Filesize
277KB

MD5
b67e3f8474ec139fc500e60536b85ac8

SHA1
e7acdbf1796ccee497058e94d301903348f593cc

SHA256
97778cd760976dd2d5dc3e518468c7930b9ee142ed019d19822f7ffd6189975e

SHA512
765f441936ead9e9981982df027ea05260c62d208e942a5574fa8c196f4c0e31c596c4713811c38469cae7794be1537cce5c48732ced6fbe97c690efdb463bb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Lang.dll

Filesize
624KB

MD5
4ed3bb75a1f78f8afabeedfaeb37c7a7

SHA1
34f36856c2a0f7974bf64cdc4a566125003da290

SHA256
99a09c3532875e89d4c1a414a98b967debba667068a08f3d948d13cfd079fabc

SHA512
90b683172e3f9d74bef51c5be088bedbc101ff17aaf76799790264db90bf30e46955cea6d716dd761c9e7dcba78e664f94f759c0a0df410ca929b9bd55cd3be6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PrivacyCleaner.dll

Filesize
670KB

MD5
8862e6ffad755d3e988068ad27131689

SHA1
6b6bfcf83f9401cb10e4c0e907d08b930bc02d4f

SHA256
7b8fd72598d854fbbf7227529e0cd4b9e1eabc2008c34d9d0d1c758c959f3147

SHA512
9738f8202a744f6d7ec3af5d2be42b9f3d0efa1617e3d02417c3a68d8437ad477c59e40677c3ee19bfe258cda4b1ee9638af1f31b28a8800954c947b074e3c0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ROListView.dll

Filesize
212KB

MD5
afd2cca9d569691e070ebc9efd0e2495

SHA1
e86d4bc885665ac149acc2c4dd8f5fe2b5e2645c

SHA256
8271f5207fe344fe24a051796efad9eec85d9873a7e360c6a85206a3f4e3e1e9

SHA512
c324f674879da42a66de311b602e9b92f481c863b40f2ee7add2bf78d6dd73c6507eacc94cadc5271880c3d938717a0099709f5bdda75e1fa7ee26569999047a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\RegScan.dll

Filesize
469KB

MD5
99c96614b68cfe9e4a7857c7fbea44bd

SHA1
0c5635f5db15190b0aae1dab471f4c6455d5779b

SHA256
3e4f391415804c2bf628e61bea5f4db82aa56652d4c4c36634ccae1ed9623495

SHA512
83d98f1146389748f3142e28810cf319d4c8cbaf67a3a57ca633fbd869ce4b926175af3541a00191794852c29b469ec0b4df70db9d8082f79c44b576249221ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\SystemItemDll.dll

Filesize
396KB

MD5
5d7d5d96a066f50c1b077ade316a0eae

SHA1
fef636900828a2b1887cb3b5a11c6802d4a62b0d

SHA256
dba672c5c35835aa12a9146289de086cb928a2c7ea91ff9338a5fd7e02b3f02e

SHA512
92a38dabfdbea0329aec0a78cedbd54760e19fb1d8934d530a648bb1c7b6237b501dd35f34beaaaf967df40165bbd2ec18ee735a587dad6878d5d74b34759da2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WindowsDoctor.exe

Filesize
5.7MB

MD5
4df91e23f166d05bb2a1cf0733324659

SHA1
eccb99b86233876b43724abb787336bde3872186

SHA256
b47a23642d4d4f0b485ee1875322f00536f8db587e4f3a2de85242c0af33a746

SHA512
b44fe2618ce03df3c4c84054e30cc7de37255bea4d295915faa5419b2b93bde2a67a3f187342f4d7d4ef1fb9d4f8a6ce882b9f8dc1b26db848f64c0b5575e6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\wmsd.dll

Filesize
640KB

MD5
175d1c7ad2e5e666f5c008f016675c7b

SHA1
19496b86550e2277359b0d18e65d8816ad564a50

SHA256
9c3d290d98f1b078b7bbe7aa512d2d589bf19d14c542287a89076b0704fd77f7

SHA512
1911126e68b8c75a4a9239d96b2661f8e5be0e3834e0bd5419ea5ce824e14685c781e3c750d79ec1ca23398b99def74a7657289c7822d5e16ba9ef798b814983

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar98CB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\WindowsDoctor.exe

Filesize
5.7MB

MD5
115b0f9604aae86ad1bcccf037ce21bc

SHA1
ecba2c9221ad930a979f3a2c1627de89581a5bd7

SHA256
bc693dead66949834bead259e2076fca6fc2ee3405228eb0c793d7b7b6bb3d0f

SHA512
fa91ec2020d461ce7c8fcae91c0d542ad06ae9a16662e95756d75964f44ada2c30eb5c9b37d9a45814b8fd514648c5667128817548758f8fcbf1088faf93ca37

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\RegistryCleanerDll.dll

Filesize
528KB

MD5
ed42a565477ec8a86cb89ef2f758d725

SHA1
737d6a64d99859b64e2a3c338f7a750dee9a0558

SHA256
cd0739510d104d9c655963612d817ca9901bf16088f1cc5361a2324d800fe0c3

SHA512
502c1442c00a220523a6b6aab514501854f6fe3617016dc6a894ec214657c7923c635e31fe33b89ad6dbb20203fa417f6841915ca407fdf6eeff4c08fbee50cb

Download Submit
memory/780-502-0x0000000000F30000-0x000000000100D000-memory.dmp

Filesize
884KB

Download
memory/780-220-0x0000000000300000-0x00000000003B0000-memory.dmp

Filesize
704KB

Download
memory/780-501-0x0000000000E70000-0x0000000000F26000-memory.dmp

Filesize
728KB

Download
memory/780-500-0x0000000000DE0000-0x0000000000E6E000-memory.dmp

Filesize
568KB

Download
memory/780-499-0x0000000000300000-0x00000000003B0000-memory.dmp

Filesize
704KB

Download
memory/780-498-0x0000000000400000-0x0000000000C14000-memory.dmp

Filesize
8.1MB

Download
memory/780-1037-0x0000000000400000-0x0000000000C14000-memory.dmp

Filesize
8.1MB

Download
memory/780-589-0x0000000000400000-0x0000000000C14000-memory.dmp

Filesize
8.1MB

Download
memory/780-239-0x0000000000F30000-0x000000000100D000-memory.dmp

Filesize
884KB

Download
memory/780-774-0x0000000000400000-0x0000000000C14000-memory.dmp

Filesize
8.1MB

Download
memory/780-236-0x0000000000E70000-0x0000000000F26000-memory.dmp

Filesize
728KB

Download
memory/780-841-0x0000000000400000-0x0000000000C14000-memory.dmp

Filesize
8.1MB

Download
memory/780-232-0x0000000000240000-0x000000000027F000-memory.dmp

Filesize
252KB

Download
memory/780-229-0x0000000000DE0000-0x0000000000E6E000-memory.dmp

Filesize
568KB

Download
memory/780-223-0x0000000000C20000-0x0000000000C9F000-memory.dmp

Filesize
508KB

Download
memory/780-978-0x0000000000400000-0x0000000000C14000-memory.dmp

Filesize
8.1MB

Download
memory/780-1032-0x0000000000400000-0x0000000000C14000-memory.dmp

Filesize
8.1MB

Download
memory/780-1017-0x0000000000400000-0x0000000000C14000-memory.dmp

Filesize
8.1MB

Download
memory/780-1022-0x0000000000400000-0x0000000000C14000-memory.dmp

Filesize
8.1MB

Download
memory/2248-421-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2248-539-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads