Malware Analysis Report

2025-05-05 22:18

Sample ID 231013-b6ckysbe95
Target aaaa.exe
SHA256 073d21d343ad5ea56b3a94e49a1a4e7c1ecb3c4a3e4aae167cd30d22b794ca6c
Tags
neshta agilenet persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

073d21d343ad5ea56b3a94e49a1a4e7c1ecb3c4a3e4aae167cd30d22b794ca6c

Threat Level: Known bad

The file aaaa.exe was found to be: Known bad.

Malicious Activity Summary

neshta agilenet persistence spyware stealer

Detect Neshta payload

Neshta

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Obfuscated with Agile.Net obfuscator

Modifies system executable filetype association

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-13 01:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-13 01:44

Reported

2023-10-17 22:21

Platform

win7-20230831-en

Max time kernel

152s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aaaa.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ixvjffdjqz = "C:\\Users\\Admin\\AppData\\Roaming\\Ixvjffdjqz.exe" C:\Users\Admin\AppData\Local\Temp\aaaa.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wabmig.exe C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\WinMail.exe C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\OIS.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\misc.exe C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\WMPDMC.exe C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\GTA 5 Mod Menu v2.10.5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\GTA 5 Mod Menu v2.10.5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\GTA 5 Mod Menu v2.10.5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\GTA 5 Mod Menu v2.10.5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\GTA 5 Mod Menu v2.10.5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\GTA 5 Mod Menu v2.10.5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\GTA 5 Mod Menu v2.10.5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\GTA 5 Mod Menu v2.10.5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\GTA 5 Mod Menu v2.10.5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\GTA 5 Mod Menu v2.10.5.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2824 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe
PID 2824 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe
PID 2824 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe
PID 2824 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe
PID 2824 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
PID 2824 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
PID 2824 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
PID 2824 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
PID 2824 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
PID 2824 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
PID 2824 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
PID 2824 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
PID 2824 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
PID 2824 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
PID 2824 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
PID 2824 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
PID 2824 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
PID 2824 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
PID 2824 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
PID 2824 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
PID 2824 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
PID 2824 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
PID 2824 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
PID 2824 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
PID 2824 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
PID 2824 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
PID 2824 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
PID 2824 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
PID 2824 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
PID 2824 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
PID 2824 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
PID 2824 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
PID 2824 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
PID 2824 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
PID 2692 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe C:\Users\Admin\AppData\Local\Temp\3582-490\GTA 5 Mod Menu v2.10.5.exe
PID 2692 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe C:\Users\Admin\AppData\Local\Temp\3582-490\GTA 5 Mod Menu v2.10.5.exe
PID 2692 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe C:\Users\Admin\AppData\Local\Temp\3582-490\GTA 5 Mod Menu v2.10.5.exe
PID 2692 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe C:\Users\Admin\AppData\Local\Temp\3582-490\GTA 5 Mod Menu v2.10.5.exe

Processes

C:\Users\Admin\AppData\Local\Temp\aaaa.exe

"C:\Users\Admin\AppData\Local\Temp\aaaa.exe"

C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe

"C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Users\Admin\AppData\Local\Temp\3582-490\GTA 5 Mod Menu v2.10.5.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\GTA 5 Mod Menu v2.10.5.exe"

Network

N/A

Files

memory/2824-0-0x000007FEF5870000-0x000007FEF625C000-memory.dmp

memory/2824-1-0x000000013F680000-0x000000013F9DE000-memory.dmp

memory/2824-2-0x000000001BCB0000-0x000000001C00E000-memory.dmp

memory/2824-3-0x000000001BC30000-0x000000001BCB0000-memory.dmp

memory/2824-4-0x000000001C860000-0x000000001CBAE000-memory.dmp

memory/2824-5-0x00000000007D0000-0x000000000081C000-memory.dmp

memory/2824-6-0x000007FEF5870000-0x000007FEF625C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe

MD5 064510a44c3c41ae42b2d3c19cb3075e
SHA1 e747e3076ea823234f9e2cc186bcd7eda517e3a6
SHA256 24989d4ff18f32b53dab25b6b24eb2e3028084299c5693cd17d2e27d02d4d639
SHA512 8dec0fe5050bbc3bf73c611ac4deb6f47bb6dc4d5e1c4e359b764dd687c6744434056b1b26112d4c99e5382e75f28b7d533a53faffe5cefa8fdba7ccd3009885

memory/2692-14-0x0000000000400000-0x000000000042B000-memory.dmp

\Users\Admin\AppData\Local\Temp\3582-490\GTA 5 Mod Menu v2.10.5.exe

MD5 ea84cad2bff8c263e6cf3f8f11b93c73
SHA1 0628144ecdaa823e6f49e097b53558c8ceb72af8
SHA256 434d8e2bd4678fb649988a401449319ca31ca62cada789ef76167288bf9ce3eb
SHA512 4959b923f9445b779bc2fece6507bb735d6fede17bb464a3810c780b9709408cfa1255a93bdaa6fb1ec53bc1d250014e8d8d34d39dac8ea0076b01747e9d0d67

memory/2824-23-0x000007FEF5870000-0x000007FEF625C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3582-490\GTA 5 Mod Menu v2.10.5.exe

MD5 ea84cad2bff8c263e6cf3f8f11b93c73
SHA1 0628144ecdaa823e6f49e097b53558c8ceb72af8
SHA256 434d8e2bd4678fb649988a401449319ca31ca62cada789ef76167288bf9ce3eb
SHA512 4959b923f9445b779bc2fece6507bb735d6fede17bb464a3810c780b9709408cfa1255a93bdaa6fb1ec53bc1d250014e8d8d34d39dac8ea0076b01747e9d0d67

memory/2596-30-0x0000000074060000-0x000000007474E000-memory.dmp

memory/2596-31-0x00000000009D0000-0x0000000000D20000-memory.dmp

memory/2692-32-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2692-33-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2596-34-0x0000000074060000-0x000000007474E000-memory.dmp

memory/2692-35-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2596-38-0x0000000004860000-0x00000000048A0000-memory.dmp

\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

MD5 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1 ec66cda99f44b62470c6930e5afda061579cde35
SHA256 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

memory/2692-50-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2596-51-0x0000000000410000-0x0000000000430000-memory.dmp

memory/2596-56-0x0000000004860000-0x00000000048A0000-memory.dmp

memory/2692-60-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2596-61-0x0000000000930000-0x000000000098A000-memory.dmp

memory/2596-62-0x0000000000550000-0x000000000055E000-memory.dmp

memory/2596-63-0x0000000002450000-0x00000000024BE000-memory.dmp

memory/2692-69-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2596-72-0x0000000005590000-0x00000000056D2000-memory.dmp

memory/2692-77-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2692-84-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2692-87-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2692-98-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2596-108-0x00000000005E0000-0x00000000005F4000-memory.dmp

memory/2692-109-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2596-112-0x0000000004860000-0x00000000048A0000-memory.dmp

memory/2596-113-0x0000000004860000-0x00000000048A0000-memory.dmp

memory/2692-114-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2596-115-0x0000000004860000-0x00000000048A0000-memory.dmp

memory/2596-120-0x0000000004860000-0x00000000048A0000-memory.dmp

memory/2692-123-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2692-124-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Roaming\IXVJFF~1.EXE

MD5 b6a18b64ba64922793c6849464a26332
SHA1 883da851ff68f948ab237679e0df43561bab0a18
SHA256 073d21d343ad5ea56b3a94e49a1a4e7c1ecb3c4a3e4aae167cd30d22b794ca6c
SHA512 e8c0204eb07cd66960e3648435570afa63a5e7654d19092d89213e151ef8cddce3d333c8244bf60f3710e26507d333e0bf6b34d8f5aff3f90d237b9df61675d3

\Users\Admin\AppData\Roaming\IXVJFF~1.EXE

MD5 b6a18b64ba64922793c6849464a26332
SHA1 883da851ff68f948ab237679e0df43561bab0a18
SHA256 073d21d343ad5ea56b3a94e49a1a4e7c1ecb3c4a3e4aae167cd30d22b794ca6c
SHA512 e8c0204eb07cd66960e3648435570afa63a5e7654d19092d89213e151ef8cddce3d333c8244bf60f3710e26507d333e0bf6b34d8f5aff3f90d237b9df61675d3

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-13 01:44

Reported

2023-10-17 22:21

Platform

win10v2004-20230915-en

Max time kernel

152s

Max time network

165s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aaaa.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\aaaa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ixvjffdjqz = "C:\\Users\\Admin\\AppData\\Roaming\\Ixvjffdjqz.exe" C:\Users\Admin\AppData\Local\Temp\aaaa.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 316 set thread context of 3616 N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Temp\EU3498.tmp\MIF4FD~1.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Temp\EU3498.tmp\MICROS~2.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Temp\EU3498.tmp\MIA062~1.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13177~1.11\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Temp\EU3498.tmp\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Temp\EU3498.tmp\MID1AD~1.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Temp\EU3498.tmp\MICROS~4.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A
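The registry row above is the persistence mechanism that matters most on this host: the default value of HKLM\SOFTWARE\Classes\exefile\shell\open\command, which on a clean install is `"%1" %*`, now starts with C:\Windows\svchost.com, so every .exe launched through the shell runs that dropped file first with the real program as its argument. The following is an added example, not part of the sandbox report: it parses "Set value" rows in the format printed here, unescapes the string data, and flags any executable file class (exefile, comfile, batfile, cmdfile, piffile, all of which default to `"%1" %*`) whose open command no longer begins with "%1". The first sample row is copied from this report; the other two are constructed to show what is not flagged.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# File classes whose shell\open\command is exactly "%1" %* on a clean Windows install.
# Anything placed in front of "%1" runs first and receives the launched file as its argument.
EXEC_CLASSES = {"exefile", "comfile", "batfile", "cmdfile", "piffile"}
CLEAN_COMMAND = '"%1" %*'

# One "Set value" row as the sandbox prints it: value type, NT key path, string data with
# backslashes and quotes escaped, the writing process (may contain spaces), then the Target column.
SET_VALUE_RE = re.compile(
    r'^Set value \((?P<vtype>\w+)\) (?P<key>\S+) = "(?P<data>(?:[^"\\]|\\.)*)" (?P<proc>.+?) (?P<target>\S+)$'
)
# ...\Classes\<class>\shell\open\command\   (the trailing backslash denotes the default value)
OPEN_CMD_RE = re.compile(r"\\Classes\\(?P<cls>[^\\]+)\\shell\\open\\command\\?$", re.IGNORECASE)

# Constructed sample input: row 1 is copied from this report; rows 2 and 3 are made up
# (a clean default value, and a per-user txtfile handler) to show what must not be flagged.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Windows\System32\msiexec.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1004\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\notepad.exe %1" C:\Windows\explorer.exe N/A',
]


@dataclass
class Hijack:
    key: str         # HKLM\... / HKU\... form of the key that was changed
    file_class: str  # e.g. exefile
    command: str     # unescaped command data
    interposer: str  # program now placed in front of "%1"
    process: str     # sandbox process that wrote the value


def to_hive_path(nt_key: str) -> str:
    """Map the NT object-manager path the sandbox logs to the form reg.exe and PowerShell use."""
    upper = nt_key.upper()
    if upper.startswith("\\REGISTRY\\MACHINE\\"):
        return "HKLM\\" + nt_key[len("\\REGISTRY\\MACHINE\\"):]
    if upper.startswith("\\REGISTRY\\USER\\"):
        return "HKU\\" + nt_key[len("\\REGISTRY\\USER\\"):]
    return nt_key


def first_program(command: str) -> str:
    """Return the first token of a shell-open command, honouring a quoted program path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(None, 1)[0] if command else ""


def interposer_in(command: str) -> Optional[str]:
    """Return the program placed in front of "%1", or None when the launched file itself runs first."""
    if command.strip() == CLEAN_COMMAND:
        return None
    program = first_program(command)
    return None if program == "%1" else program


def find_hijacks(rows: List[str]) -> List[Hijack]:
    """Scan sandbox 'Set value' rows for executable-class open commands that no longer start with "%1"."""
    found = []
    for row in rows:
        m = SET_VALUE_RE.match(row.strip())
        if not m:
            continue
        k = OPEN_CMD_RE.search(m["key"])
        if not k or k["cls"].lower() not in EXEC_CLASSES:
            continue
        command = re.sub(r"\\(.)", r"\1", m["data"])  # undo the report's \\ and \" escaping
        interposer = interposer_in(command)
        if interposer is None:
            continue
        found.append(Hijack(to_hive_path(m["key"]).rstrip("\\"), k["cls"].lower(),
                            command, interposer, m["proc"]))
    return found


if __name__ == "__main__":
    for h in find_hijacks(SAMPLE_ROWS):
        print(f"{h.file_class}: {h.key} = {h.command!r}  (interposer {h.interposer}, written by {h.process})")
```

On a live host the same check is `reg query HKLM\SOFTWARE\Classes\exefile\shell\open\command`; also query the HKCU\Software\Classes copy, because a per-user exefile key takes precedence in the merged HKCR view. Restoring the value to `"%1" %*` is only safe after the interposer and the infected executables it was protecting have been dealt with, otherwise the next launch of an infected .exe re-creates it.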

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\GTA 5 Mod Menu v2.10.5.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 316 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe
PID 316 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe
PID 316 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe
PID 316 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
PID 316 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
PID 316 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
PID 316 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
PID 316 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
PID 316 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
PID 316 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
PID 4380 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe C:\Users\Admin\AppData\Local\Temp\3582-490\GTA 5 Mod Menu v2.10.5.exe
PID 4380 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe C:\Users\Admin\AppData\Local\Temp\3582-490\GTA 5 Mod Menu v2.10.5.exe
PID 4380 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe C:\Users\Admin\AppData\Local\Temp\3582-490\GTA 5 Mod Menu v2.10.5.exe
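Read as a graph, the rows above give the injection chain: aaaa.exe (PID 316) writes into the dropped GTA 5 Mod Menu v2.10.5.exe (4380) and seven times into aspnet_compiler.exe (3616), an OS-shipped .NET binary that the Processes list shows launched with no arguments at all; 4380 in turn writes into its own copy under 3582-490 (4008). The following is an added example, not part of the sandbox report: it parses rows in the format printed here, collapses repeated write events into one edge with a count, prints root-to-leaf PID chains, and flags the one pattern worth escalating on sight, a writer whose image lives in a user-writable directory targeting a process whose image is under C:\Windows. The split between the two image paths relies on the second drive prefix, an assumption that holds for the rows in this report; the directory heuristics assume a default Windows layout.

```python
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# "PID <a> wrote to memory of <b> N/A <source image> <target image>", as the sandbox prints it.
# Both images are absolute paths that may contain spaces, so the row is split at the second
# drive prefix (assumption: no image path contains " X:\" inside it).
WRITE_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
    r"(?P<src_path>[A-Za-z]:\\.+?) (?P<dst_path>[A-Za-z]:\\.+)$"
)

# Sample input: the three distinct rows of this report, repeated as often as the report lists them.
SAMPLE_ROWS = (
    [r"PID 316 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe "
     r"C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe"] * 3
    + [r"PID 316 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\aaaa.exe "
       r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"] * 7
    + [r"PID 4380 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe "
       r"C:\Users\Admin\AppData\Local\Temp\3582-490\GTA 5 Mod Menu v2.10.5.exe"] * 3
)

# Heuristics for where an image lives (assumption: default Windows layout, system drive C:).
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


@dataclass
class Edge:
    src_pid: int
    dst_pid: int
    src_path: str
    dst_path: str
    writes: int = 0


def parse_writes(rows: List[str]) -> Dict[Tuple[int, int], Edge]:
    """Collapse repeated write events into one edge per (writer, target) pair with a count."""
    edges: Dict[Tuple[int, int], Edge] = {}
    for row in rows:
        m = WRITE_RE.match(row.strip())
        if not m:
            continue
        key = (int(m["src"]), int(m["dst"]))
        if key not in edges:
            edges[key] = Edge(key[0], key[1], m["src_path"], m["dst_path"])
        edges[key].writes += 1
    return edges


def injection_paths(edges: Dict[Tuple[int, int], Edge]) -> List[List[int]]:
    """Root-to-leaf PID chains following write edges, e.g. [316, 4380, 4008]."""
    children = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
    roots = sorted({src for src, _ in edges} - {dst for _, dst in edges})
    paths: List[List[int]] = []

    def walk(pid: int, trail: List[int]) -> None:
        nxt = sorted(children.get(pid, []))
        if not nxt:
            paths.append(trail)
            return
        for child in nxt:
            if child in trail:          # guard against cycles in malformed input
                paths.append(trail + [child])
            else:
                walk(child, trail + [child])

    for root in roots:
        walk(root, [root])
    return paths


def is_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def is_system_image(path: str) -> bool:
    return path.lower().startswith("c:\\windows\\")


def hollowing_candidates(edges: Dict[Tuple[int, int], Edge]) -> List[Edge]:
    """Writes from an image in a user-writable location into a process whose image is OS-shipped:
    the shape of process hollowing or injection into a trusted host binary."""
    return [e for e in edges.values() if is_user_writable(e.src_path) and is_system_image(e.dst_path)]


def render(edges: Dict[Tuple[int, int], Edge]) -> List[str]:
    """One line per edge, ordered by PID, with the escalation flag appended where it applies."""
    flagged = hollowing_candidates(edges)
    return [
        f"{e.src_pid} ({ntpath.basename(e.src_path)}) -> {e.dst_pid} ({ntpath.basename(e.dst_path)}) "
        f"x{e.writes}" + ("  [user-writable -> system image]" if e in flagged else "")
        for e in sorted(edges.values(), key=lambda e: (e.src_pid, e.dst_pid))
    ]


if __name__ == "__main__":
    graph = parse_writes(SAMPLE_ROWS)
    print("\n".join(render(graph)))
    for chain in injection_paths(graph):
        print(" -> ".join(map(str, chain)))
```

The memory regions listed under Files for PIDs 4380 and 3616 are the natural next step: they are the ranges the sandbox dumped from those targets, and the dump for 3616 is what to unpack to see what actually ran inside aspnet_compiler.exe.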

Processes

C:\Users\Admin\AppData\Local\Temp\aaaa.exe

"C:\Users\Admin\AppData\Local\Temp\aaaa.exe"

C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe

"C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Users\Admin\AppData\Local\Temp\3582-490\GTA 5 Mod Menu v2.10.5.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\GTA 5 Mod Menu v2.10.5.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 126.177.238.8.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 qu.ax udp
SG 45.77.246.255:443 qu.ax tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 255.246.77.45.in-addr.arpa udp
US 8.8.8.8:53 254.3.248.8.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 6.173.189.20.in-addr.arpa udp

Files

memory/316-0-0x00000293B8CC0000-0x00000293B901E000-memory.dmp

memory/316-1-0x00000293D3540000-0x00000293D389E000-memory.dmp

memory/316-2-0x00007FFD58910000-0x00007FFD593D1000-memory.dmp

memory/316-3-0x00000293B9400000-0x00000293B9410000-memory.dmp

memory/316-4-0x00000293D39A0000-0x00000293D3CEE000-memory.dmp

memory/316-5-0x00007FFD58910000-0x00007FFD593D1000-memory.dmp

memory/316-6-0x00000293B9400000-0x00000293B9410000-memory.dmp

memory/316-7-0x00000293BAC80000-0x00000293BACCC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe

MD5 064510a44c3c41ae42b2d3c19cb3075e
SHA1 e747e3076ea823234f9e2cc186bcd7eda517e3a6
SHA256 24989d4ff18f32b53dab25b6b24eb2e3028084299c5693cd17d2e27d02d4d639
SHA512 8dec0fe5050bbc3bf73c611ac4deb6f47bb6dc4d5e1c4e359b764dd687c6744434056b1b26112d4c99e5382e75f28b7d533a53faffe5cefa8fdba7ccd3009885

C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe

MD5 064510a44c3c41ae42b2d3c19cb3075e
SHA1 e747e3076ea823234f9e2cc186bcd7eda517e3a6
SHA256 24989d4ff18f32b53dab25b6b24eb2e3028084299c5693cd17d2e27d02d4d639
SHA512 8dec0fe5050bbc3bf73c611ac4deb6f47bb6dc4d5e1c4e359b764dd687c6744434056b1b26112d4c99e5382e75f28b7d533a53faffe5cefa8fdba7ccd3009885

memory/4380-16-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe

MD5 064510a44c3c41ae42b2d3c19cb3075e
SHA1 e747e3076ea823234f9e2cc186bcd7eda517e3a6
SHA256 24989d4ff18f32b53dab25b6b24eb2e3028084299c5693cd17d2e27d02d4d639
SHA512 8dec0fe5050bbc3bf73c611ac4deb6f47bb6dc4d5e1c4e359b764dd687c6744434056b1b26112d4c99e5382e75f28b7d533a53faffe5cefa8fdba7ccd3009885

memory/3616-18-0x0000000000400000-0x000000000040C000-memory.dmp

memory/316-21-0x00007FFD58910000-0x00007FFD593D1000-memory.dmp

memory/3616-22-0x00007FFD58910000-0x00007FFD593D1000-memory.dmp

memory/3616-23-0x0000020420F20000-0x0000020420F30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3582-490\GTA 5 Mod Menu v2.10.5.exe

MD5 ea84cad2bff8c263e6cf3f8f11b93c73
SHA1 0628144ecdaa823e6f49e097b53558c8ceb72af8
SHA256 434d8e2bd4678fb649988a401449319ca31ca62cada789ef76167288bf9ce3eb
SHA512 4959b923f9445b779bc2fece6507bb735d6fede17bb464a3810c780b9709408cfa1255a93bdaa6fb1ec53bc1d250014e8d8d34d39dac8ea0076b01747e9d0d67

C:\Users\Admin\AppData\Local\Temp\3582-490\GTA 5 Mod Menu v2.10.5.exe

MD5 ea84cad2bff8c263e6cf3f8f11b93c73
SHA1 0628144ecdaa823e6f49e097b53558c8ceb72af8
SHA256 434d8e2bd4678fb649988a401449319ca31ca62cada789ef76167288bf9ce3eb
SHA512 4959b923f9445b779bc2fece6507bb735d6fede17bb464a3810c780b9709408cfa1255a93bdaa6fb1ec53bc1d250014e8d8d34d39dac8ea0076b01747e9d0d67

C:\Users\Admin\AppData\Local\Temp\3582-490\GTA 5 Mod Menu v2.10.5.exe

MD5 ea84cad2bff8c263e6cf3f8f11b93c73
SHA1 0628144ecdaa823e6f49e097b53558c8ceb72af8
SHA256 434d8e2bd4678fb649988a401449319ca31ca62cada789ef76167288bf9ce3eb
SHA512 4959b923f9445b779bc2fece6507bb735d6fede17bb464a3810c780b9709408cfa1255a93bdaa6fb1ec53bc1d250014e8d8d34d39dac8ea0076b01747e9d0d67

memory/4008-36-0x00000000005C0000-0x0000000000910000-memory.dmp

memory/4008-37-0x0000000073B70000-0x0000000074320000-memory.dmp

memory/4008-38-0x0000000005800000-0x0000000005DA4000-memory.dmp

memory/4008-39-0x0000000005180000-0x0000000005212000-memory.dmp

memory/4008-40-0x00000000050D0000-0x00000000050E0000-memory.dmp

memory/4008-41-0x0000000005230000-0x000000000523A000-memory.dmp

memory/4008-42-0x00000000053B0000-0x00000000053D0000-memory.dmp

memory/4008-43-0x00000000053F0000-0x000000000544A000-memory.dmp

memory/4008-44-0x0000000005170000-0x000000000517E000-memory.dmp

memory/4008-45-0x0000000005470000-0x00000000054DE000-memory.dmp

memory/4008-46-0x00000000054E0000-0x0000000005622000-memory.dmp

memory/4380-47-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3616-48-0x00007FFD58910000-0x00007FFD593D1000-memory.dmp

memory/4380-49-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3616-50-0x0000020420F20000-0x0000020420F30000-memory.dmp

memory/4008-61-0x00000000083B0000-0x0000000008416000-memory.dmp

memory/4008-66-0x0000000008340000-0x0000000008354000-memory.dmp

memory/4008-67-0x0000000073B70000-0x0000000074320000-memory.dmp

memory/4008-68-0x00000000050D0000-0x00000000050E0000-memory.dmp

memory/4008-69-0x00000000050D0000-0x00000000050E0000-memory.dmp

memory/3616-70-0x00007FFD58910000-0x00007FFD593D1000-memory.dmp

C:\Users\Admin\AppData\Roaming\IXVJFF~1.EXE

MD5 d135618e6963b7f5032053e385faee4a
SHA1 98901c512ecf3460bec867d24979ed18cfcbe95b
SHA256 8d9e06447423812a9a47232368e3c70486ac959fcfad9d81718ba12b0cbaf4bc
SHA512 806d478cd68f5884ac7b751f6da78183126437b8489e88ee1e14accc055a6416d10afae1f9d82ac7b087106fbb3074758bdbe3cf8a711fb668d36d9c19fe8eb5

memory/4380-141-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4008-142-0x00000000050D0000-0x00000000050E0000-memory.dmp

memory/4380-143-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4380-144-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4380-145-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4380-146-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4380-147-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4380-148-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4380-149-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4380-150-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4380-151-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4380-152-0x0000000000400000-0x000000000042B000-memory.dmp