Malware Analysis Report

2025-08-05 17:02

Sample ID 240107-ybtmbadfb2
Target aa1efe82b7a8462a234757d822dd2466.exe
SHA256 7cca4f23bd94e5cf9208a12bae1d251a38365c73a89322de96aae09be86f40bf
Tags neshta sality backdoor evasion persistence spyware trojan upx stealer
Score 10/10

Analysis Overview

Score 10/10

SHA256 7cca4f23bd94e5cf9208a12bae1d251a38365c73a89322de96aae09be86f40bf

Threat Level: Known bad

The file aa1efe82b7a8462a234757d822dd2466.exe was found to be: Known bad.

Malicious Activity Summary

Sality

Neshta

Modifies firewall policy service

Windows security bypass

UAC bypass

Neshta family

Detect Neshta payload

Disables Task Manager via registry modification

Disables RegEdit via registry modification

Executes dropped EXE

UPX packed file

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Windows security modification

Modifies system executable filetype association

Checks whether UAC is enabled

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

NSIS installer

System policy modification

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-01-07 19:37

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A

Neshta family

neshta

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-01-07 19:37

Reported 2024-01-07 19:39

Platform win7-20231129-en

Max time kernel 0s

Max time network 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe N/A

Neshta

persistence spyware neshta

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe N/A

Disables Task Manager via registry modification

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe

"C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2396-12-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2396-13-0x0000000001D80000-0x0000000002E0E000-memory.dmp

memory/2396-15-0x0000000001D80000-0x0000000002E0E000-memory.dmp

memory/2396-27-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2028-8-0x0000000002B00000-0x0000000002B54000-memory.dmp

\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe

MD5 1ff4eadf86c36055b815504500b8770e
SHA1 feb2673f6060bc3a31a6e145e280942cd73049ae
SHA256 49090474ef8191988c0b7e9673e981422bb526b7691dfc03c7a50ae500f6ceae
SHA512 23b1b3f1386858d04c912ed4bceb09c5c69a732699f2ba7384fd4fa2db6303c7678fef0239af7c291193e3101d042bd415bb492571c5b92e6a5170eb548ac2ea

memory/2028-101-0x0000000000400000-0x000000000041B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-01-07 19:37

Reported 2024-01-07 19:40

Platform win10v2004-20231215-en

Max time kernel 104s

Max time network 144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Sality

backdoor sality

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe N/A

Disables Task Manager via registry modification

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13181~1.5\MI9C33~1.EXE C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13181~1.5\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13181~1.5\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13181~1.5\MICROS~4.EXE C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13181~1.5\MIA062~1.EXE C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{17316~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{FB050~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe

"C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe"

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 16.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 47.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe

MD5 729b18ffd039c5574b2d9685401f42c8
SHA1 27ef6946fff89bf261b465a3364ca9b333fbadd2
SHA256 a2ca75d551c5143691815c7b61ee2d7baa469cc758bf25d4344dad852c7a2162
SHA512 3fcf6cf454caab2b943e4c419c228d9db156e3ab42a8879b1b13bf21de925180086bea5ff7cb2cf504c32f596c68d3e4af548c6acea5537f55d6ea32e8fc1de9

memory/1436-11-0x0000000000400000-0x0000000000454000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsl7C74.tmp\System.dll

MD5 05e52213cfa17dee760186462a9645ed
SHA1 f6d5e82080bbba65db7d54e89250c95af833aae3
SHA256 d9d3ffa4c7d7a152f435f4777e72aa1b6a6c0555f277e59eedebc587c3b66ba5
SHA512 586eea0bec6345b437667ce528bc2396427dd444a396456e38046a8962e92a52e7ee62b9f6c97f41bc1fb4a1b3905a302d6f7055e26b84e60709ba3b416ad172

memory/1436-25-0x0000000002270000-0x00000000032FE000-memory.dmp

memory/1436-26-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1436-27-0x0000000002270000-0x00000000032FE000-memory.dmp

C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

MD5 355cb9870b5f65da1d11eaa3e8f40788
SHA1 6346a6d3aa55c39175c2bdaf67c0a89e8d383ab8
SHA256 754d47f95ce671da871da32afa71fcf46868439e52e78e6eb29d085d5e2b141c
SHA512 080a738294554ec2906be6c6abc1d49750e936779e624e7550ee9a837912d89592adb089ac6e5eb938ccd71a48947cb8f79ed3227ddb4ea0d66d3f6ac9751374

memory/3368-98-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3368-114-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3368-115-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3368-125-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3368-126-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3368-127-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3368-128-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3368-130-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3368-131-0x0000000000400000-0x000000000041B000-memory.dmp