Malware Analysis Report

2025-08-10 22:23

Sample ID: 240202-3b1g3sdgck
Target: VirusShare-011fcece058e729e2c21e7085b600b41
SHA256: c4885eb9ed1b5650c7cbbcda64be9abfafb7b396e85101c0f2c12b4914c632ae
Tags: adware persistence spyware stealer upx
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 7/10
SHA256: c4885eb9ed1b5650c7cbbcda64be9abfafb7b396e85101c0f2c12b4914c632ae

Threat level: shows suspicious behavior. The file VirusShare-011fcece058e729e2c21e7085b600b41 was classified at this level.

Malicious Activity Summary

Tags: adware persistence spyware stealer upx

Across the two behavioral runs the UPX-packed, unsigned sample copies itself to C:\Windows\SysWOW64\sogbaol.exe, drops and executes a second stage (nsacesh.exe) in the same directory, and that second stage writes a DLL into SysWOW64, registers it as an Internet Explorer Browser Helper Object (ProgID IESpy.SpyBHO, CLSID {84695FD5-A8A8-11D8-978E-005022E14DE2}) after deleting the BHO entries already present, and adds an HKLM Run value for a further dropped executable whose name changes from run to run. The signatures that fired:

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

UPX packed file

Adds Run key to start application

Installs/modifies Browser Helper Object

Drops file in System32 directory

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-02-02 23:21

Signatures

Unsigned PE (no indicator details recorded)

Analysis: behavioral2

Detonation Overview

Submitted: 2024-02-02 23:21
Reported: 2024-02-02 23:23
Platform: win10v2004-20231215-en
Max time kernel: 143s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VirusShare-011fcece058e729e2c21e7085b600b41.exe"

Signatures

Executes dropped EXE

Process: C:\Windows\SysWOW64\nsacesh.exe

Loads dropped DLL

Process: C:\Windows\SysWOW64\nsacesh.exe

Reads user/profile data of web browsers

Tags: spyware stealer (no indicator details recorded)

UPX packed file

Tags: upx (5 entries; indicator details not recorded)

Adds Run key to start application

Tags: persistence

The value data is the bare file name vljojq.exe with no directory, so the entry depends on path search at logon rather than naming its target explicitly; the file it refers to is C:\WINDOWS\SysWOW64\VLJOJQ.EXE, written by nsacesh.exe (see Drops file in System32 directory below). The value name is different in behavioral1 (nvoeuj), so it is generated per run.

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vljojq = "vljojq.exe" C:\Windows\SysWOW64\nsacesh.exe N/A

Installs/modifies Browser Helper Object

Tags: stealer adware

nsacesh.exe deletes the Browser Helper Objects key together with two BHO CLSID entries that were already registered on the image, recreates the key and registers its own CLSID {84695FD5-A8A8-11D8-978E-005022E14DE2}. The COM registration that makes this CLSID load C:\Windows\SysWow64\csumulal.dll (ProgID IESpy.SpyBHO.1) is listed under Modifies registry class below.

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} C:\Windows\SysWOW64\nsacesh.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Windows\SysWOW64\nsacesh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Windows\SysWOW64\nsacesh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{84695FD5-A8A8-11D8-978E-005022E14DE2} C:\Windows\SysWOW64\nsacesh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{84695FD5-A8A8-11D8-978E-005022E14DE2}\ C:\Windows\SysWOW64\nsacesh.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} C:\Windows\SysWOW64\nsacesh.exe N/A

Drops file in System32 directory

Every drop lands in C:\Windows\SysWOW64, the 32-bit system directory: the submitted sample writes nsacesh.exe and sogbaol.exe, and nsacesh.exe in turn writes csumulal.dll, image.zip and VLJOJQ.EXE. Writing there (and to HKLM below) needs an elevated process; the sandbox ran the sample as Admin and every write succeeded.

Description Indicator Process Target
File created C:\Windows\SysWOW64\csumulal.dll C:\Windows\SysWOW64\nsacesh.exe N/A
File created C:\Windows\SysWOW64\image.zip C:\Windows\SysWOW64\nsacesh.exe N/A
File created C:\Windows\SysWOW64\nsacesh.exe C:\Users\Admin\AppData\Local\Temp\VirusShare-011fcece058e729e2c21e7085b600b41.exe N/A
File created C:\Windows\SysWOW64\sogbaol.exe C:\Users\Admin\AppData\Local\Temp\VirusShare-011fcece058e729e2c21e7085b600b41.exe N/A
File opened for modification C:\Windows\SysWOW64\sogbaol.exe C:\Users\Admin\AppData\Local\Temp\VirusShare-011fcece058e729e2c21e7085b600b41.exe N/A
File created C:\WINDOWS\SysWOW64\VLJOJQ.EXE C:\Windows\SysWOW64\nsacesh.exe N/A
File opened for modification C:\WINDOWS\SysWOW64\VLJOJQ.EXE C:\Windows\SysWOW64\nsacesh.exe N/A

Modifies registry class

These rows are the standard COM registration for the BHO, all written by nsacesh.exe: CLSID {84695FD5-A8A8-11D8-978E-005022E14DE2} ("SpyBHO Class") with InprocServer32 = C:\Windows\SysWow64\csumulal.dll and ThreadingModel = Apartment; ProgIDs IESpy.SpyBHO and IESpy.SpyBHO.1; interface {84695FD4-A8A8-11D8-978E-005022E14DE2} (ISpyBHO) marshalled through the OLE Automation type-library marshaller {00020424-0000-0000-C000-000000000046}; and type library {84695FC8-A8A8-11D8-978E-005022E14DE2} ("IESpy 1.0 Type Library") whose win32 entry also points at the DLL. Once the CLSID is listed under Browser Helper Objects, Internet Explorer loads that in-process server into every browser instance.

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IESpy.SpyBHO.1\CLSID C:\Windows\SysWOW64\nsacesh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84695FD5-A8A8-11D8-978E-005022E14DE2}\ = "SpyBHO Class" C:\Windows\SysWOW64\nsacesh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{84695FD4-A8A8-11D8-978E-005022E14DE2}\ = "ISpyBHO" C:\Windows\SysWOW64\nsacesh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{84695FD4-A8A8-11D8-978E-005022E14DE2}\TypeLib\ = "{84695FC8-A8A8-11D8-978E-005022E14DE2}" C:\Windows\SysWOW64\nsacesh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{84695FD4-A8A8-11D8-978E-005022E14DE2}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\nsacesh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84695FD5-A8A8-11D8-978E-005022E14DE2}\VersionIndependentProgID C:\Windows\SysWOW64\nsacesh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84695FD5-A8A8-11D8-978E-005022E14DE2}\InprocServer32\ = "C:\\Windows\\SysWow64\\csumulal.dll" C:\Windows\SysWOW64\nsacesh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84695FD5-A8A8-11D8-978E-005022E14DE2}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\nsacesh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84695FC8-A8A8-11D8-978E-005022E14DE2} C:\Windows\SysWOW64\nsacesh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84695FC8-A8A8-11D8-978E-005022E14DE2}\1.0\ = "IESpy 1.0 Type Library" C:\Windows\SysWOW64\nsacesh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{84695FD4-A8A8-11D8-978E-005022E14DE2}\TypeLib C:\Windows\SysWOW64\nsacesh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{84695FD4-A8A8-11D8-978E-005022E14DE2} C:\Windows\SysWOW64\nsacesh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84695FC8-A8A8-11D8-978E-005022E14DE2}\1.0\FLAGS C:\Windows\SysWOW64\nsacesh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84695FC8-A8A8-11D8-978E-005022E14DE2}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\nsacesh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IESpy.SpyBHO.1\ = "SpyBHO Class" C:\Windows\SysWOW64\nsacesh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IESpy.SpyBHO\CLSID\ = "{84695FD5-A8A8-11D8-978E-005022E14DE2}" C:\Windows\SysWOW64\nsacesh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IESpy.SpyBHO\CurVer C:\Windows\SysWOW64\nsacesh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84695FD5-A8A8-11D8-978E-005022E14DE2} C:\Windows\SysWOW64\nsacesh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84695FD5-A8A8-11D8-978E-005022E14DE2}\ProgID C:\Windows\SysWOW64\nsacesh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84695FD5-A8A8-11D8-978E-005022E14DE2}\TypeLib\ = "{84695FC8-A8A8-11D8-978E-005022E14DE2}" C:\Windows\SysWOW64\nsacesh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{84695FD4-A8A8-11D8-978E-005022E14DE2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\nsacesh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{84695FD4-A8A8-11D8-978E-005022E14DE2}\TypeLib\ = "{84695FC8-A8A8-11D8-978E-005022E14DE2}" C:\Windows\SysWOW64\nsacesh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IESpy.SpyBHO\ = "SpyBHO Class" C:\Windows\SysWOW64\nsacesh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IESpy.SpyBHO\CurVer\ = "IESpy.SpyBHO.1" C:\Windows\SysWOW64\nsacesh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84695FC8-A8A8-11D8-978E-005022E14DE2}\1.0\0\win32 C:\Windows\SysWOW64\nsacesh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{84695FD4-A8A8-11D8-978E-005022E14DE2}\ProxyStubClsid32 C:\Windows\SysWOW64\nsacesh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{84695FD4-A8A8-11D8-978E-005022E14DE2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\nsacesh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84695FD5-A8A8-11D8-978E-005022E14DE2}\TypeLib C:\Windows\SysWOW64\nsacesh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84695FC8-A8A8-11D8-978E-005022E14DE2}\1.0 C:\Windows\SysWOW64\nsacesh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{84695FD4-A8A8-11D8-978E-005022E14DE2}\ = "ISpyBHO" C:\Windows\SysWOW64\nsacesh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{84695FD4-A8A8-11D8-978E-005022E14DE2}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\nsacesh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IESpy.SpyBHO.1\CLSID\ = "{84695FD5-A8A8-11D8-978E-005022E14DE2}" C:\Windows\SysWOW64\nsacesh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84695FD5-A8A8-11D8-978E-005022E14DE2}\Programmable C:\Windows\SysWOW64\nsacesh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84695FD5-A8A8-11D8-978E-005022E14DE2}\InprocServer32 C:\Windows\SysWOW64\nsacesh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84695FC8-A8A8-11D8-978E-005022E14DE2}\1.0\0 C:\Windows\SysWOW64\nsacesh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84695FC8-A8A8-11D8-978E-005022E14DE2}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\csumulal.dll" C:\Windows\SysWOW64\nsacesh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84695FC8-A8A8-11D8-978E-005022E14DE2}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" C:\Windows\SysWOW64\nsacesh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84695FC8-A8A8-11D8-978E-005022E14DE2}\1.0\HELPDIR C:\Windows\SysWOW64\nsacesh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{84695FD4-A8A8-11D8-978E-005022E14DE2} C:\Windows\SysWOW64\nsacesh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{84695FD4-A8A8-11D8-978E-005022E14DE2}\TypeLib C:\Windows\SysWOW64\nsacesh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IESpy.SpyBHO.1 C:\Windows\SysWOW64\nsacesh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IESpy.SpyBHO C:\Windows\SysWOW64\nsacesh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IESpy.SpyBHO\CLSID C:\Windows\SysWOW64\nsacesh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84695FD5-A8A8-11D8-978E-005022E14DE2}\ProgID\ = "IESpy.SpyBHO.1" C:\Windows\SysWOW64\nsacesh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84695FD5-A8A8-11D8-978E-005022E14DE2}\VersionIndependentProgID\ = "IESpy.SpyBHO" C:\Windows\SysWOW64\nsacesh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{84695FD4-A8A8-11D8-978E-005022E14DE2}\ProxyStubClsid32 C:\Windows\SysWOW64\nsacesh.exe N/A
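The Run key, Browser Helper Objects, Drops file in System32 directory and Modifies registry class tables above are what an analyst correlates by hand to answer two questions: which DLL the newly registered BHO CLSID actually loads, and what the pathless Run value resolves to. The script below is an added example, not part of the sandbox report or of the sample. It parses rows in this report's own "description indicator process target" layout (the embedded rows are copied from the behavioral2 tables above) and answers both questions; splitting columns relies on two properties that hold throughout this report, namely that the process column is always a C:\ path and the target column is always N/A.

```python
"""Added triage helper for sandbox registry/file event rows (not part of the report).

Rows are in this report's layout: "<description> <indicator> <process> N/A".
The embedded sample rows are copied from the behavioral2 tables of this report.
"""
import re

DESCRIPTIONS = ("Set value (str)", "Key created", "Key deleted",
                "File created", "File opened for modification")
CLSID = r"(\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\})"

SAMPLE_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vljojq = "vljojq.exe" C:\Windows\SysWOW64\nsacesh.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} C:\Windows\SysWOW64\nsacesh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{84695FD5-A8A8-11D8-978E-005022E14DE2} C:\Windows\SysWOW64\nsacesh.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} C:\Windows\SysWOW64\nsacesh.exe N/A
File created C:\Windows\SysWOW64\csumulal.dll C:\Windows\SysWOW64\nsacesh.exe N/A
File created C:\Windows\SysWOW64\nsacesh.exe C:\Users\Admin\AppData\Local\Temp\VirusShare-011fcece058e729e2c21e7085b600b41.exe N/A
File created C:\WINDOWS\SysWOW64\VLJOJQ.EXE C:\Windows\SysWOW64\nsacesh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84695FD5-A8A8-11D8-978E-005022E14DE2}\ = "SpyBHO Class" C:\Windows\SysWOW64\nsacesh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84695FD5-A8A8-11D8-978E-005022E14DE2}\InprocServer32\ = "C:\\Windows\\SysWow64\\csumulal.dll" C:\Windows\SysWOW64\nsacesh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84695FD5-A8A8-11D8-978E-005022E14DE2}\ProgID\ = "IESpy.SpyBHO.1" C:\Windows\SysWOW64\nsacesh.exe N/A
"""


def parse_row(row):
    """Split one row into (description, indicator, process); None if it is not an event row."""
    row = row.strip()
    for desc in DESCRIPTIONS:
        if row.startswith(desc + " "):
            rest = row[len(desc) + 1:]
            break
    else:
        return None
    if rest.endswith(" N/A"):                        # Target column, empty throughout the report
        rest = rest[:-4]
    indicator, sep, proc = rest.rpartition(" C:\\")  # the process column is the last C:\ path
    if not sep:
        return None
    return desc, indicator, "C:\\" + proc


def parse_rows(text):
    return [ev for ev in map(parse_row, text.splitlines()) if ev]


def split_value(indicator):
    """Split a 'Set value' indicator into (key, value name, data).

    A trailing backslash before ' = ' means the key's default value (name == '').
    Data is unquoted and the report's doubled backslashes are collapsed."""
    path, _, data = indicator.partition(" = ")
    key, _, name = path.rpartition("\\")
    return key, name, data.strip('"').replace("\\\\", "\\")


def bho_registrations(events):
    """CLSIDs registered under Browser Helper Objects -> DLL named by InprocServer32
    (None when no COM registration for that CLSID appears in the events)."""
    inproc = {}
    for desc, ind, _ in events:
        if desc == "Set value (str)":
            key, name, data = split_value(ind)
            m = re.search(r"\\CLSID\\" + CLSID + r"\\InprocServer32$", key, re.I)
            if m and name == "":
                inproc[m.group(1).upper()] = data
    found = {}
    for desc, ind, _ in events:
        m = re.search(r"\\Browser Helper Objects\\" + CLSID + "$", ind, re.I)
        if m and desc == "Key created":
            found[m.group(1).upper()] = inproc.get(m.group(1).upper())
    return found


def bho_removals(events):
    """CLSIDs whose Browser Helper Objects key was deleted (BHOs already on the box)."""
    gone = set()
    for desc, ind, _ in events:
        m = re.search(r"\\Browser Helper Objects\\" + CLSID + "$", ind, re.I)
        if m and desc == "Key deleted":
            gone.add(m.group(1).upper())
    return sorted(gone)


def run_key_entries(events):
    """Values written under CurrentVersion/Run.  'pathless' means the data is a bare
    file name; 'dropped_as' is the 'File created' path with that file name, if any."""
    dropped = {ind.rsplit("\\", 1)[-1].lower(): ind
               for desc, ind, _ in events if desc == "File created"}
    out = []
    for desc, ind, _ in events:
        if desc != "Set value (str)":
            continue
        key, name, data = split_value(ind)
        if key.lower().endswith("\\currentversion\\run"):
            out.append({"name": name, "data": data, "pathless": "\\" not in data,
                        "dropped_as": dropped.get(data.rsplit("\\", 1)[-1].lower())})
    return out


def triage(text=SAMPLE_ROWS):
    events = parse_rows(text)
    return {"bho": bho_registrations(events), "bho_removed": bho_removals(events),
            "run": run_key_entries(events)}


if __name__ == "__main__":
    for section, value in triage().items():
        print(section, value)
```

On the embedded rows the BHO map resolves {84695FD5-A8A8-11D8-978E-005022E14DE2} to C:\Windows\SysWow64\csumulal.dll, the two deleted CLSIDs are listed as removed, and the Run value vljojq is reported as pathless with VLJOJQ.EXE in SysWOW64 as the file it corresponds to. Feeding it the behavioral1 rows instead gives fcmaiuma.dll and nvoeuj, which is the quickest way to see that only the names differ between runs.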

Processes

C:\Users\Admin\AppData\Local\Temp\VirusShare-011fcece058e729e2c21e7085b600b41.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\VirusShare-011fcece058e729e2c21e7085b600b41.exe"

C:\Windows\SysWOW64\nsacesh.exe
  command line: C:\Windows\system32\nsacesh.exe
  (the command line names system32, but for a 32-bit process WOW64 file-system redirection maps that directory to SysWOW64, which is where the file was actually written)

Network

Only reverse (PTR) DNS lookups to the resolver 8.8.8.8 over UDP were captured; the report does not attribute them to a process and records no other connections, so no command-and-control traffic is visible in this run.

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 204.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp

Files

Hash comparison across this section and behavioral1: sogbaol.exe carries the same MD5 (011fcece058e729e2c21e7085b600b41) and SHA256 as the submitted sample, so it is a plain copy of the original; csumulal.dll has the same hashes as behavioral1's fcmaiuma.dll, and nsacesh.exe is byte-identical in both runs. Only the file names are generated per run, so hunt on the hashes, not the names.

C:\Windows\SysWOW64\nsacesh.exe

MD5 4f0d325d862e6691089e6353f24cc723
SHA1 89a2130b326d498eea816aeeefaf5a19353cddf4
SHA256 e27d664a3976999ae06a731ff59db1ffa4950e8285f00516c61acbfc56f98127
SHA512 5d6afe8c451d615dd87d88c5fdbd926f1671ebb433ce24f7ea011dcfb26ff6d1c40c8d772021e59bdbd7d7b57dfe9e9b4c89d4a73750e67976437122040cc4ba

memory/4600-5-0x0000000000400000-0x0000000000486000-memory.dmp

C:\Windows\SysWOW64\csumulal.dll

MD5 d47460e7a690aa4518595f6943e64a33
SHA1 99dc72b69d36fdf4a206dc4cbebcee0b0e6fecf6
SHA256 20d2dbe3fe247d3b47bb76391ce79081033aefd49698b860c0559663247ecc6f
SHA512 08b9d09d397255b6a5edba02d71da04907b0bddcf626e0073a084f7d08ba65e696904a44a000d4eababe370a8a47aa19c0ce104765c1053b1a8f323102b36bda

memory/4600-12-0x0000000000400000-0x0000000000486000-memory.dmp

C:\Windows\SysWOW64\sogbaol.exe

MD5 011fcece058e729e2c21e7085b600b41
SHA1 5503bce7be753d1b0975811fe33ac0ca808706a8
SHA256 c4885eb9ed1b5650c7cbbcda64be9abfafb7b396e85101c0f2c12b4914c632ae
SHA512 434f4856a7864f2cfd94b63fd42d91e59ee7ceece71cc2b3032700287c542cab7ee752a50844caf9f25926ad5c45f8e24a559a7386aad5f62d5891b59729e7b1

memory/4600-15-0x0000000000400000-0x0000000000486000-memory.dmp

memory/4600-16-0x0000000000400000-0x0000000000486000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-02 23:21
Reported: 2024-02-02 23:23
Platform: win7-20231215-en
Max time kernel: 142s
Max time network: 129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VirusShare-011fcece058e729e2c21e7085b600b41.exe"

Signatures

Executes dropped EXE

Process: C:\Windows\SysWOW64\nsacesh.exe

Reads user/profile data of web browsers

Tags: spyware stealer (no indicator details recorded)

UPX packed file

Tags: upx (4 entries; indicator details not recorded)

Adds Run key to start application

Tags: persistence

As in behavioral2 the value data is a bare file name with no directory; here it is nvoeuj.exe, matching C:\WINDOWS\SysWOW64\NVOEUJ.EXE written by nsacesh.exe (see Drops file in System32 directory below).

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nvoeuj = "nvoeuj.exe" C:\Windows\SysWOW64\nsacesh.exe N/A

Installs/modifies Browser Helper Object

Tags: stealer adware

The same CLSID {84695FD5-A8A8-11D8-978E-005022E14DE2} is registered as in behavioral2, this time backed by C:\Windows\SysWow64\fcmaiuma.dll (see Modifies registry class below); the Browser Helper Objects key is deleted and recreated, and three BHO CLSID entries already present on the Windows 7 image are removed.

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects C:\Windows\SysWOW64\nsacesh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects C:\Windows\SysWOW64\nsacesh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{84695FD5-A8A8-11D8-978E-005022E14DE2} C:\Windows\SysWOW64\nsacesh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{84695FD5-A8A8-11D8-978E-005022E14DE2}\ C:\Windows\SysWOW64\nsacesh.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} C:\Windows\SysWOW64\nsacesh.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} C:\Windows\SysWOW64\nsacesh.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} C:\Windows\SysWOW64\nsacesh.exe N/A

Drops file in System32 directory

Same pattern as behavioral2, with per-run names: the submitted sample writes nsacesh.exe and sogbaol.exe to C:\Windows\SysWOW64, and nsacesh.exe then writes fcmaiuma.dll, screensaver.zip and NVOEUJ.EXE there.

Description Indicator Process Target
File created C:\Windows\SysWOW64\screensaver.zip C:\Windows\SysWOW64\nsacesh.exe N/A
File created C:\Windows\SysWOW64\nsacesh.exe C:\Users\Admin\AppData\Local\Temp\VirusShare-011fcece058e729e2c21e7085b600b41.exe N/A
File created C:\Windows\SysWOW64\sogbaol.exe C:\Users\Admin\AppData\Local\Temp\VirusShare-011fcece058e729e2c21e7085b600b41.exe N/A
File opened for modification C:\Windows\SysWOW64\sogbaol.exe C:\Users\Admin\AppData\Local\Temp\VirusShare-011fcece058e729e2c21e7085b600b41.exe N/A
File created C:\WINDOWS\SysWOW64\NVOEUJ.EXE C:\Windows\SysWOW64\nsacesh.exe N/A
File opened for modification C:\WINDOWS\SysWOW64\NVOEUJ.EXE C:\Windows\SysWOW64\nsacesh.exe N/A
File created C:\Windows\SysWOW64\fcmaiuma.dll C:\Windows\SysWOW64\nsacesh.exe N/A

Modifies registry class

The same COM registration as in behavioral2 (CLSID {84695FD5-A8A8-11D8-978E-005022E14DE2}, ProgID IESpy.SpyBHO / IESpy.SpyBHO.1, interface {84695FD4-A8A8-11D8-978E-005022E14DE2}, type library {84695FC8-A8A8-11D8-978E-005022E14DE2}); only the InprocServer32 and type-library win32 paths differ, both pointing at C:\Windows\SysWow64\fcmaiuma.dll.

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84695FC8-A8A8-11D8-978E-005022E14DE2}\1.0\FLAGS C:\Windows\SysWOW64\nsacesh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{84695FD4-A8A8-11D8-978E-005022E14DE2}\TypeLib C:\Windows\SysWOW64\nsacesh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{84695FD4-A8A8-11D8-978E-005022E14DE2} C:\Windows\SysWOW64\nsacesh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84695FD5-A8A8-11D8-978E-005022E14DE2} C:\Windows\SysWOW64\nsacesh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84695FD5-A8A8-11D8-978E-005022E14DE2}\VersionIndependentProgID\ = "IESpy.SpyBHO" C:\Windows\SysWOW64\nsacesh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84695FC8-A8A8-11D8-978E-005022E14DE2} C:\Windows\SysWOW64\nsacesh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84695FD5-A8A8-11D8-978E-005022E14DE2}\InprocServer32 C:\Windows\SysWOW64\nsacesh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84695FC8-A8A8-11D8-978E-005022E14DE2}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" C:\Windows\SysWOW64\nsacesh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{84695FD4-A8A8-11D8-978E-005022E14DE2}\ = "ISpyBHO" C:\Windows\SysWOW64\nsacesh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84695FD5-A8A8-11D8-978E-005022E14DE2}\InprocServer32\ = "C:\\Windows\\SysWow64\\fcmaiuma.dll" C:\Windows\SysWOW64\nsacesh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{84695FD4-A8A8-11D8-978E-005022E14DE2}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\nsacesh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IESpy.SpyBHO.1\CLSID\ = "{84695FD5-A8A8-11D8-978E-005022E14DE2}" C:\Windows\SysWOW64\nsacesh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IESpy.SpyBHO\ = "SpyBHO Class" C:\Windows\SysWOW64\nsacesh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84695FD5-A8A8-11D8-978E-005022E14DE2}\ = "SpyBHO Class" C:\Windows\SysWOW64\nsacesh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{84695FD4-A8A8-11D8-978E-005022E14DE2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\nsacesh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{84695FD4-A8A8-11D8-978E-005022E14DE2}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\nsacesh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84695FD5-A8A8-11D8-978E-005022E14DE2}\ProgID\ = "IESpy.SpyBHO.1" C:\Windows\SysWOW64\nsacesh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84695FC8-A8A8-11D8-978E-005022E14DE2}\1.0\ = "IESpy 1.0 Type Library" C:\Windows\SysWOW64\nsacesh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{84695FD4-A8A8-11D8-978E-005022E14DE2}\ProxyStubClsid32 C:\Windows\SysWOW64\nsacesh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84695FD5-A8A8-11D8-978E-005022E14DE2}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\nsacesh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84695FC8-A8A8-11D8-978E-005022E14DE2}\1.0\HELPDIR C:\Windows\SysWOW64\nsacesh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{84695FD4-A8A8-11D8-978E-005022E14DE2} C:\Windows\SysWOW64\nsacesh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{84695FD4-A8A8-11D8-978E-005022E14DE2}\TypeLib\ = "{84695FC8-A8A8-11D8-978E-005022E14DE2}" C:\Windows\SysWOW64\nsacesh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{84695FD4-A8A8-11D8-978E-005022E14DE2}\ = "ISpyBHO" C:\Windows\SysWOW64\nsacesh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IESpy.SpyBHO.1\CLSID C:\Windows\SysWOW64\nsacesh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IESpy.SpyBHO\CLSID C:\Windows\SysWOW64\nsacesh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84695FD5-A8A8-11D8-978E-005022E14DE2}\ProgID C:\Windows\SysWOW64\nsacesh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84695FD5-A8A8-11D8-978E-005022E14DE2}\TypeLib C:\Windows\SysWOW64\nsacesh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84695FD5-A8A8-11D8-978E-005022E14DE2}\TypeLib\ = "{84695FC8-A8A8-11D8-978E-005022E14DE2}" C:\Windows\SysWOW64\nsacesh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84695FC8-A8A8-11D8-978E-005022E14DE2}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\fcmaiuma.dll" C:\Windows\SysWOW64\nsacesh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{84695FD4-A8A8-11D8-978E-005022E14DE2}\TypeLib\ = "{84695FC8-A8A8-11D8-978E-005022E14DE2}" C:\Windows\SysWOW64\nsacesh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IESpy.SpyBHO C:\Windows\SysWOW64\nsacesh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IESpy.SpyBHO\CurVer C:\Windows\SysWOW64\nsacesh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IESpy.SpyBHO\CurVer\ = "IESpy.SpyBHO.1" C:\Windows\SysWOW64\nsacesh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84695FC8-A8A8-11D8-978E-005022E14DE2}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\nsacesh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84695FC8-A8A8-11D8-978E-005022E14DE2}\1.0\0 C:\Windows\SysWOW64\nsacesh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84695FC8-A8A8-11D8-978E-005022E14DE2}\1.0\0\win32 C:\Windows\SysWOW64\nsacesh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{84695FD4-A8A8-11D8-978E-005022E14DE2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\nsacesh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{84695FD4-A8A8-11D8-978E-005022E14DE2}\TypeLib C:\Windows\SysWOW64\nsacesh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IESpy.SpyBHO.1\ = "SpyBHO Class" C:\Windows\SysWOW64\nsacesh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84695FD5-A8A8-11D8-978E-005022E14DE2}\Programmable C:\Windows\SysWOW64\nsacesh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84695FC8-A8A8-11D8-978E-005022E14DE2}\1.0 C:\Windows\SysWOW64\nsacesh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{84695FD4-A8A8-11D8-978E-005022E14DE2}\ProxyStubClsid32 C:\Windows\SysWOW64\nsacesh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IESpy.SpyBHO.1 C:\Windows\SysWOW64\nsacesh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IESpy.SpyBHO\CLSID\ = "{84695FD5-A8A8-11D8-978E-005022E14DE2}" C:\Windows\SysWOW64\nsacesh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84695FD5-A8A8-11D8-978E-005022E14DE2}\VersionIndependentProgID C:\Windows\SysWOW64\nsacesh.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\VirusShare-011fcece058e729e2c21e7085b600b41.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\VirusShare-011fcece058e729e2c21e7085b600b41.exe"

C:\Windows\SysWOW64\nsacesh.exe
  command line: C:\Windows\system32\nsacesh.exe
  (system32 in the command line is redirected to SysWOW64 for a 32-bit process by WOW64 file-system redirection)

Network

No network traffic was recorded in this run.

Files

The hashes below match behavioral2 file for file: nsacesh.exe is identical, fcmaiuma.dll is the same DLL that was named csumulal.dll there, and sogbaol.exe is again a copy of the submitted sample (MD5 011fcece058e729e2c21e7085b600b41).

\Windows\SysWOW64\nsacesh.exe

MD5 4f0d325d862e6691089e6353f24cc723
SHA1 89a2130b326d498eea816aeeefaf5a19353cddf4
SHA256 e27d664a3976999ae06a731ff59db1ffa4950e8285f00516c61acbfc56f98127
SHA512 5d6afe8c451d615dd87d88c5fdbd926f1671ebb433ce24f7ea011dcfb26ff6d1c40c8d772021e59bdbd7d7b57dfe9e9b4c89d4a73750e67976437122040cc4ba

memory/1248-3-0x0000000000310000-0x0000000000396000-memory.dmp

\Windows\SysWOW64\fcmaiuma.dll

MD5 d47460e7a690aa4518595f6943e64a33
SHA1 99dc72b69d36fdf4a206dc4cbebcee0b0e6fecf6
SHA256 20d2dbe3fe247d3b47bb76391ce79081033aefd49698b860c0559663247ecc6f
SHA512 08b9d09d397255b6a5edba02d71da04907b0bddcf626e0073a084f7d08ba65e696904a44a000d4eababe370a8a47aa19c0ce104765c1053b1a8f323102b36bda

memory/2980-16-0x0000000000400000-0x0000000000486000-memory.dmp

C:\Windows\SysWOW64\sogbaol.exe

MD5 011fcece058e729e2c21e7085b600b41
SHA1 5503bce7be753d1b0975811fe33ac0ca808706a8
SHA256 c4885eb9ed1b5650c7cbbcda64be9abfafb7b396e85101c0f2c12b4914c632ae
SHA512 434f4856a7864f2cfd94b63fd42d91e59ee7ceece71cc2b3032700287c542cab7ee752a50844caf9f25926ad5c45f8e24a559a7386aad5f62d5891b59729e7b1

memory/2980-19-0x0000000000400000-0x0000000000486000-memory.dmp