Analysis Overview
SHA256
6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c
Threat Level: Known bad
The file 6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c was found to be: Known bad.
Malicious Activity Summary
Neshta family
Detect Neshta payload
Neshta
Checks computer location settings
Executes dropped EXE
Modifies system executable filetype association
Loads dropped DLL
Reads user/profile data of web browsers
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-04-11 21:59
Signatures
Detect Neshta payload
Neshta family
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted: 2024-04-11 21:59
Reported: 2024-04-11 22:01
Platform: win10v2004-20240226-en
Max time kernel: 95s
Max time network: 148s
Signatures
Detect Neshta payload
Neshta
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3582-490\6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c.exe | N/A |
| N/A | N/A | C:\Windows\svchost.com | N/A |
| N/A | N/A | C:\Windows\svchost.com | N/A |
| N/A | N/A | C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE | C:\Users\Admin\AppData\Local\Temp\6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | C:\Users\Admin\AppData\Local\Temp\6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE | C:\Users\Admin\AppData\Local\Temp\6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE | C:\Users\Admin\AppData\Local\Temp\6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c.exe | N/A |
| File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | C:\Users\Admin\AppData\Local\Temp\6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe | C:\Users\Admin\AppData\Local\Temp\6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE | C:\Users\Admin\AppData\Local\Temp\6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MICROS~4.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmpconfig.exe | C:\Users\Admin\AppData\Local\Temp\6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c.exe | N/A |
| File opened for modification | C:\PROGRA~2\WI8A19~1\ImagingDevices.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmprph.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe | C:\Users\Admin\AppData\Local\Temp\6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE | C:\Users\Admin\AppData\Local\Temp\6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\setup_wm.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmprph.exe | C:\Users\Admin\AppData\Local\Temp\6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe | C:\Users\Admin\AppData\Local\Temp\6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE | C:\Users\Admin\AppData\Local\Temp\6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe | C:\Users\Admin\AppData\Local\Temp\6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE | C:\Users\Admin\AppData\Local\Temp\6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE | C:\Users\Admin\AppData\Local\Temp\6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | C:\Users\Admin\AppData\Local\Temp\6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Temp | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE | C:\Users\Admin\AppData\Local\Temp\6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe | C:\Users\Admin\AppData\Local\Temp\6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe | C:\Users\Admin\AppData\Local\Temp\6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe | C:\Users\Admin\AppData\Local\Temp\6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE | C:\Users\Admin\AppData\Local\Temp\6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE | C:\Users\Admin\AppData\Local\Temp\6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c.exe | N/A |
| File opened for modification | C:\PROGRA~2\INTERN~1\ExtExport.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE | C:\Users\Admin\AppData\Local\Temp\6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c.exe | N/A |
| File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE | C:\Users\Admin\AppData\Local\Temp\6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~2\wab.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE | C:\Users\Admin\AppData\Local\Temp\6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE | C:\Users\Admin\AppData\Local\Temp\6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MIA062~1.EXE | C:\Users\Admin\AppData\Local\Temp\6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MIA062~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\DISABL~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MICROS~3.EXE | C:\Users\Admin\AppData\Local\Temp\6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c.exe | N/A |
| File opened for modification | C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE | C:\Users\Admin\AppData\Local\Temp\6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE | C:\Users\Admin\AppData\Local\Temp\6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE | C:\Windows\svchost.com | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c.exe | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\3582-490\6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c.exe | "C:\Users\Admin\AppData\Local\Temp\6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c.exe" |
| C:\Users\Admin\AppData\Local\Temp\3582-490\6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c.exe | "C:\Users\Admin\AppData\Local\Temp\3582-490\6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c.exe" |
| C:\Windows\svchost.com | "C:\Windows\svchost.com" "C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe" |
| C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe |
| C:\Windows\svchost.com | "C:\Windows\svchost.com" "C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE" |
| C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE | C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE |
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted: 2024-04-11 21:59
Reported: 2024-04-11 22:01
Platform: win7-20240221-en
Max time kernel: 118s
Max time network: 118s
Signatures
Detect Neshta payload
Neshta
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c.exe | "C:\Users\Admin\AppData\Local\Temp\6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c.exe" |
| C:\Users\Admin\AppData\Local\Temp\3582-490\6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c.exe | "C:\Users\Admin\AppData\Local\Temp\3582-490\6619cb6cc78d3a64331de1c0766820eb99be5d82d931fd94624cc8b730d9ac2c.exe" |
Network
Files