Malware Analysis Report

2024-11-16 12:21

Sample ID 240412-2qw8jaae4w
Target 76622c137db68b98079b71668b39f8bed0c61f065f95a272de4fd34e578f7afe
SHA256 76622c137db68b98079b71668b39f8bed0c61f065f95a272de4fd34e578f7afe
Tags neshta persistence spyware stealer
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 76622c137db68b98079b71668b39f8bed0c61f065f95a272de4fd34e578f7afe

Threat Level: Known bad

The file 76622c137db68b98079b71668b39f8bed0c61f065f95a272de4fd34e578f7afe was found to be: Known bad.

Malicious Activity Summary

neshta persistence spyware stealer

Detect Neshta payload

Neshta family

Neshta

Loads dropped DLL

Modifies system executable filetype association

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-12 22:47

Signatures

Detect Neshta payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Neshta family

neshta

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-12 22:47

Reported

2024-04-12 22:50

Platform

win7-20240221-en

Max time kernel

117s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\76622c137db68b98079b71668b39f8bed0c61f065f95a272de4fd34e578f7afe.exe"

Signatures

Detect Neshta payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (8 identical rows, no details reported)

Neshta

persistence spyware neshta

Modifies system executable filetype association

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\76622c137db68b98079b71668b39f8bed0c61f065f95a272de4fd34e578f7afe.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description | Indicator | Process | Target
64 rows. In every row: Description = File opened for modification; Process = C:\Users\Admin\AppData\Local\Temp\76622c137db68b98079b71668b39f8bed0c61f065f95a272de4fd34e578f7afe.exe; Target = N/A. The Indicator column (one file per row) follows:
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe
C:\PROGRA~2\WI54FB~1\setup_wm.exe
C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE
C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE
C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe
C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE
C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE
C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE
C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE
C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE
C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
C:\PROGRA~2\WI54FB~1\wmplayer.exe
C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE
C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE
C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE
C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE
C:\PROGRA~2\MICROS~1\Office14\OIS.EXE
C:\PROGRA~2\INTERN~1\ieinstal.exe
C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE
C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE
C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE
C:\PROGRA~2\WINDOW~1\wab.exe
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE
C:\PROGRA~2\Google\Update\DISABL~1.EXE
C:\PROGRA~2\WI54FB~1\wmlaunch.exe
C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE
C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE
C:\PROGRA~2\WI4223~1\sidebar.exe
C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE
C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE
C:\PROGRA~2\MICROS~1\Office14\misc.exe
C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE
C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe
C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE
C:\PROGRA~2\WINDOW~1\wabmig.exe
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe
C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE
C:\PROGRA~2\INTERN~1\iexplore.exe
C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE
C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE
C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE
C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE
C:\PROGRA~2\WINDOW~4\ImagingDevices.exe
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE
C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE
C:\PROGRA~2\WI54FB~1\WMPDMC.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\76622c137db68b98079b71668b39f8bed0c61f065f95a272de4fd34e578f7afe.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\76622c137db68b98079b71668b39f8bed0c61f065f95a272de4fd34e578f7afe.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\76622c137db68b98079b71668b39f8bed0c61f065f95a272de4fd34e578f7afe.exe

"C:\Users\Admin\AppData\Local\Temp\76622c137db68b98079b71668b39f8bed0c61f065f95a272de4fd34e578f7afe.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\76622c137db68b98079b71668b39f8bed0c61f065f95a272de4fd34e578f7afe.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\76622c137db68b98079b71668b39f8bed0c61f065f95a272de4fd34e578f7afe.exe"

Network

N/A

Files

memory/2772-0-0x0000000000400000-0x000000000042B000-memory.dmp

\Users\Admin\AppData\Local\Temp\3582-490\76622c137db68b98079b71668b39f8bed0c61f065f95a272de4fd34e578f7afe.exe

MD5 24b9ba271bc87c8b9fc05a688923652f
SHA1 32db86ed51c1992aa4b70c05b02755494a765e0b
SHA256 73ead84989b57c0c655f5ad89fe207db0adece935cc4a5704a890c4cc74deed1
SHA512 0d3c36d5c462e5cdb1f0b81401dde9da05e4bad8bc2fd5ad7f8dd5d0bb5c0d28e67d6e36cb30ff0e167220292bd2cfeb68de0bf1f88a9b0adff8c5b703127a44

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

MD5 e0f2257e0ad4b04429c932673ead4884
SHA1 352fcc1fe1019cd069ab52b409b31bbd0a08ea9a
SHA256 6e11a49479c1d2b35f15901b0700e307712338f343e1c03fcfe715946fab5969
SHA512 d77e790e63b1b2307df2ef0bb774bcbfa5cdc716764050dfa055a23449cffa5c6f61759b0819712f3e3be06037cbc3469082ba2b02af990017f28658f0103763

\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

MD5 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1 ec66cda99f44b62470c6930e5afda061579cde35
SHA256 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

memory/2772-84-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2772-85-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2772-86-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2772-87-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2772-88-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2772-90-0x0000000000400000-0x000000000042B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-12 22:47

Reported

2024-04-12 22:50

Platform

win10v2004-20240412-en

Max time kernel

147s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\76622c137db68b98079b71668b39f8bed0c61f065f95a272de4fd34e578f7afe.exe"

Signatures

Detect Neshta payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (10 identical rows, no details reported)

Neshta

persistence spyware neshta

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\76622c137db68b98079b71668b39f8bed0c61f065f95a272de4fd34e578f7afe.exe | N/A

Modifies system executable filetype association

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\76622c137db68b98079b71668b39f8bed0c61f065f95a272de4fd34e578f7afe.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description | Indicator | Process | Target
64 rows. In every row: Description = File opened for modification; Process = C:\Users\Admin\AppData\Local\Temp\76622c137db68b98079b71668b39f8bed0c61f065f95a272de4fd34e578f7afe.exe; Target = N/A. The Indicator column (one file per row) follows:
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE
C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~2.EXE
C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~3.EXE
C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe
C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~4.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13185~1.29\MICROS~1.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE
C:\PROGRA~2\INTERN~1\ExtExport.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe
C:\PROGRA~2\INTERN~1\ielowutil.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
C:\PROGRA~2\Google\Update\DISABL~1.EXE
C:\PROGRA~2\WINDOW~4\wmplayer.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE
C:\PROGRA~2\INTERN~1\iexplore.exe
C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe
C:\PROGRA~2\WINDOW~2\wabmig.exe
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
C:\PROGRA~2\WINDOW~4\wmlaunch.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE
C:\PROGRA~2\INTERN~1\ieinstal.exe
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE
C:\PROGRA~2\WINDOW~4\wmpconfig.exe
C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MI9C33~1.EXE
C:\PROGRA~2\WINDOW~2\wab.exe
C:\PROGRA~2\WINDOW~4\setup_wm.exe
C:\PROGRA~2\WI8A19~1\ImagingDevices.exe
C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~1.EXE
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE
C:\PROGRA~2\WINDOW~4\wmprph.exe
C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\76622c137db68b98079b71668b39f8bed0c61f065f95a272de4fd34e578f7afe.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\76622c137db68b98079b71668b39f8bed0c61f065f95a272de4fd34e578f7afe.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\76622c137db68b98079b71668b39f8bed0c61f065f95a272de4fd34e578f7afe.exe

"C:\Users\Admin\AppData\Local\Temp\76622c137db68b98079b71668b39f8bed0c61f065f95a272de4fd34e578f7afe.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\76622c137db68b98079b71668b39f8bed0c61f065f95a272de4fd34e578f7afe.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\76622c137db68b98079b71668b39f8bed0c61f065f95a272de4fd34e578f7afe.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 248.81.21.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 202.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.117.168.52.in-addr.arpa | udp

Files

memory/1904-0-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3582-490\76622c137db68b98079b71668b39f8bed0c61f065f95a272de4fd34e578f7afe.exe

MD5 24b9ba271bc87c8b9fc05a688923652f
SHA1 32db86ed51c1992aa4b70c05b02755494a765e0b
SHA256 73ead84989b57c0c655f5ad89fe207db0adece935cc4a5704a890c4cc74deed1
SHA512 0d3c36d5c462e5cdb1f0b81401dde9da05e4bad8bc2fd5ad7f8dd5d0bb5c0d28e67d6e36cb30ff0e167220292bd2cfeb68de0bf1f88a9b0adff8c5b703127a44

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

MD5 a40427e3788637e741fb69ea8d76cd52
SHA1 f8c8c7ec493e32a7573d90ce400fccd79fc98f31
SHA256 18dcc8fae245869d02b7db0edbe22ec57a30bdd51a64090452118a79ba194052
SHA512 e6b688d4ad0506c74db323b50a2588472f45e66da2a3456450aea96d93882b13662f8b3bbed7773180f5bec851a31d2e45262ecb9283b425c60c8caa06d56ca2

memory/1904-103-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1904-104-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1904-105-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1904-106-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1904-108-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1904-109-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1904-110-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1904-112-0x0000000000400000-0x000000000042B000-memory.dmp