Malware Analysis Report

2024-09-11 03:12

Sample ID 240519-yctzgaec57
Target 2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0
SHA256 2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0
Tags
neshta persistence spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0

Threat Level: Known bad

The file 2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0 was found to be: Known bad.

Malicious Activity Summary

neshta persistence spyware stealer

Neshta

Executes dropped EXE

Checks computer location settings

Modifies system executable filetype association

Loads dropped DLL

Reads user/profile data of web browsers

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-19 19:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-19 19:38

Reported

2024-05-19 19:41

Platform

win7-20240221-en

Max time kernel

117s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe"

Signatures

Neshta

persistence spyware neshta

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\OIS.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wabmig.exe C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\misc.exe C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\WinMail.exe C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version8\TeamViewer_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2772 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe C:\Users\Admin\AppData\Local\Temp\3582-490\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
PID 2772 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe C:\Users\Admin\AppData\Local\Temp\3582-490\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
PID 2772 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe C:\Users\Admin\AppData\Local\Temp\3582-490\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
PID 2772 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe C:\Users\Admin\AppData\Local\Temp\3582-490\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe
PID 2984 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version8\TeamViewer_.exe
PID 2984 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version8\TeamViewer_.exe
PID 2984 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version8\TeamViewer_.exe
PID 2984 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version8\TeamViewer_.exe
PID 2984 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version8\TeamViewer_.exe
PID 2984 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version8\TeamViewer_.exe
PID 2984 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version8\TeamViewer_.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe

"C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe"

C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version8\TeamViewer_.exe

"C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version8\TeamViewer_.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\3582-490\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

C:\Users\Admin\AppData\Local\Temp\nso8F65.tmp\TvGetVersion.dll

\Users\Admin\AppData\Local\Temp\TeamViewer\Version8\TeamViewer_.exe

\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

\Users\Admin\AppData\Local\Temp\nsd91E5.tmp\UserInfo.dll

\Users\Admin\AppData\Local\Temp\nsd91E5.tmp\System.dll

C:\Users\Admin\AppData\Local\Temp\nsd91E5.tmp\start_unicode.ini

C:\Users\Admin\AppData\Local\Temp\nsd91E5.tmp\advanced_unicode.ini

\Users\Admin\AppData\Local\Temp\nsd91E5.tmp\InstallOptions.dll

C:\Users\Admin\AppData\Local\Temp\nsd91E5.tmp\start_unicode.ini

\Users\Admin\AppData\Local\Temp\nsd91E5.tmp\linker.dll

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-19 19:38

Reported

2024-05-19 19:41

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe"

Signatures

Neshta

persistence spyware neshta

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MI391D~1.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~3.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MI9C33~1.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13185~1.29\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~2.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~4.EXE C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe

"C:\Users\Admin\AppData\Local\Temp\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe"

C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version8\TeamViewer_.exe

"C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version8\TeamViewer_.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 71.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 70.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Temp\3582-490\2372a95d3d6d087102411165a027aafbe7994d73774f96c89394a8c6050009f0.exe

C:\Users\Admin\AppData\Local\Temp\nsa2ED1.tmp\TvGetVersion.dll

C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version8\TeamViewer_.exe

C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

C:\Users\Admin\AppData\Local\Temp\nss3376.tmp\UserInfo.dll

C:\Users\Admin\AppData\Local\Temp\nss3376.tmp\System.dll

C:\Users\Admin\AppData\Local\Temp\nss3376.tmp\start_unicode.ini

C:\Users\Admin\AppData\Local\Temp\nss3376.tmp\advanced_unicode.ini

C:\Users\Admin\AppData\Local\Temp\nss3376.tmp\start_unicode.ini

C:\Users\Admin\AppData\Local\Temp\nss3376.tmp\InstallOptions.dll

C:\Users\Admin\AppData\Local\Temp\nss3376.tmp\linker.dll
