Malware Analysis Report

2024-11-16 12:10

Sample ID 240716-btb4na1fjg
Target ef9d8b93ec0e5982998cf9ed09e07f1269798d094b5c331322fb2062a5075916
SHA256 ef9d8b93ec0e5982998cf9ed09e07f1269798d094b5c331322fb2062a5075916
Tags
neshta execution persistence spyware stealer
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

ef9d8b93ec0e5982998cf9ed09e07f1269798d094b5c331322fb2062a5075916

Threat Level: Known bad

The file ef9d8b93ec0e5982998cf9ed09e07f1269798d094b5c331322fb2062a5075916 was found to be: Known bad.

Malicious Activity Summary

neshta execution persistence spyware stealer

Neshta

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

Checks computer location settings

Modifies system executable filetype association

Loads dropped DLL

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-16 01:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-16 01:25

Reported

2024-07-16 01:28

Platform

win7-20240708-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe"

Signatures

Neshta

persistence spyware neshta

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2496 set thread context of 2768 N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wabmig.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\WMPDMC.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\WinMail.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\OIS.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2496 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2496 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2496 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2496 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2496 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2496 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2496 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2496 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2496 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe C:\Windows\SysWOW64\schtasks.exe
PID 2496 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe C:\Windows\SysWOW64\schtasks.exe
PID 2496 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe C:\Windows\SysWOW64\schtasks.exe
PID 2496 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe C:\Windows\SysWOW64\schtasks.exe
PID 2496 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe
PID 2496 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe
PID 2496 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe
PID 2496 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe
PID 2496 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe
PID 2496 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe
PID 2496 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe
PID 2496 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe
PID 2496 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe
PID 2496 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe
PID 2496 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe
PID 2496 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe

Processes

C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe

"C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QBloUDNxsti.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QBloUDNxsti" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE81E.tmp"

C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe

"C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9EVRC8TLSJZEDPPP9RRL.temp

MD5 787a0c4e88f7725b1d4a75dcdb5115f6
SHA1 09a94b8090f4b12fd899de651407c65e37ac6897
SHA256 85e05bf909a25386880b580ec4508abdc8d118a393e1f9acec2162884af4ac75
SHA512 1d6fa527e2501ec800daac9f4013b8cf642b8c25b042dc0d6b7cc55267506345e95dad6f85c317dee00e7cbc541a33719413454f17edb58162099f0e552f1a75

C:\Users\Admin\AppData\Local\Temp\tmpE81E.tmp

MD5 995369b897ea292c7631dacf39ad95cc
SHA1 57d6ebb2de5032eb31ddbc5d23e8f3b7208360b7
SHA256 639947e0c472119ea611d2392ff42fc31aed2120ebdae48cac55897fd56de200
SHA512 e30b5079e12f7348dcd1b181a6c58550cdf9737e2a2da49cab63e39c7c297b930b6e721cba611bdbe866e6ba86d750aec7e5bb65547baf0479cca3b909241b16

C:\Windows\svchost.com

MD5 831ea2d64c8371b5fb5c293902f942dd
SHA1 41bda99a7dcda14fffc5297f77d73deccf7e52f9
SHA256 0be3fe232479bb98c0801b5b5279e6f0527d470cf93236c9cc8109dd8bf6b268
SHA512 eb195b26b63bff3102231be5fcef9e700b23af42485719c1b77e30b06efd7cfd2c170a46d756c38d8056f0a9fa12fd25564bf21a700238035f4d066afadc0b0a

\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

MD5 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1 ec66cda99f44b62470c6930e5afda061579cde35
SHA256 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

C:\Users\Admin\AppData\Roaming\QBLOUD~1.EXE

MD5 8c4507c84e866d7a0677244d94c439f6
SHA1 b7917d2630306f79444a473903c0170ce8e58abe
SHA256 08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e
SHA512 950b7452c9047f24baec92101973fd3d4fdfac7f81cc2208df2a20de46db43b54eb411fa48442df5cf963ba18286047490b920529906149a8e1d9a5605bf01e1

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-16 01:25

Reported

2024-07-16 01:28

Platform

win10v2004-20240709-en

Max time kernel

93s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe"

Signatures

Neshta

persistence spyware neshta

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4080 set thread context of 3952 N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4080 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4080 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4080 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4080 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4080 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4080 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4080 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe C:\Windows\SysWOW64\schtasks.exe
PID 4080 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe C:\Windows\SysWOW64\schtasks.exe
PID 4080 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe C:\Windows\SysWOW64\schtasks.exe
PID 4080 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe
PID 4080 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe
PID 4080 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe
PID 4080 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe
PID 4080 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe
PID 4080 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe
PID 4080 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe
PID 4080 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe
PID 4080 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe
PID 4080 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe
PID 4080 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe
PID 4080 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe
PID 4080 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe
PID 4080 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe
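
The WriteProcessMemory table above logs one row per call, so the same parent-to-child edge appears several times and the interesting detail (which children are the sample's own image, and how many writes each child received) is easy to miss. The PowerShell below is an added example, not sandbox output or code from the sample: it parses rows in the table's format into distinct edges, counts the calls per edge and classifies each child. The four rows embedded in it are constructed from the table above; the list of abused child images is taken from this report's Processes section and is an assumption for any other report.

```powershell
# Added example (not sandbox or sample code): summarise the WriteProcessMemory
# table above into distinct parent -> child edges and classify each child.
# The rows below are constructed from that table; paste the full table into
# $WpmTable for a real case.
$WpmTable = @'
PID 4080 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4080 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe C:\Windows\SysWOW64\schtasks.exe
PID 4080 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe
PID 4080 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe
'@

# Child images this sample abused (from the Processes section). Assumption:
# extend the list for other reports.
$LolBins = @('powershell.exe', 'schtasks.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe')

function ConvertFrom-WpmTable {
    param([Parameter(Mandatory)][string]$Text)

    # Row layout: "PID <src> wrote to memory of <dst> N/A <srcImage> <dstImage>".
    # Image paths contain spaces, so split at the " X:\" that starts the
    # target image rather than on whitespace.
    $rows = foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^PID (\d+) wrote to memory of (\d+) N/A (.+?) ([A-Za-z]:\\.+)$') {
            [pscustomobject]@{
                SourcePid   = [int]$Matches[1]
                TargetPid   = [int]$Matches[2]
                SourceImage = $Matches[3]
                TargetImage = $Matches[4]
            }
        }
    }

    # One row per call in the sandbox log; collapse to one edge per target PID
    # and keep the call count, which is itself a signal (see the note below).
    $rows | Group-Object SourcePid, TargetPid | ForEach-Object {
        $first = $_.Group[0]
        $leaf  = Split-Path -Leaf $first.TargetImage
        $assessment = if ($first.SourceImage -eq $first.TargetImage) {
                          'self-image child: hollowing candidate (cf. SetThreadContext)'
                      } elseif ($leaf -in $LolBins) {
                          "LOLBin child: $leaf"
                      } else {
                          'other child'
                      }
        [pscustomobject]@{
            SourcePid   = $first.SourcePid
            TargetPid   = $first.TargetPid
            TargetImage = $first.TargetImage
            WriteCalls  = $_.Count
            Assessment  = $assessment
        }
    }
}

ConvertFrom-WpmTable -Text $WpmTable | Format-Table -AutoSize
```

Run over the full table above, the parser yields five edges from PID 4080: two powershell.exe children (2344 and 1732), one schtasks.exe child (1388) and two children whose image is the sample itself (4312 and 3952). A few writes into every freshly created child come from CreateProcess itself, which writes the child's process parameters, so the three calls logged for each of 2344, 1732, 1388 and 4312 are not by themselves evidence of injection. The eleven calls into 3952 are the outlier, and 3952 is also the PID whose 0x00400000-0x0041B000 image region the sandbox dumped in the Files section; that combination is consistent with a payload being written into a suspended copy of the sample, which is what the SetThreadContext signature in the overview points at, and the dump is where to look for it.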

Processes

C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe

"C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QBloUDNxsti.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QBloUDNxsti" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA5B.tmp"

C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe

"C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe"

C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe

"C:\Users\Admin\AppData\Local\Temp\AWB_6434907- JULY 31 2024 - SkyWin.exe"
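
Two details of the process list are worth reading correctly. The 32-bit sample launched powershell.exe and schtasks.exe by their System32 paths, and the sandbox resolved them to SysWOW64: that is WOW64 file-system redirection for a 32-bit parent, and the Defender exclusions and the scheduled task those children created are machine-wide settings all the same. Second, the signatures above describe three host artifacts that outlive the sample's own process: the exefile association pointed at C:\Windows\svchost.com (the Neshta file infector; a clean Windows has no such file, svchost.exe lives in System32), the Defender exclusions for the sample's Temp path and for C:\Users\Admin\AppData\Roaming\QBloUDNxsti.exe (listed as QBLOUD~1.EXE under Files), and the task Updates\QBloUDNxsti. The PowerShell below is an added, read-only triage check written for this report, not code from the sandbox or the sample. It assumes an elevated 64-bit PowerShell on a host where Windows Defender is the active antivirus (so Get-MpPreference is available); the paths, task folder and SHA256 values are the ones reported above, and the "anything under a user profile" heuristics for exclusions and task actions are assumptions that will need tuning on hosts with legitimate per-user software.

```powershell
# Added host triage check for the artifacts this report attributes to the
# sample. Read-only: it reports, it does not remediate. Run elevated so HKLM,
# C:\Windows, scheduled tasks and Defender preferences are readable.
# SHA256 values are from the Files section of this report.
$ReportedSha256 = @{
    'C:\Windows\svchost.com'         = '0be3fe232479bb98c0801b5b5279e6f0527d470cf93236c9cc8109dd8bf6b268'
    "$env:APPDATA\QBloUDNxsti.exe"   = '08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e'
}

function Get-NeshtaTriageFindings {
    [CmdletBinding()]
    param([string]$TaskPath = '\Updates\')   # task folder from the schtasks command line above

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Check, $Indicator, $Status) {
        $findings.Add([pscustomobject]@{ Check = $Check; Indicator = $Indicator; Status = $Status })
    }

    # 1. exefile open handler. Clean default is '"%1" %*'; the report shows
    #    'C:\Windows\svchost.com "%1" %*'. A per-user copy under HKCU overrides
    #    HKLM and is normally absent, so it is checked too.
    foreach ($hive in 'HKEY_LOCAL_MACHINE', 'HKEY_CURRENT_USER') {
        $key = "Registry::$hive\SOFTWARE\Classes\exefile\shell\open\command"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $handler = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
        if ($handler -ne '"%1" %*') {
            Add-Finding "exefile handler ($hive)" $handler 'NOT DEFAULT (report: C:\Windows\svchost.com "%1" %*)'
        }
    }

    # 2. Dropped files, compared against the reported SHA256.
    foreach ($path in $ReportedSha256.Keys) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLowerInvariant()
        $status = if ($hash -eq $ReportedSha256[$path]) { 'PRESENT, SHA256 matches report' }
                  else { 'PRESENT, SHA256 differs (other build or unrelated file)' }
        Add-Finding 'dropped file' $path $status
    }
    # Neshta unpacks the original host program into %TEMP%\3582-490\ before
    # running it (the sample's own copy appears there in the Files section).
    $staging = Join-Path $env:TEMP '3582-490'
    if (Test-Path -LiteralPath $staging) {
        Add-Finding 'Neshta staging directory' $staging ('PRESENT, ' + @(Get-ChildItem -LiteralPath $staging -File).Count + ' file(s)')
    }

    # 3. Defender exclusions. The sample excluded its own Temp and Roaming
    #    paths; any exclusion under a user profile deserves a look (assumption).
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    foreach ($exclusion in @($pref.ExclusionPath)) {
        if ($exclusion -like "$env:SystemDrive\Users\*") {
            Add-Finding 'Defender path exclusion under a user profile' $exclusion 'REVIEW'
        }
    }

    # 4. Scheduled tasks: anything in the reported folder, plus any task whose
    #    action executes from AppData (assumption: a generalisation of this sample).
    foreach ($task in @(Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        $execs = @($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() })
        $fromAppData = @($task.Actions | Where-Object { $_.Execute -like '*\AppData\*' }).Count -gt 0
        if ($task.TaskPath -eq $TaskPath -or $fromAppData) {
            Add-Finding 'scheduled task' "$($task.TaskPath)$($task.TaskName)" ('REVIEW: ' + ($execs -join '; '))
        }
    }

    return $findings
}

Get-NeshtaTriageFindings | Format-Table -AutoSize
```

If the handler check fires, restoring the registry value alone is not a fix: every executable in the "Drops file in Program Files directory" list above was opened for modification by the sample, and a Neshta-infected program re-drops svchost.com and re-sets the association the next time it runs. Disinfect or reinstall those programs first, then remove svchost.com, the task, and the Defender exclusions (Remove-MpPreference -ExclusionPath), and only then restore the handler.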

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/4080-0-0x000000007447E000-0x000000007447F000-memory.dmp

memory/4080-1-0x00000000008C0000-0x000000000097C000-memory.dmp

memory/4080-2-0x00000000059B0000-0x0000000005F54000-memory.dmp

memory/4080-3-0x0000000005350000-0x00000000053E2000-memory.dmp

memory/4080-4-0x0000000005510000-0x000000000551A000-memory.dmp

memory/4080-5-0x0000000074470000-0x0000000074C20000-memory.dmp

memory/4080-6-0x0000000006660000-0x000000000667A000-memory.dmp

memory/4080-7-0x0000000006690000-0x000000000669E000-memory.dmp

memory/4080-8-0x00000000066F0000-0x000000000677E000-memory.dmp

memory/4080-9-0x0000000006C30000-0x0000000006CCC000-memory.dmp

memory/2344-14-0x0000000000990000-0x00000000009C6000-memory.dmp

memory/2344-15-0x0000000004ED0000-0x00000000054F8000-memory.dmp

memory/2344-16-0x0000000074470000-0x0000000074C20000-memory.dmp

memory/2344-17-0x0000000074470000-0x0000000074C20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpA5B.tmp

MD5 6f58165171633a1dc6eac77c342624fe
SHA1 dcaeea31ee07d584706d28dbb94940cca6168aa8
SHA256 9090edb8935cafdc1a5b685b9db9dc4ef43d4fba2cfc62b308f68e5be8e1966a
SHA512 ec8dc9955b64ae0e22e85e8c579f804ae273d226a0c27cedba0c9129ed7beb76da0e4915c2be16bdcf97b9bc7d602d911eb1c29a2d03d46ec83a0e9510074680

memory/2344-20-0x0000000004C50000-0x0000000004CB6000-memory.dmp

memory/2344-21-0x0000000004DF0000-0x0000000004E56000-memory.dmp

memory/2344-19-0x0000000004BB0000-0x0000000004BD2000-memory.dmp

memory/1732-23-0x0000000074470000-0x0000000074C20000-memory.dmp

memory/1732-22-0x0000000074470000-0x0000000074C20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sxsnjvh5.gss.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2344-42-0x0000000005500000-0x0000000005854000-memory.dmp

memory/3952-44-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3952-43-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4080-47-0x0000000074470000-0x0000000074C20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3582-490\AWB_6434907- JULY 31 2024 - SkyWin.exe

MD5 ae303747897daf45e48698d2ae593960
SHA1 b9349e9bf97e84e1490450a6a71f364a8a18ba40
SHA256 6ad9d05e2f8ab4b9050da219cc18aef707fd79ff7ee6e108bfb5f1d262c26dbb
SHA512 6386c4b064a957481a52faf153fc93af4029f2ade078656a359a8e0398c0329df6a903062a16868dc69efb06489af61a52aeccea4958402ddf46315f0b6ff16b

C:\Windows\svchost.com

MD5 831ea2d64c8371b5fb5c293902f942dd
SHA1 41bda99a7dcda14fffc5297f77d73deccf7e52f9
SHA256 0be3fe232479bb98c0801b5b5279e6f0527d470cf93236c9cc8109dd8bf6b268
SHA512 eb195b26b63bff3102231be5fcef9e700b23af42485719c1b77e30b06efd7cfd2c170a46d756c38d8056f0a9fa12fd25564bf21a700238035f4d066afadc0b0a

memory/2344-57-0x0000000005AF0000-0x0000000005B3C000-memory.dmp

memory/2344-55-0x0000000005960000-0x000000000597E000-memory.dmp

memory/1732-61-0x00000000709D0000-0x0000000070A1C000-memory.dmp

memory/1732-60-0x0000000006B80000-0x0000000006BB2000-memory.dmp

memory/1732-71-0x0000000006BC0000-0x0000000006BDE000-memory.dmp

memory/2344-72-0x00000000709D0000-0x0000000070A1C000-memory.dmp

memory/1732-73-0x0000000006BF0000-0x0000000006C93000-memory.dmp

memory/1732-83-0x0000000007360000-0x00000000079DA000-memory.dmp

memory/1732-84-0x0000000006D20000-0x0000000006D3A000-memory.dmp

memory/1732-85-0x0000000006D90000-0x0000000006D9A000-memory.dmp

memory/1732-97-0x0000000006FA0000-0x0000000007036000-memory.dmp

memory/1732-101-0x0000000006F20000-0x0000000006F31000-memory.dmp

memory/1732-102-0x0000000006F50000-0x0000000006F5E000-memory.dmp

memory/2344-103-0x0000000006FE0000-0x0000000006FF4000-memory.dmp

memory/2344-107-0x00000000070E0000-0x00000000070FA000-memory.dmp

memory/2344-109-0x00000000070C0000-0x00000000070C8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3fbf69d3de91453537687f2cce3342ed
SHA1 7e8b7f997b8b75c04a93671900c295bb49cac28f
SHA256 c99a2f17e82890ea51e6180fe1d1cc4090cda402dfd8f53076476b7102ab05a0
SHA512 e7cd9710fdd1da96ab9ae7bc10397e9fc5719255c3add229cdff6b34e9e4f0cc2a4031fd1b16cb4288300011929f73ff4ca051ac064d5c7396817ad34a76de72

memory/2344-158-0x0000000074470000-0x0000000074C20000-memory.dmp

memory/1732-156-0x0000000074470000-0x0000000074C20000-memory.dmp

C:\Users\Admin\AppData\Roaming\QBLOUD~1.EXE

MD5 8c4507c84e866d7a0677244d94c439f6
SHA1 b7917d2630306f79444a473903c0170ce8e58abe
SHA256 08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e
SHA512 950b7452c9047f24baec92101973fd3d4fdfac7f81cc2208df2a20de46db43b54eb411fa48442df5cf963ba18286047490b920529906149a8e1d9a5605bf01e1