Malware Analysis Report

2024-11-13 14:59

Sample ID 240314-ep92nsaa9s
Target 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f
SHA256 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f
Tags
neshta lockbit persistence ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f

Threat Level: Known bad

The file 286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f was found to be: Known bad.

Malicious Activity Summary

neshta lockbit persistence ransomware spyware stealer

Lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Detect Neshta payload

Neshta

Neshta family

Reads user/profile data of web browsers

Loads dropped DLL

Modifies system executable filetype association

Checks computer location settings

Executes dropped EXE

Drops desktop.ini file(s)

Drops file in System32 directory

Sets desktop wallpaper using registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Modifies Control Panel

Suspicious use of WriteProcessMemory

Modifies registry class

Enumerates system info in registry

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx


Analysis: static1

Detonation Overview

Reported

2024-03-14 04:08

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A

Neshta family

neshta

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-14 04:08

Reported

2024-03-14 04:10

Platform

win7-20240221-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A

Lockbit

ransomware lockbit

Neshta

persistence spyware neshta

Rule to detect Lockbit 3.0 ransomware Windows payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\sdBuuG2px.bmp" C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\sdBuuG2px.bmp" C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\WMPDMC.exe C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\misc.exe C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wabmig.exe C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\OIS.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sdBuuG2px\ = "sdBuuG2px" C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sdBuuG2px\DefaultIcon C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sdBuuG2px C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sdBuuG2px\DefaultIcon\ = "C:\\ProgramData\\sdBuuG2px.ico" C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sdBuuG2px C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
(14 identical events recorded for this process)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A (24 events, alternating in pairs with SeSecurityPrivilege)
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A (24 events, alternating in pairs with SeBackupPrivilege)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2224 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe (4 events)
PID 2928 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe C:\ProgramData\4624.tmp (5 events)
PID 2744 wrote to memory of 1624 N/A C:\ProgramData\4624.tmp C:\Windows\svchost.com (4 events)
PID 1624 wrote to memory of 888 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\cmd.exe (4 events)
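The registry and WriteProcessMemory rows above describe two layers. The submitted file (PID 2224) re-points HKLM\SOFTWARE\Classes\exefile\shell\open\command at C:\Windows\svchost.com, so every later .exe launch on the host passes through that stub, and writes a different executable (see the Files section: SHA256 2e218735...) into %TEMP%\3582-490\ before running it as PID 2928. That second stage registers the .sdBuuG2px extension, its DefaultIcon and the wallpaper, and hands off to C:\ProgramData\4624.tmp. The Python below is an added example, not part of the sandbox output: it parses rows of exactly the two shapes printed in these tables and pulls those facts out. The sample rows are copied from this section; the default handler value "%1" %* is the only constant not taken from the report.

```python
r"""Triage of the flattened signature rows in this report (added example).

Parses the two row shapes printed above,
    Set value (str) <key>\<name> = "<data>" <process> <target>
    PID <a> wrote to memory of <b> N/A <process> <target>
and extracts the exefile handler hijack, the new extension class, the
wallpaper change and the de-duplicated WriteProcessMemory chain.
"""
import re

# Windows default data for HKCR\exefile\shell\open\command (a constant, not from the report).
DEFAULT_EXEFILE_COMMAND = '"%1" %*'

WPM_RE = re.compile(r'^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$')

SAMPLE = '286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe'
STAGE1 = r'C:\Users\Admin\AppData\Local\Temp' + '\\' + SAMPLE           # submitted file
STAGE2 = r'C:\Users\Admin\AppData\Local\Temp\3582-490' + '\\' + SAMPLE  # extracted second stage

# Rows copied from behavioral1, with the duplicate counts the report shows.
SAMPLE_ROWS = (
    [
        r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = '
        r'"C:\\Windows\\svchost.com \"%1\" %*" ' + STAGE1 + ' N/A',
        r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sdBuuG2px\ = "sdBuuG2px" ' + STAGE2 + ' N/A',
        r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sdBuuG2px\DefaultIcon\ = '
        r'"C:\\ProgramData\\sdBuuG2px.ico" ' + STAGE2 + ' N/A',
        r'Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop'
        r'\WallPaper = "C:\\ProgramData\\sdBuuG2px.bmp" ' + STAGE2 + ' N/A',
    ]
    + [f'PID 2224 wrote to memory of 2928 N/A {STAGE1} {STAGE2}'] * 4
    + [f'PID 2928 wrote to memory of 2744 N/A {STAGE2} C:\\ProgramData\\4624.tmp'] * 5
    + [r'PID 2744 wrote to memory of 1624 N/A C:\ProgramData\4624.tmp C:\Windows\svchost.com'] * 4
    + [r'PID 1624 wrote to memory of 888 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\cmd.exe'] * 4
)


def parse_set_value(row):
    """Return (key, value_name, data, process) for a 'Set value (str)' row, else None.

    Key paths may contain spaces ("Control Panel"), so the row is cut at its fixed
    separators; process and target are the last two space-free tokens.
    """
    prefix = 'Set value (str) '
    if not row.startswith(prefix) or ' = "' not in row:
        return None
    left, right = row[len(prefix):].split(' = "', 1)
    parts = right.rsplit(' ', 2)
    if len(parts) != 3 or not parts[0].endswith('"'):
        return None
    data = parts[0][:-1].replace('\\"', '"').replace('\\\\', '\\')  # undo the report's escaping
    key, _, name = left.rpartition('\\')  # a trailing backslash means the key's default value
    return key, name, data, parts[1]


def triage(rows):
    """Summarise persistence and ransomware artefacts from signature rows."""
    findings = {
        'exefile_handler': None,  # program proxied in front of every .exe launch, if any
        'extensions': {},         # newly registered extension -> ProgID
        'icons': {},              # ProgID -> DefaultIcon path
        'wallpaper': None,
        'chain': [],              # unique (src_pid, dst_pid, src_image, dst_image), in order seen
    }
    seen = set()
    for row in rows:
        m = WPM_RE.match(row)
        if m:
            edge = (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
            if edge not in seen:
                seen.add(edge)
                findings['chain'].append(edge)
            continue
        parsed = parse_set_value(row)
        if parsed is None:
            continue
        key, name, data, _proc = parsed
        klow = key.lower()
        if name == '' and klow.endswith(r'\classes\exefile\shell\open\command'):
            if data != DEFAULT_EXEFILE_COMMAND:
                findings['exefile_handler'] = data.replace(DEFAULT_EXEFILE_COMMAND, '').strip()
        elif name == '' and '\\classes\\.' in klow:
            findings['extensions'][key.rsplit('\\', 1)[1]] = data
        elif name == '' and klow.endswith('\\defaulticon'):
            findings['icons'][key.rsplit('\\', 2)[1]] = data
        elif name.lower() == 'wallpaper':
            findings['wallpaper'] = data
    return findings


def chain_to_text(chain):
    """Render the WriteProcessMemory edges as one line per hop, root process first."""
    by_src = {src: (dst, si, di) for src, dst, si, di in chain}
    targets = {dst for _, dst, _, _ in chain}
    lines = []
    for pid in [src for src in by_src if src not in targets]:
        while pid in by_src:
            dst, si, di = by_src[pid]
            lines.append(f'{pid} {si} -> {dst} {di}')
            pid = dst
    return lines


if __name__ == '__main__':
    result = triage(SAMPLE_ROWS)
    print(result['exefile_handler'], result['extensions'], result['icons'], result['wallpaper'])
    print('\n'.join(chain_to_text(result['chain'])))
```

Run against the rows above, the handler comes out as C:\Windows\svchost.com, the extension map as .sdBuuG2px -> sdBuuG2px, and the chain as four hops from PID 2224 down to cmd.exe (PID 888). The same parser applies to any other report in this format; only the sample rows are specific to this detonation.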

Processes

C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe

"C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe"

C:\ProgramData\4624.tmp

"C:\ProgramData\4624.tmp"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x148

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\4624.tmp >> NUL

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /C DEL /F /Q C:\PROGRA~3\4624.tmp >> NUL

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

C:\$Recycle.Bin\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini

C:\Users\sdBuuG2px.README.txt

F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\DDDDDDDDDDD

\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

\ProgramData\4624.tmp

C:\Users\Admin\AppData\Local\Temp\3582-490\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

C:\Windows\svchost.com

C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-14 04:08

Reported

2024-03-14 04:10

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A

Lockbit

ransomware lockbit

Neshta

persistence spyware neshta

Rule to detect Lockbit 3.0 ransomware Windows payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\ProgramData\92DB.tmp N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-566096764-1992588923-1249862864-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-566096764-1992588923-1249862864-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\spool\PRINTERS\PPv3hd27bpzks8xux6ipqo6oaec.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PP30ugzr3m2kp01639l6rgxh0u.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PPt899z3v1cp0b6ucwhv3vi8t7.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\00002.SPL C:\Windows\splwow64.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\sdBuuG2px.bmp" C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\sdBuuG2px.bmp" C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MICROS~4.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{FB050~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MICROS~3.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MIA062~1.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MI391D~1.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MICROS~2.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MI9C33~1.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13185~1.17\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sdBuuG2px C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sdBuuG2px\ = "sdBuuG2px" C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sdBuuG2px\DefaultIcon C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sdBuuG2px C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sdBuuG2px\DefaultIcon\ = "C:\\ProgramData\\sdBuuG2px.ico" C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings C:\ProgramData\92DB.tmp N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3104 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe
PID 4652 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe C:\Windows\splwow64.exe
PID 3940 wrote to memory of 2608 N/A C:\Windows\system32\printfilterpipelinesvc.exe C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
PID 4652 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe C:\ProgramData\92DB.tmp
PID 4360 wrote to memory of 4748 N/A C:\ProgramData\92DB.tmp C:\Windows\svchost.com
PID 4748 wrote to memory of 3876 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe

"C:\Users\Admin\AppData\Local\Temp\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Windows\system32\printfilterpipelinesvc.exe

C:\Windows\system32\printfilterpipelinesvc.exe -Embedding

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{16169DD0-6581-4DDF-8D09-77A5B97C122C}.xps" 133548629023020000

C:\ProgramData\92DB.tmp

"C:\ProgramData\92DB.tmp"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\92DB.tmp >> NUL

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /C DEL /F /Q C:\PROGRA~3\92DB.tmp >> NUL

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 32.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 210.143.182.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\3582-490\286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f.exe

MD5 99bcce4f1d96c6ef25c157c9762d7fba
SHA1 85125f8f6ddc5dddca55c3c162eadffc7c10c231
SHA256 2e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9
SHA512 aa31d760be90faf8c2cad5901cdd7ca609f97d327f1c3660af661a43f77e865f5380fa1743969a10642ac4ba4219244d6890a70b4594ff260b34fb71a3518e47

C:\$Recycle.Bin\S-1-5-21-566096764-1992588923-1249862864-1000\DDDDDDDDDDD

MD5 3707665e2e19b050dcc8b824b48db163
SHA1 a9025e94f3001b4ad52d62dbc5459928e797671b
SHA256 b952de0ba8d532c651947a1bde26b26367050f38260dd00eb1c142926e907f41
SHA512 c723223ed3325610d94f78dd351c99a890534ea295aef9bc32ff805605382f3f7aec8701a3c8ee5ead3e1418e94d57fa722487ee1b67dfc3903ac8aea61eb1cd

C:\Users\sdBuuG2px.README.txt

MD5 492fa217c781e01582e5edb7a180b343
SHA1 40027558c381ce6798a5b58a4d760be07616b5af
SHA256 65962c9200871eba3b2cdad318c7a0e7b8197a515cd6eee8b5345cfbae4f352c
SHA512 0436369dc0727a810eed168bedce59d3b12ef73b925edaf86c51081fbe2252ebc7ce08d4592ac0de4e96315f4cedd9f068a9a8095b1d64a9e1fa235fbe981ee0

F:\$RECYCLE.BIN\S-1-5-21-566096764-1992588923-1249862864-1000\DDDDDDDDDDD

MD5 6aa0144b2e042f1e9a9574f9a2d0df2f
SHA1 4d245ba5c69c486fc9cdc74e014c75705c75ff87
SHA256 8b5a7e6d4bcaab3f658c328ea9b8d354287ca5b4ad241261a17f4de32166be90
SHA512 e64a9ba808a0e9d22a154b610170ed2b1924e9c3f9b34f92f117c667dc2f6578eb4792b25ecc28be3aa01b59394d5a4cca46b896ac46483e9ffa079c5a306aa5

C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

MD5 8ffc3bdf4a1903d9e28b99d1643fc9c7
SHA1 919ba8594db0ae245a8abd80f9f3698826fc6fe5
SHA256 8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6
SHA512 0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427

C:\ProgramData\92DB.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

C:\Users\Admin\AppData\Local\Temp\3582-490\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 83fc9b3159da9da4a8712bbb16680321
SHA1 371f3b1da816a0ca34a4b621efcaf869bd582ef3
SHA256 a46d29b169abbd56c363ffab67eb9147eae02af082924dafa8695b5ff3063554
SHA512 a542d9b8d5668fbead1cf73f62ca332f01589d1d60f7190ea4b74d8980ee2efd78d853bcd05a2e04c55a25bad0bebad53632b097399b00ae0ba1c20456b5c7ac

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

MD5 931b4ed0a95fd45f8eb63c89bbf5fad0
SHA1 124d4b2469cff6322f4573c65d89d796b9348ed4
SHA256 274db83e9afc6bacf68f95bef55db4ff861c18989c3dab7cb9b1e43e3519c44f
SHA512 9edc6dde3bb7a3caf21da2aa0c65a20bc57f3e45a75c51118e8e98eec83d33d3a228fe781a3d1c1b5aeafa1923048832b458cb7a996e35930c4e039d1ab05952

C:\Windows\svchost.com

MD5 36fd5e09c417c767a952b4609d73a54b
SHA1 299399c5a2403080a5bf67fb46faec210025b36d
SHA256 980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2
SHA512 1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp

MD5 16ebc67874bd1b1d0ee50cd8524f2bba
SHA1 7d4846a4038ebb1c678bffb83588cb5642a4d8b5
SHA256 a58352f4d5e39518b537caf7dac7a26ef83742b0cd0b8181a7b6e5013b928c6e
SHA512 cf507b0f60b0e285f326a191884ea144058ce38de4870d5ab0e6315e1babbc95cb776525412275d09cf18341413985d5106bd57b54a74d08125dec2514265757
