Malware Analysis Report

2024-11-16 12:21

Sample ID: 240413-l1mtvacg22
Target: PO No. 44 Master Group Trading & Contracting.exe
SHA256: dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532
Tags: neshta persistence spyware stealer
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532

Threat Level: Known bad

The file PO No. 44 Master Group Trading & Contracting.exe was found to be: Known bad.

Read together, the two detonations below show two distinct components in one binary:

Neshta file infector. The sample sets HKLM\SOFTWARE\Classes\exefile\shell\open\command to "C:\Windows\svchost.com "%1" %*" and writes C:\Windows\svchost.com, so every subsequent .exe launch on the host goes through the infector first. It then opens dozens of third-party executables under Program Files for modification (Office, Adobe Reader, Google Update and Windows Media Player on the Windows 7 run; Edge, Adobe Reader and Java on the Windows 10 run). The launcher is svchost.com, not the legitimate svchost.exe; the extension is the tell.

Loader/stealer side. A 32-bit PowerShell is spawned twice to run Add-MpPreference -ExclusionPath, once for the sample in %TEMP% and once for a copy at %AppData%\QxvrCwK.exe; that copy has the same SHA256 as the submitted file. schtasks.exe then registers the task Updates\QxvrCwK from an XML file written to %TEMP% (tmp5438.tmp). Finally the sample starts a second instance of itself and writes into it twelve times (PID 2004 -> 2748 in behavioral1), with SetThreadContext also flagged; nearly every memory dump taken from that child is the 0x400000-0x41B000 region, the default 32-bit PE image base. That pattern is consistent with process hollowing of its own image. The four writes into each freshly spawned PowerShell and schtasks child are the kind a parent makes while setting up any new process; the twelve into PID 2748 are the injection. The stealer tag comes from the "Reads user/profile data of web browsers" hit, for which no per-browser detail was captured.

No network traffic was recorded in either run, so nothing about the stealer's exfiltration or C2 can be read from this report; the detonation window was about two minutes.

A Neshta infector bundled with an unrelated stealer is what a stealer build looks like after it has itself been infected by Neshta on a compromised machine. That is the most likely explanation for the mixed tags, though the report itself does not establish the order in which the two were combined.

Malicious Activity Summary

neshta persistence spyware stealer

Detect Neshta payload

Neshta

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

Modifies system executable filetype association

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15): no technique mapping is present in this copy of the report.

Analysis: static1

Detonation Overview

Reported

2024-04-13 10:00

Signatures

Unsigned PE

1 match; no indicator, process or target details recorded.

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-13 10:00

Reported

2024-04-13 10:02

Platform

win7-20240221-en

Max time kernel

117s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe"

Signatures

Detect Neshta payload

5 matches; no indicator, process or target details recorded.

Neshta

persistence spyware neshta

Loads dropped DLL

Process: C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe (no indicator or target recorded)

Modifies system executable filetype association

persistence
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
Process: C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe
The stock value of this key is "%1" %*; after the change every .exe launch runs C:\Windows\svchost.com with the original program path as its argument. Note the .com extension: this is the dropped infector, not the legitimate svchost.exe in System32.
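The following script is an added example written by the editor for a responder checking a suspect host; it is not part of the sandbox report and not the malware's own code. It looks for the two Neshta artifacts recorded in this table (the exefile association pointing at svchost.com and the dropped C:\Windows\svchost.com) and, with -Repair, undoes them in the only safe order. It assumes an elevated PowerShell 5.1 or later session on the host and that nothing legitimate has customised the exefile association.

```powershell
# Added example (editor's, not from the report): detect and optionally repair
# the Neshta exefile hijack on a suspect host.
# Assumptions: elevated PowerShell on the host; the stock association value
# '"%1" %*' is the expected clean state (adjust $Clean if your build differs).

$Clean = '"%1" %*'   # stock (Default) value of ...\exefile\shell\open\command

# HKCU\Software\Classes overrides HKLM\Software\Classes for the current user,
# so both locations have to be checked.
$Keys = @(
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command',
    'Registry::HKEY_CURRENT_USER\SOFTWARE\Classes\exefile\shell\open\command'
)

function Test-NeshtaHijack {
    [CmdletBinding()]
    param(
        # -Repair restores the association first and deletes svchost.com second.
        # The order matters: removing the file while the association still
        # points at it makes every .exe launch on the box fail.
        [switch]$Repair
    )
    $findings = @()

    foreach ($k in $Keys) {
        if (-not (Test-Path -Path $k)) { continue }
        $val = (Get-Item -Path $k).GetValue('')          # the (Default) value
        if ([string]::IsNullOrEmpty($val) -or $val -eq $Clean) { continue }
        $findings += [pscustomobject]@{
            Artifact = 'exefile association'
            Location = $k
            Value    = $val
            Neshta   = [bool]($val -match '(?i)\\svchost\.com\b')
        }
        if ($Repair) { Set-ItemProperty -Path $k -Name '(default)' -Value $Clean }
    }

    $dropper = Join-Path -Path $env:SystemRoot -ChildPath 'svchost.com'
    if (Test-Path -Path $dropper) {
        $findings += [pscustomobject]@{
            Artifact = 'dropped infector'
            Location = $dropper
            Value    = (Get-FileHash -Algorithm SHA256 -Path $dropper).Hash
            Neshta   = $true
        }
        if ($Repair) { Remove-Item -Path $dropper -Force }
    }

    # Restoring the key and deleting svchost.com does NOT clean the host
    # executables Neshta already rewrote (see the Program Files list below);
    # those need reinstalling or restoring from a known-good source.
    return $findings
}

Test-NeshtaHijack | Format-Table -AutoSize
```

Run it read-only first; only add -Repair once the sample and its second instance have been terminated, otherwise the running infector can rewrite the key again. The repair also does not address any program already modified under Program Files, which is why the file list below matters for scoping the cleanup.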

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description: File opened for modification (every row)
Process: C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe (every row); Target: N/A
Paths are logged in 8.3 short-name form (PROGRA~2, COMMON~1 and so on); resolve them on the host before matching them as indicators.
Indicator:
C:\PROGRA~2\WINDOW~1\wab.exe
C:\PROGRA~2\WI54FB~1\wmplayer.exe
C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
C:\PROGRA~2\INTERN~1\ieinstal.exe
C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe
C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
C:\PROGRA~2\WI54FB~1\wmprph.exe
C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE
C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE
C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE
C:\PROGRA~2\MICROS~1\Office14\misc.exe
C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE
C:\PROGRA~2\WI54FB~1\WMPDMC.exe
C:\PROGRA~2\WINDOW~1\wabmig.exe
C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe
C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE
C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE
C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE
C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE
C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE
C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE
C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE
C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE
C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE
C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE
C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE
C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE
C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE
C:\PROGRA~2\MICROS~1\Office14\OIS.EXE
C:\PROGRA~2\WINDOW~1\WinMail.exe
C:\PROGRA~2\Google\Update\DISABL~1.EXE
C:\PROGRA~2\INTERN~1\ielowutil.exe
C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE
C:\PROGRA~2\WI54FB~1\wmpconfig.exe
C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe
C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE
C:\PROGRA~2\WI54FB~1\wmlaunch.exe
C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE

Drops file in Windows directory

File opened for modification: C:\Windows\svchost.com
Process: C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Process: C:\Windows\SysWOW64\schtasks.exe (no indicator recorded here; the command line is under Processes below)

Modifies registry class

Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
Process: C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe
(The same registry write as under "Modifies system executable filetype association"; it is matched by two rules.)

Suspicious behavior: EnumeratesProcesses

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (both PowerShell instances; no indicator recorded)

Suspicious use of AdjustPrivilegeToken

Token: SeDebugPrivilege
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (both PowerShell instances)

Suspicious use of WriteProcessMemory

Source process for every row: PID 2004, C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe

Target PID  Writes  Target process
2736        4       C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
2604        4       C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
2456        4       C:\Windows\SysWOW64\schtasks.exe
2748        12      C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe

Processes

C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe (PID 2004, parent of every process below)

"C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2736 or 2604)

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2604 or 2736)

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QxvrCwK.exe"

C:\Windows\SysWOW64\schtasks.exe (PID 2456)

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QxvrCwK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5438.tmp"

C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe (PID 2748, second instance; written to twelve times by PID 2004)

"C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe"

The image paths are under SysWOW64 while the command lines name System32: the parent is a 32-bit process, so WoW64 file-system redirection resolves System32 to SysWOW64 for the children. Add-MpPreference needs an elevated session to take effect; the report records the calls, not whether they succeeded.

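The following script is an added example written by the editor for a responder triaging a host; it is not part of the sandbox report and not the malware's own code. It checks for the three loader-side artifacts in the process list above: Defender path exclusions of the kind Add-MpPreference created, the scheduled task \Updates\QxvrCwK, and the self-copy %AppData%\QxvrCwK.exe, whose SHA256 in the Files section equals the submitted sample's. It assumes an elevated PowerShell on Windows 10/11 with the Defender and ScheduledTasks modules available, and that the task and file names match this run (other builds of the same family may use different names). The exclusion check is deliberately broader than this one sample: any exclusion for an .exe under %TEMP% or %AppData%\Roaming is flagged.

```powershell
# Added example (editor's, not from the report): find and optionally remove the
# Defender exclusions, scheduled task and self-copy seen in this detonation.
# Assumptions: elevated PowerShell; Get-MpPreference and Get-ScheduledTask
# available; names below are taken from this run and may differ elsewhere.

$SampleSha256 = 'DAFE6D74868C243D4F818AAB7C3F8D5D95B7D69AA1492E34E1E38D80D15E1532'
$SelfCopy     = Join-Path -Path $env:APPDATA -ChildPath 'QxvrCwK.exe'
$TaskPath     = '\Updates\'          # Get-ScheduledTask wants the trailing backslash
$TaskName     = 'QxvrCwK'

function Get-LoaderArtifacts {
    [CmdletBinding()]
    param([switch]$Remove)   # -Remove undoes each finding as it is reported
    $out = @()

    # 1. Defender path exclusions. An exclusion for an .exe living in %TEMP% or
    #    %AppData%\Roaming is suspicious on an end-user machine regardless of name.
    foreach ($e in @((Get-MpPreference).ExclusionPath)) {
        if (-not $e) { continue }
        if ($e -like '*\AppData\Local\Temp\*.exe' -or $e -like '*\AppData\Roaming\*.exe') {
            $out += [pscustomobject]@{ Type = 'DefenderExclusion'; Value = $e }
            if ($Remove) { Remove-MpPreference -ExclusionPath $e }
        }
    }

    # 2. The scheduled task. Report what it executes, not only that it exists,
    #    so the launch target can be added to the IOC list.
    $task = Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName -ErrorAction SilentlyContinue
    if ($task) {
        $runs = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
        $out += [pscustomobject]@{ Type = 'ScheduledTask'; Value = "$TaskPath$TaskName -> $runs" }
        if ($Remove) { Unregister-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName -Confirm:$false }
    }

    # 3. The self-copy. Hash it and compare with the sample hash from the report;
    #    a mismatch means a different build, not a clean file.
    if (Test-Path -Path $SelfCopy) {
        $hash = (Get-FileHash -Algorithm SHA256 -Path $SelfCopy).Hash
        $out += [pscustomobject]@{
            Type  = 'SelfCopy'
            Value = "$SelfCopy sha256=$hash sameAsSample=$($hash -eq $SampleSha256)"
        }
        if ($Remove) { Remove-Item -Path $SelfCopy -Force }
    }
    return $out
}

Get-LoaderArtifacts | Format-Table -AutoSize -Wrap
```

Terminate the sample's processes (the original and the hollowed second instance) before running with -Remove; otherwise the task and copy can simply be recreated. Removing the exclusions is also the step that lets Defender see the copy at all, so do it before expecting any signature-based cleanup to succeed.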
Network

No network activity was recorded during the 119 s network window.

Files

memory/2004-0-0x0000000000F40000-0x0000000001012000-memory.dmp

memory/2004-1-0x00000000745A0000-0x0000000074C8E000-memory.dmp

memory/2004-2-0x0000000004F80000-0x0000000004FC0000-memory.dmp

memory/2004-3-0x0000000000390000-0x00000000003AC000-memory.dmp

memory/2004-4-0x00000000003F0000-0x00000000003F8000-memory.dmp

memory/2004-5-0x0000000000470000-0x000000000047C000-memory.dmp

memory/2004-6-0x0000000005C50000-0x0000000005CDC000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YLTV4YALF482VXZI7C9U.temp

MD5 24068134b288c9515a01852a37f9b67d
SHA1 57201b8e5a7b12880535952b54095580cd772bdf
SHA256 4119a2179790f86689aaec9cb61d5842c1166edc9038441938f1663170952510
SHA512 dee6fe95b6cba410b57f287401d488de6d392daf40126f667b77aad429d533a1175f0e8f95b5c673de935e543e12c11f8fb4c9a12963b8f5436807f757096e18

C:\Users\Admin\AppData\Local\Temp\tmp5438.tmp

MD5 3134cb6dc9a251692a2eaaa7cb9057c8
SHA1 49c11ed40bd47093de6c669a87e406e330a258ce
SHA256 3de4b4de41bed4518acb3300fb75eee0ca7e161f219224dca20d906f5cc8ef4a
SHA512 57ca3c27f8b753c742007380494e4ac856ff56f9192e522f1e1906783e331597e36a520d887f18d5c74d5ce192c1310d84bf7b4280fe3ec0875787f0cf91e8f0

memory/2748-19-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2736-22-0x000000006E3A0000-0x000000006E94B000-memory.dmp

memory/2748-21-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2604-20-0x000000006E3A0000-0x000000006E94B000-memory.dmp

memory/2736-24-0x0000000000280000-0x00000000002C0000-memory.dmp

memory/2748-23-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2604-26-0x000000006E3A0000-0x000000006E94B000-memory.dmp

memory/2748-25-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2736-28-0x000000006E3A0000-0x000000006E94B000-memory.dmp

memory/2748-27-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2604-30-0x0000000002E50000-0x0000000002E90000-memory.dmp

memory/2748-29-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2736-32-0x0000000000280000-0x00000000002C0000-memory.dmp

memory/2748-31-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2604-34-0x0000000002E50000-0x0000000002E90000-memory.dmp

memory/2748-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2736-36-0x0000000000280000-0x00000000002C0000-memory.dmp

memory/2748-37-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2604-38-0x0000000002E50000-0x0000000002E90000-memory.dmp

memory/2004-40-0x00000000745A0000-0x0000000074C8E000-memory.dmp

memory/2748-41-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2748-39-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2748-43-0x0000000000400000-0x000000000041B000-memory.dmp

C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

MD5 e33fd58013493b59b3dfddb983a37927
SHA1 887015c06a5ae1d10d890bceeb6c1f9a95e27a72
SHA256 a63ed28f75de225b0ec2020c253f9cb397a7282812d6aa6bb9d47d8dc4548b39
SHA512 5e25bdf22997367c828454eda5f3f4a51c11f8c7fd5c26cbe00d8a339652df9c48fb8bfec2754977ffa82e55dd1de1421765d88c06617cc9360e92332f052371

memory/2604-51-0x000000006E3A0000-0x000000006E94B000-memory.dmp

memory/2736-52-0x000000006E3A0000-0x000000006E94B000-memory.dmp

\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

MD5 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1 ec66cda99f44b62470c6930e5afda061579cde35
SHA256 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

C:\Users\Admin\AppData\Roaming\QxvrCwK.exe (same SHA256 as the submitted sample: a byte-for-byte self-copy, the one the scheduled task and the second Defender exclusion refer to)

MD5 77fceb05a851e129ceac74ad35a49669
SHA1 9b2d4653f5aa38a9fc64e0eca19268e4da547b79
SHA256 dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532
SHA512 e818dce4d5f7f323148dea9a0dea3e77f8bfdc2e3010735fd97d45e8a69ee3c1f2b658f142bd47e3ca2833307486555a6464f39a0e3169b8294c0d540a9df4f9

memory/2748-127-0x0000000000400000-0x000000000041B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-13 10:00

Reported

2024-04-13 10:02

Platform

win10v2004-20240412-en

Max time kernel

96s

Max time network

113s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe"

Signatures

Detect Neshta payload

6 matches; no indicator, process or target details recorded.
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Checks computer location settings

Key value queried (2 events): \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe

Modifies system executable filetype association

persistence
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
Process: C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe
(Same exefile hijack as in behavioral1.)

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description: File opened for modification (every row)
Process: C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe (every row); Target: N/A
Paths are logged in 8.3 short-name form; resolve them on the host before matching them as indicators.
Indicator:
C:\PROGRA~2\INTERN~1\ielowutil.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~2.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MIA062~1.EXE
C:\PROGRA~2\WINDOW~4\wmlaunch.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE
C:\PROGRA~2\WINDOW~4\wmpconfig.exe
C:\PROGRA~2\WINDOW~4\wmprph.exe
C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe
C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MI391D~1.EXE
C:\PROGRA~2\WI8A19~1\ImagingDevices.exe
C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13185~1.29\MICROS~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE
C:\PROGRA~2\Google\Update\DISABL~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE
C:\PROGRA~2\WINDOW~4\wmpshare.exe
C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE
C:\PROGRA~2\WINDOW~4\wmplayer.exe
C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
C:\PROGRA~2\INTERN~1\ExtExport.exe
C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE
C:\PROGRA~2\INTERN~1\iexplore.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE
C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe
C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MI9C33~1.EXE
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe
C:\PROGRA~2\WINDOW~4\setup_wm.exe
C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4016 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe C:\Windows\SysWOW64\schtasks.exe
PID 4016 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe C:\Windows\SysWOW64\schtasks.exe
PID 4016 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe C:\Windows\SysWOW64\schtasks.exe
PID 4016 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe
PID 4016 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe
PID 4016 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe
PID 4016 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe
PID 4016 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe
PID 4016 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe
PID 4016 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe
PID 4016 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe
PID 4016 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe
PID 4016 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe
PID 4016 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe

Processes

C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe

"C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QxvrCwK.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QxvrCwK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7ADD.tmp"

C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe

"C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\tmp7ADD.tmp

MD5 dd4b7c5a926df803b6d8c80bac8294b2
SHA1 d86ea95315d342d1d134695ff6f280485c95711d
SHA256 e1fb87da3fa2b6e5ada24c3af667c5d7ab8cb1423c692ef4489b134e6825aa22
SHA512 280b2faa2e1632c5db1f0deeda4d444db8697a23b6a91e34f9fbac571808b67f07e63fe65bc7c742524b2845ed05ed8c42cb042e42ee4ef891fdbc9d712295c8

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y3evkowb.lkc.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\3582-490\PO No. 44 Master Group Trading & Contracting.exe

MD5 57886e3196900b7df0c72dd68d70064f
SHA1 2d74b0bdd34615f885e53db417368725ea21a2b0
SHA256 42307edb22a10f3de80cae4df709339e53ac4defc20a40dbfe773741ddbc80ba
SHA512 86c0ee4a2caf3b59916a6398e6d36215b457b05d3720e84fc5f3e47a642ade87705f038c0bf9c4823860ecfe54b4de2f21dcc096b8b01592b15670e00c5d6e60

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE

MD5 c0a853ba43630ec944ad3fdf2e6f3723
SHA1 497e73b82bff3625116e8f4050dd945ca48ceed0
SHA256 057bcd8e6fbb7cd75d6a55509743e1254bfbc773f745c77bfbe65726d2873855
SHA512 59e6d3801e78b0f6f7c7a384d3bd209124bd0a289a567108253fdec2b772df604f8921e63ca4510d6c02c575b4f2491aaea18b5c787a91f1f03f678398d4fef9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 294201b0ce3b1c5489b1facbc0e59d7d
SHA1 0b5b52f194226b999294df32303d80340985590a
SHA256 1a61816177c8bace9cb0661af1962249fcd135060072b71ee93bfb0aee66261c
SHA512 0d0757ba11b988e9f001a06ecd8bd0b5381bb31aca35a02433d5b2907c448601882b3748b9ea29b0363e856e02a2b3263f446140621869cd88fec0bcbc7bc971

C:\Users\Admin\AppData\Roaming\QxvrCwK.exe

MD5 77fceb05a851e129ceac74ad35a49669
SHA1 9b2d4653f5aa38a9fc64e0eca19268e4da547b79
SHA256 dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532
SHA512 e818dce4d5f7f323148dea9a0dea3e77f8bfdc2e3010735fd97d45e8a69ee3c1f2b658f142bd47e3ca2833307486555a6464f39a0e3169b8294c0d540a9df4f9