Malware Analysis Report

2024-11-16 12:20

Sample ID 240414-b5vp5sga7t
Target dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe
SHA256 dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532
Tags
neshta persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532

Threat Level: Known bad

The file dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe was found to be: Known bad.

Malicious Activity Summary

neshta persistence spyware stealer

Detect Neshta payload

Neshta

Detects executables packed with SmartAssembly

Reads user/profile data of web browsers

Modifies system executable filetype association

Checks computer location settings

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-14 01:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-14 01:44

Reported

2024-04-14 01:46

Platform

win7-20240221-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe"

Signatures

Detects executables packed with SmartAssembly

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2844 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2844 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2844 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2844 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2844 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2844 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2844 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2844 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2844 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe C:\Windows\SysWOW64\schtasks.exe
PID 2844 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe C:\Windows\SysWOW64\schtasks.exe
PID 2844 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe C:\Windows\SysWOW64\schtasks.exe
PID 2844 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe C:\Windows\SysWOW64\schtasks.exe
PID 2844 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe
PID 2844 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe
PID 2844 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe
PID 2844 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe
PID 2844 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe
PID 2844 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe
PID 2844 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe
PID 2844 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe
PID 2844 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe
PID 2844 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe

"C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QxvrCwK.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QxvrCwK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4D55.tmp"

C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe

"C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe"

Network

N/A

Files

memory/2844-0-0x0000000000B20000-0x0000000000BF2000-memory.dmp

memory/2844-1-0x0000000074BA0000-0x000000007528E000-memory.dmp

memory/2844-2-0x0000000004820000-0x0000000004860000-memory.dmp

memory/2844-3-0x0000000000450000-0x000000000046C000-memory.dmp

memory/2844-4-0x0000000000820000-0x0000000000828000-memory.dmp

memory/2844-5-0x00000000004B0000-0x00000000004BC000-memory.dmp

memory/2844-6-0x000000000D1F0000-0x000000000D27C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 1e3e7d8dbff661bf93e004af762fc68d
SHA1 41ac6cc251281723b665dfa16a09f88bcdf612d2
SHA256 4d587b0efe016b02a8daefe58912802df2da312f78ea788a825d45004ac3c028
SHA512 2deff65129d381ebef9a5dae09b34a455c2dccfdf3d8dab264b04854745d9a4696ad7a19fc7e1cd325c678d0bb05be7544716dac433f63f30254f9e1db9ad8aa

C:\Users\Admin\AppData\Local\Temp\tmp4D55.tmp

MD5 3134cb6dc9a251692a2eaaa7cb9057c8
SHA1 49c11ed40bd47093de6c669a87e406e330a258ce
SHA256 3de4b4de41bed4518acb3300fb75eee0ca7e161f219224dca20d906f5cc8ef4a
SHA512 57ca3c27f8b753c742007380494e4ac856ff56f9192e522f1e1906783e331597e36a520d887f18d5c74d5ce192c1310d84bf7b4280fe3ec0875787f0cf91e8f0

memory/2628-19-0x000000006EE40000-0x000000006F3EB000-memory.dmp

memory/564-20-0x0000000000400000-0x000000000041B000-memory.dmp

memory/564-21-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2004-22-0x000000006EE40000-0x000000006F3EB000-memory.dmp

memory/564-23-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2628-26-0x0000000002B40000-0x0000000002B80000-memory.dmp

memory/564-27-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2628-30-0x0000000002B40000-0x0000000002B80000-memory.dmp

memory/564-31-0x0000000000400000-0x000000000041B000-memory.dmp

memory/564-29-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2004-28-0x0000000002D00000-0x0000000002D40000-memory.dmp

memory/564-25-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2628-24-0x000000006EE40000-0x000000006F3EB000-memory.dmp

memory/2628-32-0x000000006EE40000-0x000000006F3EB000-memory.dmp

memory/2004-33-0x000000006EE40000-0x000000006F3EB000-memory.dmp

memory/2844-34-0x0000000074BA0000-0x000000007528E000-memory.dmp

memory/2844-35-0x0000000004820000-0x0000000004860000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-14 01:44

Reported

2024-04-14 01:46

Platform

win10v2004-20240412-en

Max time kernel

94s

Max time network

113s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Detects executables packed with SmartAssembly

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~2.EXE C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MIA062~1.EXE C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MI9C33~1.EXE C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MI391D~1.EXE C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13185~1.29\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~4.EXE C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~3.EXE C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2520 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2520 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2520 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2520 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2520 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2520 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2520 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe C:\Windows\SysWOW64\schtasks.exe
PID 2520 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe C:\Windows\SysWOW64\schtasks.exe
PID 2520 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe C:\Windows\SysWOW64\schtasks.exe
PID 2520 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe
PID 2520 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe
PID 2520 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe
PID 2520 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe
PID 2520 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe
PID 2520 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe
PID 2520 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe
PID 2520 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe
PID 2520 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe
PID 2520 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe
PID 2520 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe
PID 2520 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe
PID 2520 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe

"C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QxvrCwK.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QxvrCwK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5EC9.tmp"

C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe

"C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe"

C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe

"C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe"

C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe

"C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe"

C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe

"C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe"

C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe

"C:\Users\Admin\AppData\Local\Temp\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

memory/2520-0-0x00000000003F0000-0x00000000004C2000-memory.dmp

memory/2520-1-0x0000000074C50000-0x0000000075400000-memory.dmp

memory/2520-2-0x00000000055C0000-0x0000000005B64000-memory.dmp

memory/2520-3-0x0000000004F30000-0x0000000004FC2000-memory.dmp

memory/2520-4-0x0000000002920000-0x0000000002930000-memory.dmp

memory/2520-5-0x0000000004ED0000-0x0000000004EDA000-memory.dmp

memory/2520-6-0x00000000063C0000-0x00000000063DC000-memory.dmp

memory/2520-7-0x0000000006430000-0x0000000006438000-memory.dmp

memory/2520-8-0x00000000027A0000-0x00000000027AC000-memory.dmp

memory/2520-9-0x00000000069A0000-0x0000000006A2C000-memory.dmp

memory/2520-10-0x0000000008FB0000-0x000000000904C000-memory.dmp

memory/2812-15-0x0000000005140000-0x0000000005176000-memory.dmp

memory/2812-17-0x00000000057B0000-0x0000000005DD8000-memory.dmp

memory/2812-18-0x0000000002DA0000-0x0000000002DB0000-memory.dmp

memory/2812-16-0x0000000074C50000-0x0000000075400000-memory.dmp

memory/2812-19-0x0000000002DA0000-0x0000000002DB0000-memory.dmp

memory/3124-21-0x00000000030A0000-0x00000000030B0000-memory.dmp

memory/3124-20-0x00000000030A0000-0x00000000030B0000-memory.dmp

memory/3124-22-0x0000000074C50000-0x0000000075400000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp5EC9.tmp

MD5 fbfc742fae9659e8f37e7b75fcfd753a
SHA1 7bef9899a6e646414e71f4c07a5accc0b96ed3d8
SHA256 7ece9a464538abc8dc643a1c6098a6070c7efe504278efd2d9fe0e5e0aaac7e4
SHA512 4f68b83600a9d7643d48701ea794e1e23beb9508583fc00b0a1faaa2ab5c9579c803c0fbd6b5a2ecf9da48f0d8c8cf9927a920341898d64bd53055aaefbf0bd4

memory/2812-24-0x0000000005740000-0x0000000005762000-memory.dmp

memory/3124-25-0x0000000006280000-0x00000000062E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z5xwumsp.r15.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2812-31-0x0000000006100000-0x0000000006166000-memory.dmp

memory/2812-45-0x0000000006380000-0x00000000066D4000-memory.dmp

memory/4660-46-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4660-47-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2812-50-0x0000000006720000-0x000000000673E000-memory.dmp

memory/2520-51-0x0000000074C50000-0x0000000075400000-memory.dmp

memory/4660-49-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4660-53-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2812-54-0x00000000067B0000-0x00000000067FC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3582-490\dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532.exe

MD5 57886e3196900b7df0c72dd68d70064f
SHA1 2d74b0bdd34615f885e53db417368725ea21a2b0
SHA256 42307edb22a10f3de80cae4df709339e53ac4defc20a40dbfe773741ddbc80ba
SHA512 86c0ee4a2caf3b59916a6398e6d36215b457b05d3720e84fc5f3e47a642ade87705f038c0bf9c4823860ecfe54b4de2f21dcc096b8b01592b15670e00c5d6e60

memory/2812-66-0x00000000701C0000-0x000000007020C000-memory.dmp

memory/2812-65-0x000000007F250000-0x000000007F260000-memory.dmp

memory/2812-64-0x0000000007680000-0x00000000076B2000-memory.dmp

memory/2812-76-0x00000000076C0000-0x00000000076DE000-memory.dmp

memory/2812-79-0x0000000002DA0000-0x0000000002DB0000-memory.dmp

memory/2812-80-0x00000000076F0000-0x0000000007793000-memory.dmp

memory/3124-77-0x000000007FC10000-0x000000007FC20000-memory.dmp

memory/2812-90-0x0000000002DA0000-0x0000000002DB0000-memory.dmp

memory/3124-78-0x00000000701C0000-0x000000007020C000-memory.dmp

memory/3124-91-0x00000000030A0000-0x00000000030B0000-memory.dmp

memory/2812-92-0x0000000008070000-0x00000000086EA000-memory.dmp

memory/3124-93-0x0000000007C80000-0x0000000007C9A000-memory.dmp

memory/3124-94-0x0000000007CF0000-0x0000000007CFA000-memory.dmp

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE

MD5 c0a853ba43630ec944ad3fdf2e6f3723
SHA1 497e73b82bff3625116e8f4050dd945ca48ceed0
SHA256 057bcd8e6fbb7cd75d6a55509743e1254bfbc773f745c77bfbe65726d2873855
SHA512 59e6d3801e78b0f6f7c7a384d3bd209124bd0a289a567108253fdec2b772df604f8921e63ca4510d6c02c575b4f2491aaea18b5c787a91f1f03f678398d4fef9

memory/2812-96-0x0000000007CB0000-0x0000000007D46000-memory.dmp

memory/3124-110-0x0000000007E80000-0x0000000007E91000-memory.dmp

memory/3124-111-0x0000000007EB0000-0x0000000007EBE000-memory.dmp

memory/2812-125-0x0000000007C70000-0x0000000007C84000-memory.dmp

memory/3124-134-0x0000000007FC0000-0x0000000007FDA000-memory.dmp

memory/3124-149-0x0000000007FA0000-0x0000000007FA8000-memory.dmp

memory/3124-177-0x0000000074C50000-0x0000000075400000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4aeacfe821e408bba214d55505857781
SHA1 cd8bb251a398684e126533459c045af3ac5f44fb
SHA256 69def35da17cb1bf9d9dd41cff7c1cf1979a5def17e620a2ae02fbb4f6f2c2fc
SHA512 7471485ba74799700e3e3170bc5b77cb4773c726c96298010ec70d4eba8ff3932e792fe762fe1a05e5c6f868f1f4ce53db1a03cf1b1b60306545211492592744

memory/2812-183-0x0000000074C50000-0x0000000075400000-memory.dmp

C:\Users\Admin\AppData\Roaming\QxvrCwK.exe

MD5 77fceb05a851e129ceac74ad35a49669
SHA1 9b2d4653f5aa38a9fc64e0eca19268e4da547b79
SHA256 dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532
SHA512 e818dce4d5f7f323148dea9a0dea3e77f8bfdc2e3010735fd97d45e8a69ee3c1f2b658f142bd47e3ca2833307486555a6464f39a0e3169b8294c0d540a9df4f9

memory/4660-196-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4660-198-0x0000000000400000-0x000000000041B000-memory.dmp