Malware Analysis Report

2024-11-16 12:21

Sample ID 240414-bz35bsfh7s
Target a67944e6f26b44910a85a2d9c3fbc7ee75968123246f2718d359c533d98edc2d.zip
SHA256 a67944e6f26b44910a85a2d9c3fbc7ee75968123246f2718d359c533d98edc2d
Tags

neshta persistence spyware stealer

Score

10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

a67944e6f26b44910a85a2d9c3fbc7ee75968123246f2718d359c533d98edc2d

Threat Level: Known bad

The file a67944e6f26b44910a85a2d9c3fbc7ee75968123246f2718d359c533d98edc2d.zip was found to be: Known bad.

Malicious Activity Summary

neshta persistence spyware stealer

Neshta

Detect Neshta payload

Detects executables packed with SmartAssembly

Checks computer location settings

Reads user/profile data of web browsers

Modifies system executable filetype association

Loads dropped DLL

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-14 01:35

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-14 01:35

Reported

2024-04-14 01:38

Platform

win7-20240221-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe"

Signatures

Detect Neshta payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Neshta

persistence spyware neshta

Detects executables packed with SmartAssembly

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A

Modifies system executable filetype association

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\WI54FB~1\wmprph.exe | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\WI4223~1\sidebar.exe | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\WI54FB~1\wmpshare.exe | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\WI54FB~1\setup_wm.exe | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~1\wabmig.exe | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\WI54FB~1\wmlaunch.exe | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\DISABL~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\WI54FB~1\wmpconfig.exe | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2276 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2276 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2276 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2276 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2276 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2276 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2276 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2276 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2276 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2276 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2276 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2276 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2276 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe
PID 2276 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe
PID 2276 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe
PID 2276 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe
PID 2276 wrote to memory of 2440 | N/A | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe
PID 2276 wrote to memory of 2440 | N/A | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe
PID 2276 wrote to memory of 2440 | N/A | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe
PID 2276 wrote to memory of 2440 | N/A | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe
PID 2276 wrote to memory of 2440 | N/A | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe
PID 2276 wrote to memory of 2440 | N/A | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe
PID 2276 wrote to memory of 2440 | N/A | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe
PID 2276 wrote to memory of 2440 | N/A | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe
PID 2276 wrote to memory of 2440 | N/A | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe
PID 2276 wrote to memory of 2440 | N/A | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe
PID 2276 wrote to memory of 2440 | N/A | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe
PID 2276 wrote to memory of 2440 | N/A | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe

Processes

C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe

"C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QxvrCwK.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QxvrCwK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp37A4.tmp"

C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe

"C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe"

C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe

"C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe"

Network

N/A

Files

memory/2276-1-0x0000000073F50000-0x000000007463E000-memory.dmp

memory/2276-0-0x0000000000840000-0x0000000000912000-memory.dmp

memory/2276-2-0x0000000000A40000-0x0000000000A80000-memory.dmp

memory/2276-3-0x0000000000750000-0x000000000076C000-memory.dmp

memory/2276-4-0x0000000000530000-0x0000000000538000-memory.dmp

memory/2276-5-0x0000000000920000-0x000000000092C000-memory.dmp

memory/2276-6-0x000000000D0C0000-0x000000000D14C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp37A4.tmp

MD5 1081b43d72aacd2beaeed30d9d223006
SHA1 c7f19bc0d76022c077dfa8d5e2b2c56cf9dbe43b
SHA256 4312e62e57158d775aafc7fb9466352388e5574bb0f93c4bdbdaec79595c7ea9
SHA512 990ad251a38bd616b7f177d8d14aae936a1e590d0bf0093bc4e5d3b7b8480f81f113ce4d05f671b5f542331a748c48d9a31157c2ee6de23aa6bc84b98978eb55

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 fcd844fb44d0d9bdc7cd6958afb3ce10
SHA1 74b55dd3e43bb06dc5cad24a74650b8e314a1b4e
SHA256 370be234809947bb1ce6660fc7a882ca8fd90678a14a63a1df70f7f056b575eb
SHA512 71d26ba21efe23ab582971cecbc02ccc1b8a2331a87532744b4a283530ed61fe642567577f9a0a5f468799cfd4edc2298f57a0ee600f6bfdc684dcb69603bdf5

memory/2440-19-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2440-25-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2440-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2440-24-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2440-23-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2440-22-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2440-21-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2440-20-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2440-28-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2276-32-0x0000000073F50000-0x000000007463E000-memory.dmp

memory/2440-30-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2440-29-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2532-33-0x000000006EB00000-0x000000006F0AB000-memory.dmp

memory/2568-35-0x000000006EB00000-0x000000006F0AB000-memory.dmp

C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

MD5 e33fd58013493b59b3dfddb983a37927
SHA1 887015c06a5ae1d10d890bceeb6c1f9a95e27a72
SHA256 a63ed28f75de225b0ec2020c253f9cb397a7282812d6aa6bb9d47d8dc4548b39
SHA512 5e25bdf22997367c828454eda5f3f4a51c11f8c7fd5c26cbe00d8a339652df9c48fb8bfec2754977ffa82e55dd1de1421765d88c06617cc9360e92332f052371

memory/2568-38-0x0000000002C70000-0x0000000002CB0000-memory.dmp

memory/2568-43-0x000000006EB00000-0x000000006F0AB000-memory.dmp

memory/2568-46-0x0000000002C70000-0x0000000002CB0000-memory.dmp

memory/2440-48-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2532-47-0x0000000002AA0000-0x0000000002AE0000-memory.dmp

memory/2568-45-0x0000000002C70000-0x0000000002CB0000-memory.dmp

memory/2532-44-0x000000006EB00000-0x000000006F0AB000-memory.dmp

memory/2568-50-0x000000006EB00000-0x000000006F0AB000-memory.dmp

memory/2532-49-0x000000006EB00000-0x000000006F0AB000-memory.dmp

\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

MD5 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1 ec66cda99f44b62470c6930e5afda061579cde35
SHA256 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

C:\Users\Admin\AppData\Roaming\QxvrCwK.exe

MD5 77fceb05a851e129ceac74ad35a49669
SHA1 9b2d4653f5aa38a9fc64e0eca19268e4da547b79
SHA256 dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532
SHA512 e818dce4d5f7f323148dea9a0dea3e77f8bfdc2e3010735fd97d45e8a69ee3c1f2b658f142bd47e3ca2833307486555a6464f39a0e3169b8294c0d540a9df4f9

memory/2440-125-0x0000000000400000-0x000000000041B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-14 01:35

Reported

2024-04-14 01:38

Platform

win10v2004-20240412-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe"

Signatures

Detect Neshta payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Neshta

persistence spyware neshta

Detects executables packed with SmartAssembly

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A

Modifies system executable filetype association

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MI391D~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\MOZILL~1\UNINST~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~4\wmpshare.exe | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~4.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\INTERN~1\ExtExport.exe | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\WI8A19~1\ImagingDevices.exe | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\DISABL~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~3.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~4\wmprph.exe | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~4\wmpconfig.exe | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~2\wabmig.exe | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~4\wmlaunch.exe | C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe | N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MI9C33~1.EXE C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe N/A
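
The value written above replaces the shell's default launcher for every .exe with the file dropped into the Windows directory (C:\Windows\svchost.com, listed two sections up), so each executable a user starts first runs that wrapper with the real target as its argument. The check below is an added example and is not part of the sandbox report: it classifies an exefile\shell\open\command value, lists the on-disk artifacts this report names for the sample (the wrapper and the 3582-490 directory under Temp that appears in the Files section), and reads the live value only when run on Windows. The Windows default value '"%1" %*' is a known constant; the sample registry values are constructed from the row above.

```python
"""Check for the exefile association hijack recorded above.

Added example; it is not part of the sandbox report. The registry path and
the clean default value '"%1" %*' are Windows defaults, the wrapper value is
the one the report shows the sample writing, and the artifact paths are the
ones listed in this report. The live registry read only runs on Windows.
"""
import os
import platform
import re
from typing import Callable, Dict, Iterable, List, Optional

EXEFILE_CMD_SUBKEY = r"SOFTWARE\Classes\exefile\shell\open\command"
CLEAN_DEFAULT = '"%1" %*'

# Constructed sample values: the Windows default and the value the sandbox
# observed (the report prints it with escaped quotes; this is the raw value).
SAMPLE_VALUES = {
    "clean": '"%1" %*',
    "neshta": r'C:\Windows\svchost.com "%1" %*',
}

# A wrapper is anything placed in front of "%1": that program runs first for
# every .exe the shell launches, with the real target as its argument.
WRAPPER_RE = re.compile(r'^("[^"]+"|\S+)\s+"%1"\s*%\*$')


def classify_exefile_command(value: str) -> Dict[str, Optional[object]]:
    """Verdict for the (Default) value of exefile\\shell\\open\\command."""
    value = value.strip()
    if value == CLEAN_DEFAULT:
        return {"hijacked": False, "wrapper": None}
    m = WRAPPER_RE.match(value)
    wrapper = m.group(1).strip('"') if m else value
    return {"hijacked": True, "wrapper": wrapper}


def expected_artifacts(windir: str = r"C:\Windows",
                       temp: str = r"C:\Users\Admin\AppData\Local\Temp") -> List[str]:
    """On-disk artifacts this report attributes to the sample: the wrapper
    dropped into the Windows directory and the 3582-490 directory under Temp
    in which a copy of the modified executable appears in the Files section."""
    return [windir + r"\svchost.com", temp + r"\3582-490"]


def present_artifacts(paths: Iterable[str],
                      exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return the subset of paths that exist; `exists` is injectable so the
    check can be exercised with constructed data off a Windows host."""
    return [p for p in paths if exists(p)]


def read_live_exefile_command() -> Optional[str]:
    """Read the live HKLM value on Windows; None on other platforms."""
    if platform.system() != "Windows":
        return None
    import winreg  # Windows-only standard-library module
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, EXEFILE_CMD_SUBKEY) as key:
        value, _ = winreg.QueryValueEx(key, "")  # "" selects the (Default) value
    return value


if __name__ == "__main__":
    for label, value in SAMPLE_VALUES.items():
        print(label, classify_exefile_command(value))
    live = read_live_exefile_command()
    if live is not None:
        print("live", classify_exefile_command(live))
        print("artifacts", present_artifacts(expected_artifacts()))
```

Restoring the registry value alone is not enough on an infected host: the executables listed in the "Drops file in Program Files directory" table were opened for modification by the sample, so each one has to be restored from a clean source (or from the copies under the 3582-490 directory, after verifying their hashes) before the wrapper file is removed.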

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3908 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3908 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3908 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3908 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3908 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3908 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3908 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe C:\Windows\SysWOW64\schtasks.exe
PID 3908 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe C:\Windows\SysWOW64\schtasks.exe
PID 3908 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe C:\Windows\SysWOW64\schtasks.exe
PID 3908 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe
PID 3908 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe
PID 3908 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe
PID 3908 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe
PID 3908 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe
PID 3908 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe
PID 3908 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe
PID 3908 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe
PID 3908 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe
PID 3908 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe
PID 3908 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe
PID 3908 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe
PID 3908 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe
PID 3908 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe
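
The table above records the same parent (PID 3908) writing into two PowerShell instances, one schtasks instance and two further copies of its own image, with eleven writes into the second copy (PID 4672). The script below is an added example, not part of the report: it rebuilds the parent-to-child relationships from rows in this table format, attaches the memory-dump regions from the Files section, and flags a child that runs the writer's own image and has a dumped region at the 32-bit default image base 0x400000. Treating that combination as a process-hollowing candidate is this example's own criterion; the sample rows are reconstructed from the table (same PIDs, images and row counts) and the dump names are copied from the Files section.

```python
"""Reconstruct the process tree from the "wrote to memory" rows above.

Added example, not from the sandbox or the report. Sample rows are rebuilt
from the table in this section (same PIDs, images and row counts); the dump
names are copied from the Files section of this report.
"""
import re
from typing import Dict, List, Optional, Tuple

SRC = r"C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"


def _row(dst_pid: int, dst_img: str) -> str:
    # Reconstructed table row: "PID <src> wrote to memory of <dst> N/A <src image> <dst image>"
    return f"PID 3908 wrote to memory of {dst_pid} N/A {SRC} {dst_img}"


# Same row counts as the table: 3 writes each into the two PowerShell
# instances, schtasks and the first child copy, 11 into the second child copy.
SAMPLE_ROWS = (
    [_row(1840, PS)] * 3 + [_row(2244, PS)] * 3 + [_row(396, SCHTASKS)] * 3
    + [_row(4048, SRC)] * 3 + [_row(4672, SRC)] * 11
)

# Dump names copied from the Files section (a subset).
SAMPLE_DUMPS = [
    "memory/3908-0-0x0000000000C80000-0x0000000000D52000-memory.dmp",
    "memory/1840-15-0x00000000049A0000-0x00000000049D6000-memory.dmp",
    "memory/4672-25-0x0000000000400000-0x000000000041B000-memory.dmp",
    "memory/4672-32-0x0000000000400000-0x000000000041B000-memory.dmp",
]

# Source image ends in .exe and the target image starts with a drive letter,
# which is the only reliable separator between the two space-containing paths.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) ([A-Za-z]:\\.+)$", re.I)
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

DEFAULT_IMAGE_BASE_32 = 0x400000  # default base of a 32-bit PE without relocation


def parse_row(row: str) -> Optional[Tuple[int, int, str, str]]:
    m = ROW_RE.match(row.strip())
    return (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)) if m else None


def parse_dump(name: str) -> Optional[Tuple[int, int, int, int]]:
    m = DUMP_RE.match(name.strip())
    return (int(m.group(1)), int(m.group(2)), int(m.group(3), 16), int(m.group(4), 16)) if m else None


def summarize(rows: List[str], dumps: List[str]) -> Dict[int, dict]:
    """Per target PID: writer, image, write count, same-image flag, dumped regions."""
    summary: Dict[int, dict] = {}
    for row in rows:
        parsed = parse_row(row)
        if parsed is None:
            continue
        src, dst, src_img, dst_img = parsed
        entry = summary.setdefault(dst, {
            "writer": src, "image": dst_img, "writes": 0,
            "same_image": src_img.lower() == dst_img.lower(), "regions": [],
        })
        entry["writes"] += 1
    for name in dumps:
        parsed = parse_dump(name)
        if parsed is None:
            continue
        pid, _, start, end = parsed
        if pid in summary:
            summary[pid]["regions"].append((start, end))
    return summary


def hollowing_candidates(summary: Dict[int, dict]) -> List[int]:
    """Children that run the writer's own image and have a dumped region at
    the default 32-bit image base: a parent rewriting its own child's image
    region is the shape of process hollowing (this example's criterion)."""
    return sorted(pid for pid, e in summary.items()
                  if e["same_image"] and any(s == DEFAULT_IMAGE_BASE_32 for s, _ in e["regions"]))


if __name__ == "__main__":
    s = summarize(SAMPLE_ROWS, SAMPLE_DUMPS)
    for pid, e in sorted(s.items()):
        print(pid, e["writes"], "writes", "same image" if e["same_image"] else "", e["regions"])
    print("hollowing candidates:", hollowing_candidates(s))
```

The dumped region for PID 4672 is 0x400000 to 0x41B000, far smaller than the parent's own image mapping, so the next step is to compare that dump against the on-disk sample and the dropped QxvrCwK.exe rather than assume it is the same binary.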

Processes

C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe

"C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QxvrCwK.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QxvrCwK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5D81.tmp"

C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe

"C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe"

C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe

"C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe"
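
Two of the child command lines above add Windows Defender exclusions (one for the running sample, one for the dropped QxvrCwK.exe in Roaming) and a third registers a scheduled task named Updates\QxvrCwK from an XML definition in the user's Temp directory. The rules below are an added example and are not part of the report: they score each command line, then correlate the exclusion path with the task name to show that both protect the same payload. The first three sample lines are copied from the list above; the fourth is constructed to show a task creation that reads its definition from a non-user-writable path. The rule names and the user-writable path markers are this example's own.

```python
"""Triage rules for the command lines listed above.

Added example; not part of the report. The first three sample command lines
are copied from the Processes list, the fourth is constructed to show a
task creation that does not read its definition from a user-writable path.
Rule names and the "user-writable" path markers are this example's own.
"""
import re
from typing import Dict, List

SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO No. 44 Master Group Trading & Contracting.exe"',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QxvrCwK.exe"',
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QxvrCwK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5D81.tmp"',
    # Constructed: same tool and switch, task definition under Program Files.
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Backup\Nightly" /XML "C:\Program Files\Backup\nightly.xml"',
]

RE_MPPREF = re.compile(r"\bAdd-MpPreference\b", re.I)
RE_EXCL = re.compile(r'-Exclusion(?:Path|Process|Extension)\s+("[^"]+"|\S+)', re.I)
RE_SCHTASKS = re.compile(r'schtasks(?:\.exe)?"?\s+/create\b', re.I)
RE_XML = re.compile(r'/xml\s+("[^"]+"|\S+)', re.I)
RE_TN = re.compile(r'/tn\s+("[^"]+"|\S+)', re.I)

# Locations a standard user can write to; a Defender exclusion or a task
# definition pointing here protects or launches attacker-controlled files.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\users\\public\\", "\\temp\\")


def is_user_writable(path: str) -> bool:
    p = path.strip('"').lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def evaluate(cmdline: str) -> List[str]:
    """Rule hits for one process command line, in a fixed order."""
    hits: List[str] = []
    if RE_MPPREF.search(cmdline):
        hits.append("defender-exclusion-added")
        m = RE_EXCL.search(cmdline)
        if m and is_user_writable(m.group(1)):
            hits.append("exclusion-targets-user-writable-path")
    if RE_SCHTASKS.search(cmdline):
        hits.append("scheduled-task-created")
        m = RE_XML.search(cmdline)
        if m and is_user_writable(m.group(1)):
            hits.append("task-definition-from-user-writable-path")
    return hits


def scan(cmdlines: List[str]) -> Dict[int, List[str]]:
    return {i: evaluate(c) for i, c in enumerate(cmdlines)}


def _stem(value: str) -> str:
    """Last path component without extension, lower-cased, so a task name
    like Updates\\QxvrCwK and a file QxvrCwK.exe compare equal."""
    name = value.strip('"').replace("/", "\\").rsplit("\\", 1)[-1]
    return (name.rsplit(".", 1)[0] if "." in name else name).lower()


def shared_stems(cmdlines: List[str]) -> List[str]:
    """Names that appear both as a Defender exclusion and as a task name:
    the exclusion and the persistence mechanism cover the same payload."""
    exclusions, tasks = set(), set()
    for c in cmdlines:
        m = RE_EXCL.search(c)
        if m:
            exclusions.add(_stem(m.group(1)))
        m = RE_TN.search(c)
        if m:
            tasks.add(_stem(m.group(1)))
    return sorted(exclusions & tasks)


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_CMDLINES).items():
        print(i, hits or "-")
    print("shared:", shared_stems(SAMPLE_CMDLINES))
```

The Defender exclusions run before the scheduled task is registered, and the task's XML is deleted with the rest of Temp in many cleanups, so on a live host the surviving evidence is the exclusion list (Get-MpPreference) and the task itself under the Updates folder, not the command lines.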

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/3908-0-0x0000000000C80000-0x0000000000D52000-memory.dmp

memory/3908-1-0x0000000074910000-0x00000000750C0000-memory.dmp

memory/3908-2-0x0000000005D80000-0x0000000006324000-memory.dmp

memory/3908-3-0x00000000056F0000-0x0000000005782000-memory.dmp

memory/3908-4-0x0000000005960000-0x0000000005970000-memory.dmp

memory/3908-5-0x00000000057B0000-0x00000000057BA000-memory.dmp

memory/3908-6-0x0000000005D60000-0x0000000005D7C000-memory.dmp

memory/3908-7-0x0000000006C40000-0x0000000006C48000-memory.dmp

memory/3908-8-0x0000000002FB0000-0x0000000002FBC000-memory.dmp

memory/3908-9-0x00000000085F0000-0x000000000867C000-memory.dmp

memory/3908-10-0x0000000009820000-0x00000000098BC000-memory.dmp

memory/1840-15-0x00000000049A0000-0x00000000049D6000-memory.dmp

memory/1840-17-0x0000000074910000-0x00000000750C0000-memory.dmp

memory/1840-18-0x0000000004A80000-0x0000000004A90000-memory.dmp

memory/1840-19-0x0000000004A80000-0x0000000004A90000-memory.dmp

memory/1840-16-0x00000000050C0000-0x00000000056E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp5D81.tmp

MD5 88cb34421592783ee805142016e313fa
SHA1 5a8b088656a6aa19899e00b966307227ad31d51c
SHA256 d0f2fc37f8fb2d936def5494302c91f299f0fd679d4b1c1a88a97bd0233351ed
SHA512 6be106298f4931af3a9ecad50d4275ecd35e11399bee88e09fcbef8f0d380dc47ee74933ceb7676d5f1b2475702169c6b3abf9491ee5c377f2c98834ad344d25

memory/2244-22-0x0000000002DE0000-0x0000000002DF0000-memory.dmp

memory/2244-21-0x0000000074910000-0x00000000750C0000-memory.dmp

memory/2244-23-0x0000000002DE0000-0x0000000002DF0000-memory.dmp

memory/1840-24-0x0000000004FA0000-0x0000000004FC2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3gaxntdt.ix4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4672-25-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4672-32-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4672-45-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3908-52-0x0000000074910000-0x00000000750C0000-memory.dmp

memory/1840-51-0x0000000005AF0000-0x0000000005E44000-memory.dmp

memory/4672-50-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2244-42-0x0000000006100000-0x0000000006166000-memory.dmp

memory/2244-31-0x0000000006020000-0x0000000006086000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3582-490\PO No. 44 Master Group Trading & Contracting.exe

MD5 57886e3196900b7df0c72dd68d70064f
SHA1 2d74b0bdd34615f885e53db417368725ea21a2b0
SHA256 42307edb22a10f3de80cae4df709339e53ac4defc20a40dbfe773741ddbc80ba
SHA512 86c0ee4a2caf3b59916a6398e6d36215b457b05d3720e84fc5f3e47a642ade87705f038c0bf9c4823860ecfe54b4de2f21dcc096b8b01592b15670e00c5d6e60

memory/1840-62-0x0000000005F80000-0x0000000005F9E000-memory.dmp

memory/2244-63-0x0000000006750000-0x000000000679C000-memory.dmp

memory/1840-66-0x0000000074910000-0x00000000750C0000-memory.dmp

memory/2244-67-0x000000007F7E0000-0x000000007F7F0000-memory.dmp

memory/2244-69-0x0000000070D60000-0x0000000070DAC000-memory.dmp

memory/2244-68-0x0000000006CD0000-0x0000000006D02000-memory.dmp

memory/2244-79-0x0000000006CB0000-0x0000000006CCE000-memory.dmp

memory/2244-80-0x0000000002DE0000-0x0000000002DF0000-memory.dmp

memory/2244-81-0x00000000078F0000-0x0000000007993000-memory.dmp

memory/2244-83-0x0000000007A40000-0x0000000007A5A000-memory.dmp

memory/2244-82-0x0000000008080000-0x00000000086FA000-memory.dmp

memory/2244-84-0x0000000007AB0000-0x0000000007ABA000-memory.dmp

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE

MD5 c0a853ba43630ec944ad3fdf2e6f3723
SHA1 497e73b82bff3625116e8f4050dd945ca48ceed0
SHA256 057bcd8e6fbb7cd75d6a55509743e1254bfbc773f745c77bfbe65726d2873855
SHA512 59e6d3801e78b0f6f7c7a384d3bd209124bd0a289a567108253fdec2b772df604f8921e63ca4510d6c02c575b4f2491aaea18b5c787a91f1f03f678398d4fef9

memory/2244-99-0x0000000007CC0000-0x0000000007D56000-memory.dmp

memory/2244-100-0x0000000007C40000-0x0000000007C51000-memory.dmp

memory/2244-122-0x0000000007C70000-0x0000000007C7E000-memory.dmp

memory/2244-127-0x0000000007C80000-0x0000000007C94000-memory.dmp

memory/2244-135-0x0000000007D80000-0x0000000007D9A000-memory.dmp

memory/2244-140-0x0000000007D60000-0x0000000007D68000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 33b19d75aa77114216dbc23f43b195e3
SHA1 36a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256 b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512 676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d149c35966223e0a2dc91d4b847d6ffd
SHA1 ae167896f5e953d6151fb6adcf64dd2ff046d1dc
SHA256 c0feb853e09e51e0aea29f513bb17bf19bd2cb81e1d9d37bc7f982a5ed058f65
SHA512 88297ac448913b86a64f2f5e947e38671d5db869f007165d9b9b31543c7e00b41102dbec04af343c2018daa00ac856900dac37b49a4fa8aa796310affc748f10

memory/2244-166-0x0000000074910000-0x00000000750C0000-memory.dmp

C:\Users\Admin\AppData\Roaming\QxvrCwK.exe

MD5 77fceb05a851e129ceac74ad35a49669
SHA1 9b2d4653f5aa38a9fc64e0eca19268e4da547b79
SHA256 dafe6d74868c243d4f818aab7c3f8d5d95b7d69aa1492e34e1e38d80d15e1532
SHA512 e818dce4d5f7f323148dea9a0dea3e77f8bfdc2e3010735fd97d45e8a69ee3c1f2b658f142bd47e3ca2833307486555a6464f39a0e3169b8294c0d540a9df4f9

memory/4672-183-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4672-185-0x0000000000400000-0x000000000041B000-memory.dmp