Malware Analysis Report

2024-11-16 12:22

Sample ID 240415-qb3afshc9t
Target Order RFQ-HL51L05.exe
SHA256 849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a
Tags: neshta persistence spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256

849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a

Threat Level: Known bad

The file Order RFQ-HL51L05.exe was found to be: Known bad.

Malicious Activity Summary

neshta persistence spyware stealer

Neshta

Detect Neshta payload

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

Modifies system executable filetype association

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-15 13:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-15 13:06

Reported

2024-04-15 13:08

Platform

win7-20240221-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A

Modifies system executable filetype association

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2412 set thread context of 2624 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\misc.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\WMPDMC.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\OIS.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wabmig.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2412 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Windows\SysWOW64\schtasks.exe
PID 2412 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Windows\SysWOW64\schtasks.exe
PID 2412 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Windows\SysWOW64\schtasks.exe
PID 2412 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Windows\SysWOW64\schtasks.exe
PID 2412 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 2412 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 2412 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 2412 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 2412 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 2412 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 2412 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 2412 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 2412 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 2412 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 2412 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 2412 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe

"C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JbEQlGryO.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JbEQlGryO" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3997.tmp"

C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe

"C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe"

Network

N/A

Files

memory/2412-0-0x0000000000080000-0x000000000014C000-memory.dmp

memory/2412-1-0x0000000074840000-0x0000000074F2E000-memory.dmp

memory/2412-2-0x00000000048D0000-0x0000000004910000-memory.dmp

memory/2412-3-0x0000000000560000-0x0000000000572000-memory.dmp

memory/2412-4-0x0000000000680000-0x0000000000688000-memory.dmp

memory/2412-5-0x00000000008F0000-0x00000000008FC000-memory.dmp

memory/2412-6-0x0000000005070000-0x00000000050FC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp3997.tmp

MD5 41d7eec651dc9a6a79ced629f47e9e03
SHA1 7f5151578b7e18654c337704e49aa1671b927e3b
SHA256 8efda22dce0fd61ab35bf2bb85d80cc81f7851eb6978ce2f502a7dad4f98d9a3
SHA512 b508853cece6ce8715eba72da58fc37b866de6a0e2b10965973f4f25729291fcbee58f8361f37f1ab1c4b5f48b12ade5d5a79477314f88c9b13c8ec361caac85

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\07G6QWRALLQUFSMUC0PC.temp

MD5 b448de198240f8830cf2697b06e52649
SHA1 bd9b684ffbc54c1a59ca7a6c7a35f18e21262bb0
SHA256 0e19f28dd61e9185015f32dd73ec727520824f0818a65ab5ef7b7cdb97565720
SHA512 b6eb19a2c9c721a6a1110c23970863490628ee8fd52cdc91bbf98344cc9b2b519b9301e8f1501550036a420bc86a71c6285a808f3ce19da81a3f19bdf983836f

memory/2624-19-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2624-21-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2624-25-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2624-24-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2624-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2624-23-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2624-22-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2624-20-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2624-29-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2624-28-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2624-30-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2412-32-0x0000000074840000-0x0000000074F2E000-memory.dmp

C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

MD5 a0c0e84db827383b99061a9c63cdca37
SHA1 09a1f270ddf56adb327587937234b748852fc550
SHA256 3f80ba175c872e265297b2b8e42fe6dd820d94f9015205805e57772f5d2df6ed
SHA512 939904f543915435cda9948f3d00ccb61d4bae9994c5f7cab04c13d35203409fbf26ca4edb92c99ecc8bb5d3e056d72e131733a0459ef7e88b6c186ef3daf7b7

memory/2700-40-0x000000006F630000-0x000000006FBDB000-memory.dmp

memory/3064-41-0x000000006F630000-0x000000006FBDB000-memory.dmp

memory/2700-42-0x0000000002960000-0x00000000029A0000-memory.dmp

memory/3064-43-0x0000000002800000-0x0000000002840000-memory.dmp

memory/2700-44-0x000000006F630000-0x000000006FBDB000-memory.dmp

memory/3064-45-0x000000006F630000-0x000000006FBDB000-memory.dmp

memory/2700-46-0x0000000002960000-0x00000000029A0000-memory.dmp

memory/3064-47-0x0000000002800000-0x0000000002840000-memory.dmp

memory/3064-48-0x0000000002800000-0x0000000002840000-memory.dmp

memory/2624-49-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2700-51-0x000000006F630000-0x000000006FBDB000-memory.dmp

memory/3064-50-0x000000006F630000-0x000000006FBDB000-memory.dmp

\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

MD5 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1 ec66cda99f44b62470c6930e5afda061579cde35
SHA256 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

C:\Users\Admin\AppData\Roaming\JBEQLG~1.EXE

MD5 a40f32931f347c2a295c3169a0d90049
SHA1 ff3cd9ab41aefdc39297041ac22a279bcb6421fb
SHA256 849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a
SHA512 f666a0be054eb649882a5ad86d3fac609df33f96ded2b7fe76975bba44b477ce2c9eed081939dc20bd6bb8d25dccbc375de8afd57a6139eefb1e2213c144181f

memory/2624-126-0x0000000000400000-0x000000000041B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-15 13:06

Reported

2024-04-15 13:08

Platform

win10v2004-20240412-en

Max time kernel

93s

Max time network

114s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A

Modifies system executable filetype association

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1188 set thread context of 4016 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~3.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~4.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13185~1.29\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~2.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1188 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1188 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1188 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1188 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1188 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1188 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1188 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Windows\SysWOW64\schtasks.exe
PID 1188 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Windows\SysWOW64\schtasks.exe
PID 1188 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Windows\SysWOW64\schtasks.exe
PID 1188 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 1188 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 1188 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 1188 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 1188 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 1188 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 1188 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 1188 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 1188 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 1188 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 1188 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe

"C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JbEQlGryO.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JbEQlGryO" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5832.tmp"

C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe

"C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 147.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 233.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 132.250.30.184.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 35.244.122.92.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\tmp5832.tmp

MD5 f3bf4a18992cab2b9e02d535c49db1c3
SHA1 34b864514fe104f29bc80608dd77540cf7563d56
SHA256 7a241fb95c3cab320048dbb5459403290b7a9d83934ffed4378f47196bf10a80
SHA512 dc3bb16f960014eb0dd86c6d24156f3b89e8e9b226d14b0a4e9f6aa68f025bd01f01871b77a1bf5a7012c363359e57e09024b2455a4eda34324c2229f19b000e

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zelh3p4r.kvc.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\3582-490\Order RFQ-HL51L05.exe

MD5 5126bc679b773544dd3f0e3acda00766
SHA1 9d249c48b5c4a49bd9332fa78537e82144a4b556
SHA256 615aac452ae57ce28563caac8f6c714d3ae288b184ea4c516df0a2187225b472
SHA512 4e0d3fe57bb40cd3f0c0e86ad5377365fb96f65787a05eca89ae92eb89bdf396344936a4879eca2928c55dfd546c99a452c5cd624ae9edc84840e7f5dc361d40

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE

MD5 54f7f2bed41d28f265fbbcc19b6b15a8
SHA1 98aeca3e0dfc62ba4953d3c971caae7c3d28483d
SHA256 b983a215d334d93b80b551b272d0a09bea595eaae340efa5bae28d2a381c25ab
SHA512 be82df7a019e05a5d2da55bda1c4ab83ed7d88f72a273f721c01f0bd0b62adb3d28f07376043145158f4c75fb7aa45ebebb6bfe5f4a534f1e4767a6f86b8a118

C:\Users\Admin\AppData\Roaming\JBEQLG~1.EXE

MD5 a40f32931f347c2a295c3169a0d90049
SHA1 ff3cd9ab41aefdc39297041ac22a279bcb6421fb
SHA256 849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a
SHA512 f666a0be054eb649882a5ad86d3fac609df33f96ded2b7fe76975bba44b477ce2c9eed081939dc20bd6bb8d25dccbc375de8afd57a6139eefb1e2213c144181f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ef9c3bab0aca30051e5b3d06bf13bcb7
SHA1 5de4c57dbaf628126713f5a544b90c97b117cb02
SHA256 38b5b23aba6484931fcdee69eac5af05219cc00aafa8efbcbd2ed33d6a524b7b
SHA512 90443744c5d6d5b9430123b17087f8c8f72c89092e0a8699adc1f1559bc74997dbfad8245fa9f27ff41d3b1fb4eac574053840a466a0c19c69bf9ba990f2088c

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
