Malware Analysis Report

2024-11-16 12:20

Sample ID 240415-qb3k8afa76
Target Order RFQ-HL51L05.exe
SHA256 849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a
Tags
neshta persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a

Threat Level: Known bad

The file Order RFQ-HL51L05.exe was found to be: Known bad.

Read together, the signatures below describe two layers. The outer layer is a 32-bit loader (its children run from SysWOW64): it starts a second copy of itself, writes into it and resets its thread context (the WriteProcessMemory and SetThreadContext rows, i.e. process hollowing), runs powershell.exe twice with Add-MpPreference -ExclusionPath to exclude both its own path and a dropped copy at C:\Users\Admin\AppData\Roaming\JbEQlGryO.exe from Microsoft Defender, and registers a scheduled task named Updates\JbEQlGryO from an XML file in %TEMP%. The inner layer is the Neshta file infector: it writes C:\Windows\svchost.com, opens dozens of existing executables under Program Files and ProgramData for modification, and sets HKLM\SOFTWARE\Classes\exefile\shell\open\command to "C:\Windows\svchost.com "%1" %*", so every .exe launched through the shell runs svchost.com first. Neither detonation recorded network traffic, so no command-and-control contact was observed within the sandbox window.

Malicious Activity Summary

neshta persistence spyware stealer

Detect Neshta payload

Neshta

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Modifies system executable filetype association

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-15 13:06

Signatures

Unsigned PE

No per-row detail recorded (Description, Indicator, Process and Target all N/A).

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-15 13:06

Reported

2024-04-15 13:08

Platform

win7-20240221-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe"

Signatures

Detect Neshta payload

6 matches; no per-row detail recorded (Description, Indicator, Process and Target all N/A).

Neshta

persistence spyware neshta

Loads dropped DLL

Process: C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe (Description, Indicator and Target: N/A)

Modifies system executable filetype association

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
Process: C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
Target: N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description: PID 1048 set thread context of 2452
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
Target: C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe

Drops file in Program Files directory

Note: despite the signature name, every row here is an existing executable under Program Files or ProgramData opened for write, which is Neshta's infection pattern (it prepends itself to host executables) rather than a newly dropped file.

Description: File opened for modification (all 64 rows)
Process: C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe (all rows)
Target: N/A (all rows)
Indicator (path opened):
C:\PROGRA~2\INTERN~1\ieinstal.exe
C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE
C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE
C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE
C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE
C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE
C:\PROGRA~2\WI54FB~1\setup_wm.exe
C:\PROGRA~2\WI54FB~1\wmprph.exe
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE
C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE
C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE
C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe
C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE
C:\PROGRA~2\WI54FB~1\wmpconfig.exe
C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE
C:\PROGRA~2\WI54FB~1\WMPDMC.exe
C:\PROGRA~2\WINDOW~4\ImagingDevices.exe
C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE
C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE
C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE
C:\PROGRA~2\MICROS~1\Office14\OIS.EXE
C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE
C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE
C:\PROGRA~2\WINDOW~1\wab.exe
C:\PROGRA~2\WINDOW~1\wabmig.exe
C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE
C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE
C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE
C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe
C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE
C:\PROGRA~2\INTERN~1\iexplore.exe
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE
C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE
C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe
C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE
C:\PROGRA~2\WI4223~1\sidebar.exe
C:\PROGRA~2\WI54FB~1\wmplayer.exe
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE
C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE
C:\PROGRA~2\MICROS~1\Office14\misc.exe
C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE
C:\PROGRA~2\WI54FB~1\wmlaunch.exe

Drops file in Windows directory

Description: File opened for modification
Indicator: C:\Windows\svchost.com
Process: C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
Target: N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Process: C:\Windows\SysWOW64\schtasks.exe (Description, Indicator and Target: N/A)

Modifies registry class

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
Process: C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
Target: N/A

Suspicious behavior: EnumeratesProcesses

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (2 rows; Description, Indicator and Target: N/A)

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (2 rows; Indicator and Target: N/A)

Suspicious use of WriteProcessMemory

Description: PID 1048 wrote to memory of <target PID> (Indicator: N/A)
Process: C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe (all rows)
Target (rows as listed in the report):
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3052): 4 rows
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2576): 4 rows
C:\Windows\SysWOW64\schtasks.exe (PID 2692): 4 rows
C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe (PID 2452): 12 rows

Processes

Each entry gives the image actually loaded, then the command line as the parent issued it. The two differ for the children below because a 32-bit parent that asks for C:\Windows\System32\...\powershell.exe or schtasks.exe is redirected by WOW64 to the C:\Windows\SysWOW64 copy.

C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe

"C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JbEQlGryO.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JbEQlGryO" /XML "C:\Users\Admin\AppData\Local\Temp\tmp474D.tmp"

C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe

"C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe"
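The SetThreadContext, WriteProcessMemory and Processes sections above carry the three loader behaviours a detection rule would key on: a parent that both writes into a child and replaces its thread context (process hollowing, here into a fresh copy of its own image), powershell.exe adding Defender exclusions, and schtasks.exe registering a task from an XML file in a user-writable directory. The Python below is an added example, not part of the sandbox or the report, that runs those three checks over the rows as this report prints them. The event and command-line inputs are constructed from the behavioral1 rows (the row counts match the report); the regexes and function names are this example's own, and the mapping of which child PID ran which command line is deliberately not assumed because the report does not state it.

```python
import re
from collections import Counter

# Image paths exactly as they appear in the behavioral1 rows above.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe"
POWERSHELL = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"

# Constructed input: the behavioral1 SetThreadContext and WriteProcessMemory rows,
# repeated as many times as the report lists them (1 + 4 + 4 + 4 + 12 = 25 rows).
EVENTS = (
    [f"PID 1048 set thread context of 2452 N/A {SAMPLE} {SAMPLE}"]
    + [f"PID 1048 wrote to memory of 3052 N/A {SAMPLE} {POWERSHELL}"] * 4
    + [f"PID 1048 wrote to memory of 2576 N/A {SAMPLE} {POWERSHELL}"] * 4
    + [f"PID 1048 wrote to memory of 2692 N/A {SAMPLE} {SCHTASKS}"] * 4
    + [f"PID 1048 wrote to memory of 2452 N/A {SAMPLE} {SAMPLE}"] * 12
)

# Constructed input: the command lines from the Processes list above.
COMMAND_LINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe"',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe"',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JbEQlGryO.exe"',
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JbEQlGryO" /XML "C:\Users\Admin\AppData\Local\Temp\tmp474D.tmp"',
]

# "PID <a> <op> <b> N/A <process image> <target image>"; both images may contain
# spaces, so the split is made at the whitespace that precedes a drive letter.
EVENT_RE = re.compile(
    r"PID\s+(?P<src>\d+)\s+(?P<op>wrote to memory of|set thread context of)\s+(?P<dst>\d+)"
    r"\s+N/A\s+(?P<src_image>[A-Za-z]:\\.*?)\s+(?P<dst_image>[A-Za-z]:\\.*)$"
)
EXCLUSION_RE = re.compile(
    r'Add-MpPreference\s+-Exclusion(?P<kind>Path|Process|Extension|IpAddress)\s+"?(?P<value>[^"]+)"?',
    re.IGNORECASE,
)
TASK_RE = re.compile(
    r'schtasks(?:\.exe)?"?\s+/Create\b.*?/TN\s+"?(?P<name>[^"\s]+)"?.*?/XML\s+"?(?P<xml>[^"]+)"?',
    re.IGNORECASE,
)
USER_WRITABLE_RE = re.compile(r"\\AppData\\|\\Users\\Public\\|\\ProgramData\\|\\Temp\\", re.IGNORECASE)


def parse_events(lines):
    """Turn the report's cross-process rows into dicts; rows that do not match are skipped."""
    parsed = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["src"], e["dst"] = int(e["src"]), int(e["dst"])
            parsed.append(e)
    return parsed


def find_hollowing(events):
    """A parent that both writes into a child and resets its thread context is the
    classic hollowing sequence. self_image marks the variant seen in this report,
    where the child is a fresh copy of the parent's own executable."""
    writes, images, ctx = Counter(), {}, set()
    for e in events:
        pair = (e["src"], e["dst"])
        images[pair] = (e["src_image"], e["dst_image"])
        if e["op"].startswith("wrote"):
            writes[pair] += 1
        else:
            ctx.add(pair)
    findings = []
    for pair in sorted(ctx):
        if writes[pair]:
            src_image, dst_image = images[pair]
            findings.append({
                "parent": pair[0], "child": pair[1], "image": dst_image,
                "writes": writes[pair], "self_image": src_image.lower() == dst_image.lower(),
            })
    return findings


def find_defender_exclusions(cmdlines):
    """Every Add-MpPreference -Exclusion* in the command lines, as (kind, value)."""
    return [(m["kind"], m["value"].strip())
            for c in cmdlines for m in EXCLUSION_RE.finditer(c)]


def find_tasks_from_user_writable(cmdlines):
    """schtasks /Create registrations whose task XML sits in a user-writable directory."""
    hits = []
    for c in cmdlines:
        m = TASK_RE.search(c)
        if m and USER_WRITABLE_RE.search(m["xml"]):
            hits.append((m["name"], m["xml"]))
    return hits


if __name__ == "__main__":
    for f in find_hollowing(parse_events(EVENTS)):
        print("hollowing:", f)
    for kind, value in find_defender_exclusions(COMMAND_LINES):
        print(f"defender exclusion ({kind}):", value)
    for name, xml in find_tasks_from_user_writable(COMMAND_LINES):
        print("scheduled task from user-writable XML:", name, "<-", xml)
```

The hollowing check deliberately requires both a memory write and a context reset on the same parent/child pair: a parent writing to a child it just created is routine (the loader also writes to powershell.exe and schtasks.exe here, which is how it passes them their command lines), and only the combination with SetThreadContext separates injection from normal process creation. On a real EDR feed the same logic applies to Sysmon-style CreateRemoteThread/process-access events and to PowerShell script-block or command-line logs.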

Network

N/A

Files

memory/1048-0-0x0000000000CE0000-0x0000000000DAC000-memory.dmp

memory/1048-1-0x0000000073F50000-0x000000007463E000-memory.dmp

memory/1048-2-0x0000000004980000-0x00000000049C0000-memory.dmp

memory/1048-3-0x0000000000500000-0x0000000000512000-memory.dmp

memory/1048-4-0x00000000006C0000-0x00000000006C8000-memory.dmp

memory/1048-5-0x00000000006D0000-0x00000000006DC000-memory.dmp

memory/1048-6-0x0000000005400000-0x000000000548C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp474D.tmp

MD5 c67fcdb99414743a2ca75390d77e1b41
SHA1 65ff995423ae339caf019b4fc76096b3792c33af
SHA256 caac795d42a3b0aa70068ae616398caf3843335b32be546765ffd00002e43d19
SHA512 a47862e7f26f1978bd880e2617b5f65c2ce30855dee96c2298acbe0c68065f29a89437f7eb52c9ed7447370232ddb4c4fdfedeebfc634d067c041b2e6830317a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\N1PRIGK1RTT9D32F1W8Y.temp

MD5 10e7a9e7ca18955d9587249041722fff
SHA1 5b66908bbf8b759415aa3767a94b649a6a3c2812
SHA256 0f3f7d7dca0b8852272f8d73a39e83ee791de5382cd34c9d0f93120c0deb7659
SHA512 0b6a65891ab0e05595bbcde3eed9bebaf31af6b2c47127b1819f7070c87c47ff1006827fc0fd2a9a56443a100704bafd30592b9ea5c0bea1708b9f6d95d0e45a

memory/2452-19-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2452-21-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2452-23-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2452-25-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2452-27-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2452-29-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2452-31-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2452-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2452-35-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2452-36-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2452-37-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1048-39-0x0000000073F50000-0x000000007463E000-memory.dmp

memory/3052-46-0x000000006DC00000-0x000000006E1AB000-memory.dmp

C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

MD5 a0c0e84db827383b99061a9c63cdca37
SHA1 09a1f270ddf56adb327587937234b748852fc550
SHA256 3f80ba175c872e265297b2b8e42fe6dd820d94f9015205805e57772f5d2df6ed
SHA512 939904f543915435cda9948f3d00ccb61d4bae9994c5f7cab04c13d35203409fbf26ca4edb92c99ecc8bb5d3e056d72e131733a0459ef7e88b6c186ef3daf7b7

memory/2576-49-0x0000000002CC0000-0x0000000002D00000-memory.dmp

memory/2576-48-0x000000006DC00000-0x000000006E1AB000-memory.dmp

memory/3052-50-0x0000000002D00000-0x0000000002D40000-memory.dmp

memory/2576-51-0x000000006DC00000-0x000000006E1AB000-memory.dmp

memory/3052-52-0x000000006DC00000-0x000000006E1AB000-memory.dmp

memory/2576-53-0x0000000002CC0000-0x0000000002D00000-memory.dmp

memory/3052-54-0x0000000002D00000-0x0000000002D40000-memory.dmp

memory/2576-55-0x0000000002CC0000-0x0000000002D00000-memory.dmp

memory/3052-57-0x0000000002D00000-0x0000000002D40000-memory.dmp

memory/2452-56-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2576-59-0x000000006DC00000-0x000000006E1AB000-memory.dmp

memory/3052-58-0x000000006DC00000-0x000000006E1AB000-memory.dmp

\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

MD5 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1 ec66cda99f44b62470c6930e5afda061579cde35
SHA256 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

C:\Users\Admin\AppData\Roaming\JBEQLG~1.EXE (the JbEQlGryO.exe path added to the Defender exclusions above; its SHA256 is identical to the submitted sample's, so this is a byte-for-byte self-copy)

MD5 a40f32931f347c2a295c3169a0d90049
SHA1 ff3cd9ab41aefdc39297041ac22a279bcb6421fb
SHA256 849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a
SHA512 f666a0be054eb649882a5ad86d3fac609df33f96ded2b7fe76975bba44b477ce2c9eed081939dc20bd6bb8d25dccbc375de8afd57a6139eefb1e2213c144181f

memory/2452-134-0x0000000000400000-0x000000000041B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-15 13:06

Reported

2024-04-15 13:08

Platform

win10v2004-20240412-en

Max time kernel

94s

Max time network

114s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe"

Signatures

Detect Neshta payload

6 matches; no per-row detail recorded (Description, Indicator, Process and Target all N/A).

Neshta

persistence spyware neshta

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
Target: N/A
(2 rows)

Modifies system executable filetype association

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
Process: C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
Target: N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description: PID 1328 set thread context of 1228
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
Target: C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe

Drops file in Program Files directory

Note: as in behavioral1, these rows are existing executables opened for write (Neshta infection targets), not newly dropped files; on this Windows 10 image the targets include Edge, Java and Acrobat binaries.

Description: File opened for modification (all 64 rows)
Process: C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe (all rows)
Target: N/A (all rows)
Indicator (path opened):
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE
C:\PROGRA~2\WINDOW~4\setup_wm.exe
C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE
C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe
C:\PROGRA~2\INTERN~1\ielowutil.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE
C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe
C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MI9C33~1.EXE
C:\PROGRA~2\WINDOW~4\wmpconfig.exe
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE
C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~3.EXE
C:\PROGRA~2\WINDOW~4\wmplayer.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
C:\PROGRA~2\WINDOW~4\wmprph.exe
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~4.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MI391D~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13185~1.29\MICROS~1.EXE
C:\PROGRA~2\WI8A19~1\ImagingDevices.exe
C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE
C:\PROGRA~2\Google\Update\DISABL~1.EXE
C:\PROGRA~2\INTERN~1\ieinstal.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE
C:\PROGRA~2\WINDOW~4\wmlaunch.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe
C:\PROGRA~2\WINDOW~2\wab.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE
C:\PROGRA~2\WINDOW~2\wabmig.exe
C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE
C:\PROGRA~2\INTERN~1\iexplore.exe
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~2.EXE
C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe

Drops file in Windows directory

Description: File opened for modification
Indicator: C:\Windows\svchost.com
Process: C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
Target: N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Process: C:\Windows\SysWOW64\schtasks.exe (Description, Indicator and Target: N/A)

Modifies registry class

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
Process: C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege (Indicator and Target: N/A)
Process:
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (2 rows)
C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe (1 row)

Suspicious use of WriteProcessMemory

Description: PID 1328 wrote to memory of <target PID> (Indicator: N/A)
Process: C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe (all rows)
Target (rows as listed in the report):
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4528): 3 rows
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4856): 3 rows
C:\Windows\SysWOW64\schtasks.exe (PID 2896): 3 rows
C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe (PID 3624): 3 rows
C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe (PID 2300): 3 rows
C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe (PID 1228): 1 row
PID 1328 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 1328 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 1328 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 1328 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 1328 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 1328 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 1328 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 1328 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 1328 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 1328 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe

"C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JbEQlGryO.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JbEQlGryO" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7EE4.tmp"

C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe

"C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe"

C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe

"C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe"

C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe

"C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 147.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 233.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 132.250.30.184.in-addr.arpa udp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 35.244.122.92.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 10.244.122.92.in-addr.arpa udp

Files

memory/1328-1-0x0000000074E20000-0x00000000755D0000-memory.dmp

memory/1328-0-0x00000000008E0000-0x00000000009AC000-memory.dmp

memory/1328-2-0x00000000058A0000-0x0000000005E44000-memory.dmp

memory/1328-3-0x0000000005390000-0x0000000005422000-memory.dmp

memory/1328-4-0x0000000005330000-0x0000000005340000-memory.dmp

memory/1328-5-0x0000000005370000-0x000000000537A000-memory.dmp

memory/1328-6-0x0000000005890000-0x00000000058A2000-memory.dmp

memory/1328-7-0x0000000006750000-0x0000000006758000-memory.dmp

memory/1328-8-0x0000000006760000-0x000000000676C000-memory.dmp

memory/1328-9-0x0000000006790000-0x000000000681C000-memory.dmp

memory/1328-10-0x000000000A2F0000-0x000000000A38C000-memory.dmp

memory/4528-15-0x0000000002B10000-0x0000000002B46000-memory.dmp

memory/4528-16-0x0000000074E20000-0x00000000755D0000-memory.dmp

memory/4856-18-0x00000000021B0000-0x00000000021C0000-memory.dmp

memory/4528-17-0x0000000005100000-0x0000000005110000-memory.dmp

memory/4856-20-0x00000000021B0000-0x00000000021C0000-memory.dmp

memory/4528-19-0x0000000005740000-0x0000000005D68000-memory.dmp

memory/4528-21-0x0000000005100000-0x0000000005110000-memory.dmp

memory/4856-22-0x0000000074E20000-0x00000000755D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7EE4.tmp

MD5 0f872ec31b036d1414a02404084425e3
SHA1 5285102e5df13826d3d8d370c0e78ceed4063993
SHA256 d28b8f467fb282abcc021335144d9f5a46163282226ca83f76feb2b25da54d6f
SHA512 1852c4c4705059f16c5a9f94d8b332ce7780f6d4ffa6e35fc7af914019a95a42cea95a91bc4c03c52b58601f1123cc6eda47670f598cd9388848df1c633faa4d

memory/4856-25-0x0000000005300000-0x0000000005366000-memory.dmp

memory/4528-24-0x0000000005540000-0x0000000005562000-memory.dmp

memory/4856-26-0x0000000005560000-0x00000000055C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_twwfi3ei.xmc.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1228-45-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1228-46-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1228-49-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4856-47-0x0000000005720000-0x0000000005A74000-memory.dmp

memory/1328-52-0x0000000074E20000-0x00000000755D0000-memory.dmp

memory/1228-51-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3582-490\Order RFQ-HL51L05.exe

MD5 5126bc679b773544dd3f0e3acda00766
SHA1 9d249c48b5c4a49bd9332fa78537e82144a4b556
SHA256 615aac452ae57ce28563caac8f6c714d3ae288b184ea4c516df0a2187225b472
SHA512 4e0d3fe57bb40cd3f0c0e86ad5377365fb96f65787a05eca89ae92eb89bdf396344936a4879eca2928c55dfd546c99a452c5cd624ae9edc84840e7f5dc361d40

memory/4528-59-0x0000000006440000-0x000000000645E000-memory.dmp

memory/4856-63-0x0000000005BE0000-0x0000000005C2C000-memory.dmp

memory/4856-64-0x000000007F020000-0x000000007F030000-memory.dmp

memory/4856-65-0x0000000006B60000-0x0000000006B92000-memory.dmp

memory/4528-78-0x00000000069E0000-0x00000000069FE000-memory.dmp

memory/4528-68-0x000000007F170000-0x000000007F180000-memory.dmp

memory/4528-79-0x0000000005100000-0x0000000005110000-memory.dmp

memory/4856-91-0x00000000021B0000-0x00000000021C0000-memory.dmp

memory/4856-90-0x0000000006DA0000-0x0000000006E43000-memory.dmp

memory/4856-89-0x00000000021B0000-0x00000000021C0000-memory.dmp

memory/4856-67-0x0000000070FA0000-0x0000000070FEC000-memory.dmp

memory/4528-66-0x0000000070FA0000-0x0000000070FEC000-memory.dmp

memory/4856-92-0x0000000007520000-0x0000000007B9A000-memory.dmp

memory/4856-93-0x0000000006EE0000-0x0000000006EFA000-memory.dmp

memory/4528-95-0x00000000077E0000-0x00000000077EA000-memory.dmp

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE

MD5 54f7f2bed41d28f265fbbcc19b6b15a8
SHA1 98aeca3e0dfc62ba4953d3c971caae7c3d28483d
SHA256 b983a215d334d93b80b551b272d0a09bea595eaae340efa5bae28d2a381c25ab
SHA512 be82df7a019e05a5d2da55bda1c4ab83ed7d88f72a273f721c01f0bd0b62adb3d28f07376043145158f4c75fb7aa45ebebb6bfe5f4a534f1e4767a6f86b8a118

memory/4856-109-0x0000000007160000-0x00000000071F6000-memory.dmp

memory/4856-110-0x00000000070E0000-0x00000000070F1000-memory.dmp

memory/4528-124-0x00000000079A0000-0x00000000079AE000-memory.dmp

memory/4856-133-0x0000000007120000-0x0000000007134000-memory.dmp

memory/4528-142-0x0000000007AB0000-0x0000000007ACA000-memory.dmp

memory/4528-155-0x0000000007A90000-0x0000000007A98000-memory.dmp

memory/4856-179-0x0000000074E20000-0x00000000755D0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2c3beff7e2bcfbe8cc4441d0ec44235b
SHA1 b68a2188c93115f11f4439a0ad9cb7b90557d2f5
SHA256 06380b7128cd1486293054168caf3fd3153f76d1fa693d51ff9b1f7788f99253
SHA512 15334fa065a36c8ca075754d98a2022b6ffc0dc749e7aeb7bd3070dbad5414a03017b5c14fc17d7eeb14771d95b4f324366a27c31f08815bdeecbd66a6d7ee1d

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/4528-183-0x0000000074E20000-0x00000000755D0000-memory.dmp

C:\Users\Admin\AppData\Roaming\JBEQLG~1.EXE

MD5 a40f32931f347c2a295c3169a0d90049
SHA1 ff3cd9ab41aefdc39297041ac22a279bcb6421fb
SHA256 849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a
SHA512 f666a0be054eb649882a5ad86d3fac609df33f96ded2b7fe76975bba44b477ce2c9eed081939dc20bd6bb8d25dccbc375de8afd57a6139eefb1e2213c144181f

memory/1228-196-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1228-198-0x0000000000400000-0x000000000041B000-memory.dmp