Malware Analysis Report

2024-11-16 12:20

Sample ID 240415-qbngasfa66
Target Order RFQ-HL51L05.exe
SHA256 849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a
Tags
neshta persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a

Threat Level: Known bad

The file Order RFQ-HL51L05.exe was found to be: Known bad.

Malicious Activity Summary

neshta persistence spyware stealer

Detect Neshta payload

Neshta

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

Modifies system executable filetype association

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-15 13:05

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-15 13:05

Reported

2024-04-15 13:08

Platform

win7-20240221-en

Max time kernel

120s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe"

Signatures

Detect Neshta payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Neshta

persistence spyware neshta

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A

Modifies system executable filetype association

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 856 set thread context of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\WI54FB~1\wmplayer.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\WI4223~1\sidebar.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\OIS.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\INTERN~1\ieinstal.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\WI54FB~1\wmpshare.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\MOZILL~1\UNINST~1.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~1\WinMail.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\misc.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~1\wab.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~1\wabmig.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\WI54FB~1\wmpconfig.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\WI54FB~1\setup_wm.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 856 wrote to memory of 2984 | N/A | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 856 wrote to memory of 2984 | N/A | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 856 wrote to memory of 2984 | N/A | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 856 wrote to memory of 2984 | N/A | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 856 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 856 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 856 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 856 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 856 wrote to memory of 2764 | N/A | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | C:\Windows\SysWOW64\schtasks.exe
PID 856 wrote to memory of 2764 | N/A | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | C:\Windows\SysWOW64\schtasks.exe
PID 856 wrote to memory of 2764 | N/A | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | C:\Windows\SysWOW64\schtasks.exe
PID 856 wrote to memory of 2764 | N/A | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | C:\Windows\SysWOW64\schtasks.exe
PID 856 wrote to memory of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 856 wrote to memory of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 856 wrote to memory of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 856 wrote to memory of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 856 wrote to memory of 2596 | N/A | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 856 wrote to memory of 2596 | N/A | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 856 wrote to memory of 2596 | N/A | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 856 wrote to memory of 2596 | N/A | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 856 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 856 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 856 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 856 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 856 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 856 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 856 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 856 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 856 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 856 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 856 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 856 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe

"C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JbEQlGryO.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JbEQlGryO" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBEFB.tmp"

C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe

"C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe"

C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe

"C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe"

C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe

"C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\tmpBEFB.tmp

MD5 44544ea903fa0c0bc5c2f5833791f7d2
SHA1 c0dc9a5b275a109f15b971cc1aa09ad7484a0122
SHA256 a295f868fe444e19baacf949b792d142d19214c5c1df5aa17390ee379aa3ae78
SHA512 39667d90ecab1627d8b6f3f2d874a3188a704203f1f12ce45f0281ae691bccfa9d51c27c8108435b109739b87f2db711f004e2564391ede1c52d8382d804a5cf

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 131d825a3484e335ce1231b002a4d098
SHA1 977d390ae064975c3a1dc06dbbef347a0fc3d4d2
SHA256 5d8469e0917345542db318da9f568cdf95cf8664aa21838fae0c244145c2b013
SHA512 0223b943817f534d847a55e438064f5f682a6d664ed6d9dd66826d377e279145916c30db958d31970c01a2bc6e941911c662e5c185f3e3f196cb5e1311b4efa1

C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

MD5 a0c0e84db827383b99061a9c63cdca37
SHA1 09a1f270ddf56adb327587937234b748852fc550
SHA256 3f80ba175c872e265297b2b8e42fe6dd820d94f9015205805e57772f5d2df6ed
SHA512 939904f543915435cda9948f3d00ccb61d4bae9994c5f7cab04c13d35203409fbf26ca4edb92c99ecc8bb5d3e056d72e131733a0459ef7e88b6c186ef3daf7b7

\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

MD5 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1 ec66cda99f44b62470c6930e5afda061579cde35
SHA256 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

C:\Users\Admin\AppData\Roaming\JBEQLG~1.EXE

MD5 a40f32931f347c2a295c3169a0d90049
SHA1 ff3cd9ab41aefdc39297041ac22a279bcb6421fb
SHA256 849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a
SHA512 f666a0be054eb649882a5ad86d3fac609df33f96ded2b7fe76975bba44b477ce2c9eed081939dc20bd6bb8d25dccbc375de8afd57a6139eefb1e2213c144181f

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-15 13:05

Reported

2024-04-15 13:08

Platform

win10v2004-20240226-en

Max time kernel

145s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe"

Signatures

Detect Neshta payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Neshta

persistence spyware neshta

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A

Modifies system executable filetype association

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2412 set thread context of 4384 | N/A | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\PROGRA~2\WINDOW~4\setup_wm.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\cookie_exporter.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\msedge_proxy.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{17316~1\WINDOW~1.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\msedgewebview2.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MI9C33~1.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~4\wmplayer.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MICROS~1.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MI391D~1.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\WI8A19~1\ImagingDevices.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\INSTAL~1\setup.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\msedge.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\identity_helper.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\msedge_pwa_launcher.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~2\wab.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~4\wmpshare.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\INTERN~1\ExtExport.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\elevation_service.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~4\wmpconfig.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\MOZILL~1\UNINST~1.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~4\wmprph.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\pwahelper.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\BHO\ie_to_edge_stub.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MICROS~2.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\INTERN~1\ieinstal.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~4\wmlaunch.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE | C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe | N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2412 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Windows\SysWOW64\schtasks.exe
PID 2412 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Windows\SysWOW64\schtasks.exe
PID 2412 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Windows\SysWOW64\schtasks.exe
PID 2412 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 2412 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 2412 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 2412 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 2412 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 2412 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 2412 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 2412 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 2412 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 2412 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe
PID 2412 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe

"C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JbEQlGryO.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JbEQlGryO" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4AB0.tmp"

C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe

"C:\Users\Admin\AppData\Local\Temp\Order RFQ-HL51L05.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3696 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 51.244.122.92.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 239.249.30.184.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 203.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 35.244.122.92.in-addr.arpa udp
US 8.8.8.8:53 136.71.105.51.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\tmp4AB0.tmp

MD5 4d35767f067eb25ea47abff7ac599974
SHA1 dd2a4ce6a09ef38b340c6fb8e6d531cdd5b5fc36
SHA256 322cde304a41e10d240aadf30e5e6291f75ee74e644e664b8060b563d0223d35
SHA512 6e429a844384362cb0834e9570da13047d661d26a356ecfdcd1f9c8f2fe6fee31d015af6c07f35b69405d5ae4622f9fa7941a085ca530f8cab31b4e541d77f06

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_teuhpdok.y5g.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\3582-490\Order RFQ-HL51L05.exe

MD5 5126bc679b773544dd3f0e3acda00766
SHA1 9d249c48b5c4a49bd9332fa78537e82144a4b556
SHA256 615aac452ae57ce28563caac8f6c714d3ae288b184ea4c516df0a2187225b472
SHA512 4e0d3fe57bb40cd3f0c0e86ad5377365fb96f65787a05eca89ae92eb89bdf396344936a4879eca2928c55dfd546c99a452c5cd624ae9edc84840e7f5dc361d40

C:\odt\OFFICE~1.EXE

MD5 61c8b0aa6ef76e89ab144a3acb2abfdb
SHA1 1767e6211435daf95cf0cfa0d59b546bc706016c
SHA256 c3ca8c9221118f3e62d7f17f2921180c031131ebbb4f041abc9d4f369206a338
SHA512 7bdf31eedbe570db239c71c4c80597213d6d76eb47c0d8f7fe35dc20fa75a2b93765c4f303d3fe0435628cd9d18899885d24b833623ff4ad3024b0be54b00d28

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cf254bfcc2c2af06ba661a5ddf908eee
SHA1 510dc4a12ff40b83bde045ec3be7431e4f9c8bb4
SHA256 c5439e6d9028a8f85dfc87883a78a1370d404769ea3c4677f639db572b4fad15
SHA512 8739a1253f96c907b2243a855431a8c6602f0a911b69c12807fd4965817cda8b9a980e6adc025a05fcdb192a54fc16029fe8fbcd9f51a3bbe94e886dbb4bbb0e

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Roaming\JBEQLG~1.EXE

MD5 a40f32931f347c2a295c3169a0d90049
SHA1 ff3cd9ab41aefdc39297041ac22a279bcb6421fb
SHA256 849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a
SHA512 f666a0be054eb649882a5ad86d3fac609df33f96ded2b7fe76975bba44b477ce2c9eed081939dc20bd6bb8d25dccbc375de8afd57a6139eefb1e2213c144181f