Malware Analysis Report

2024-11-16 12:20

Sample ID 240416-bnp4bsfe3t
Target 849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe
SHA256 849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a
Tags
neshta persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a

Threat Level: Known bad

The file 849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe was found to be: Known bad.

Malicious Activity Summary

neshta persistence spyware stealer

Detect Neshta payload

Neshta

Detects executables packed with SmartAssembly

Modifies system executable filetype association

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-16 01:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-16 01:17

Reported

2024-04-16 01:20

Platform

win10v2004-20240412-en

Max time kernel

107s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Detects executables packed with SmartAssembly

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13185~1.29\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~3.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~4.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~2.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MI9C33~1.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3300 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3300 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3300 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe C:\Windows\SysWOW64\schtasks.exe
PID 3300 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe
PID 3300 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe
PID 3300 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe

Processes

C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe

"C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JbEQlGryO.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JbEQlGryO" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFC23.tmp"

C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe

"C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe"

C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe

"C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe"

C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe

"C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe"

Network

Files

C:\Users\Admin\AppData\Local\Temp\tmpFC23.tmp

MD5 e4572bc5ff29b534c33096bc0b59d2d8
SHA1 2a8e2d6159c9b901883d1155f0daff9388a45291
SHA256 dc93b65345c4a3ce81f7038655950e60275dd185cd0fcc369897cca55bbafca9
SHA512 b60bf9fb16eef2598094b7f372dcb6e96df272897e9412b5dc4a803eac7e3415ccc84345ca616322b8f0874c2cf936cfdcc52966ace79c8f83bd9b550cd7d0b8

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5j3der0c.txw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\3582-490\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe

MD5 5126bc679b773544dd3f0e3acda00766
SHA1 9d249c48b5c4a49bd9332fa78537e82144a4b556
SHA256 615aac452ae57ce28563caac8f6c714d3ae288b184ea4c516df0a2187225b472
SHA512 4e0d3fe57bb40cd3f0c0e86ad5377365fb96f65787a05eca89ae92eb89bdf396344936a4879eca2928c55dfd546c99a452c5cd624ae9edc84840e7f5dc361d40

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE

MD5 54f7f2bed41d28f265fbbcc19b6b15a8
SHA1 98aeca3e0dfc62ba4953d3c971caae7c3d28483d
SHA256 b983a215d334d93b80b551b272d0a09bea595eaae340efa5bae28d2a381c25ab
SHA512 be82df7a019e05a5d2da55bda1c4ab83ed7d88f72a273f721c01f0bd0b62adb3d28f07376043145158f4c75fb7aa45ebebb6bfe5f4a534f1e4767a6f86b8a118

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 543fa0ef50380028d9e3153e05e307c6
SHA1 9921c07032c6a1b311d652290dc33b0bb312b361
SHA256 b2dd50f031a03399d217a08959883b8131e7a4a76b796430a2b4159810e3f469
SHA512 c93393433822794fbd744f77214b8ee5b01c6d9dc0ba89e2098dcbeed463c6dd3c93dcac189167f227245b96c6b5215fe40a218cddfc27e44f14d91439340bbe

C:\Users\Admin\AppData\Roaming\JBEQLG~1.EXE

MD5 a40f32931f347c2a295c3169a0d90049
SHA1 ff3cd9ab41aefdc39297041ac22a279bcb6421fb
SHA256 849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a
SHA512 f666a0be054eb649882a5ad86d3fac609df33f96ded2b7fe76975bba44b477ce2c9eed081939dc20bd6bb8d25dccbc375de8afd57a6139eefb1e2213c144181f

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-16 01:17

Reported

2024-04-16 01:20

Platform

win7-20240221-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Detects executables packed with SmartAssembly

Description Indicator Process Target
N/A N/A N/A N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\WinMail.exe C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wabmig.exe C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\OIS.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\WMPDMC.exe C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1728 wrote to memory of 2568 (4 identical entries) N/A C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1728 wrote to memory of 2540 (4 identical entries) N/A C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1728 wrote to memory of 2392 (4 identical entries) N/A C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe C:\Windows\SysWOW64\schtasks.exe
PID 1728 wrote to memory of 2384 (12 identical entries) N/A C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe

Processes

C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe

"C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JbEQlGryO.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JbEQlGryO" /XML "C:\Users\Admin\AppData\Local\Temp\tmp50A0.tmp"

C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe

"C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\tmp50A0.tmp

MD5 2cd2bddd908d9015f7b416cf42a882ce
SHA1 4c96755cd92c97f7ec1a198e5d7ab1155dd846a3
SHA256 7cedcf97948dab71755edb94e171763cbd41310a55750dc8d687f78a006a7818
SHA512 183f01bbc45e4cb98f6fd265ed3887cd2c11d1085dda0a9cc4fa88bba885d5a691cb18e5dd97e12ab7006bdb977f21fb4b99f00c6bef189c91ab02a604367221

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 3b59deb0ac228efad8f26efb5fbdf8e3
SHA1 aa2e63153e8bbca145187d7988db8b2ac5c5122f
SHA256 bb32e23b4592c3182c748c662d6140b5c1cb304d1986b1b2df960e7f0438c084
SHA512 a0f371c8be78d6147ec150aff07747cb81fa2f9030f6a7d8639294067764453d93e2752732918d742d9cc0c4fdf61ca741c5bc376bd4442ed2b02a73cce46c2b

C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

MD5 a0c0e84db827383b99061a9c63cdca37
SHA1 09a1f270ddf56adb327587937234b748852fc550
SHA256 3f80ba175c872e265297b2b8e42fe6dd820d94f9015205805e57772f5d2df6ed
SHA512 939904f543915435cda9948f3d00ccb61d4bae9994c5f7cab04c13d35203409fbf26ca4edb92c99ecc8bb5d3e056d72e131733a0459ef7e88b6c186ef3daf7b7

\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

MD5 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1 ec66cda99f44b62470c6930e5afda061579cde35
SHA256 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

C:\Users\Admin\AppData\Roaming\JBEQLG~1.EXE

MD5 a40f32931f347c2a295c3169a0d90049
SHA1 ff3cd9ab41aefdc39297041ac22a279bcb6421fb
SHA256 849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a
SHA512 f666a0be054eb649882a5ad86d3fac609df33f96ded2b7fe76975bba44b477ce2c9eed081939dc20bd6bb8d25dccbc375de8afd57a6139eefb1e2213c144181f
