Malware Analysis Report

2024-11-16 12:20

Sample ID 240416-bshj2sff41
Target aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe
SHA256 aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109
Tags
neshta persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109

Threat Level: Known bad

The file aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe was found to be: Known bad.

Malicious Activity Summary

neshta persistence spyware stealer

Detect Neshta payload

Neshta

Detects executables packed with SmartAssembly

Loads dropped DLL

Modifies system executable filetype association

Checks computer location settings

Reads user/profile data of web browsers

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-16 01:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-16 01:24

Reported

2024-04-16 01:26

Platform

win7-20240221-en

Max time kernel

120s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Detects executables packed with SmartAssembly

Description Indicator Process Target
N/A N/A N/A N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\misc.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\WinMail.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\WMPDMC.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2216 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2216 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2216 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2216 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2216 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2216 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2216 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2216 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2216 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe C:\Windows\SysWOW64\schtasks.exe
PID 2216 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe C:\Windows\SysWOW64\schtasks.exe
PID 2216 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe C:\Windows\SysWOW64\schtasks.exe
PID 2216 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe C:\Windows\SysWOW64\schtasks.exe
PID 2216 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe
PID 2216 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe
PID 2216 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe
PID 2216 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe
PID 2216 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe
PID 2216 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe
PID 2216 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe
PID 2216 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe
PID 2216 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe
PID 2216 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe
PID 2216 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe
PID 2216 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe
PID 2216 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe
PID 2216 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe
PID 2216 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe
PID 2216 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe

Processes

C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe

"C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\iZwbTl.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iZwbTl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6D44.tmp"

C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe

"C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe"

C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe

"C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\tmp6D44.tmp

MD5 4e3f3cb57e06c3061a5840666f7c0404
SHA1 59f1e3efb6f0f9a7db6368bffc086b038f7e968e
SHA256 6e22d3d42df6f27aa5d5b87b813db0615ba5c6eac4beb67c5b147cbe064e25a7
SHA512 6f5273af29c0d58bab9a8ec29508086f2fd8362dd710c4aa10c2ee8ed3cade609fe3ae08f5526bc7fe7d32d918b66ebebf985c47c2ec14e4f0ff3e94bbec4346

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\D4VGQAGRLA657Q7ROXGP.temp

MD5 343ba2159f6ff824eefaebf82bd69f67
SHA1 3fe1cce656e1308258f4780885fbf31eea2514fa
SHA256 36ecc50e077d570c0bd5ce5eba25d549d6ce1ac5aab35ceb508df81cd57772cc
SHA512 1056ad97f0d9b603adafed305bab7d7ae735458c5ef5a285c5b6c2db5d2870dd1bff9b26b2fb0bcddac10934bb36f8f0cfe38c897c6fc1affa0226bd802df994

C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

MD5 85bffd716be6e64702dc8e2693af927a
SHA1 d58f548346ab9fa505123436417ca1641afd35e0
SHA256 2059609260ddce07580c17c044132f2c5c575b1db6afb39be627ace39c4f0623
SHA512 d0f4cdf19dbcad6b6259994eeac6dcb2a56360cd807fcad61e73aa1eb3724ade0fe3b10e63724387fe816c8751ba2ca66e69deef64eaecfd9d3594214e0a8761

\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

MD5 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1 ec66cda99f44b62470c6930e5afda061579cde35
SHA256 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

C:\Users\Admin\AppData\Roaming\iZwbTl.exe

MD5 5d84f160cec1c7b8e83d6d9f90a612f0
SHA1 58f2e9216d4b29073376f6f607c16d03ba1c200f
SHA256 aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109
SHA512 fd2c641a4d4a244b77ad0ce8870958fa05bf766bba65c08e0cabfd652d12e43367dfeb9ee2969e74fd95658a10d015738a6449f3da1f4148d953163c5ff4ccb7

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-16 01:24

Reported

2024-04-16 01:26

Platform

win10v2004-20240226-en

Max time kernel

154s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Detects executables packed with SmartAssembly

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\msedge.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MI9C33~1.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\BHO\ie_to_edge_stub.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\msedge_pwa_launcher.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\notification_click_helper.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MICROS~4.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MIA062~1.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\identity_helper.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\msedgewebview2.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\msedge_proxy.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\INSTAL~1\setup.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MICROS~2.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{FB050~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MICROS~3.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13185~1.17\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\pwahelper.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MI391D~1.EXE C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A
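The registry write above is the mechanism behind the "Modifies system executable filetype association" tag: with the default `exefile` handler changed from `"%1" %*` to `C:\Windows\svchost.com "%1" %*`, every `.exe` launch on the host first runs the dropped `svchost.com`, which receives the real target as its first argument. The following Python check is an added example, not part of the sandbox report or of any analysis tooling it references; it classifies a handler value offline and, on Windows, can read the live value from HKLM. It assumes the stock handler is exactly `"%1" %*` and that any handler whose first token is not the `%1`/`%l` placeholder is a wrapper.

```python
"""Check whether the HKLM 'exefile' open handler has been hijacked.

Added example; not part of the sandbox report. The report shows the sample
writing HKLM\SOFTWARE\Classes\exefile\shell\open\command =
C:\Windows\svchost.com "%1" %*  so every .exe launch first runs the dropped
svchost.com with the real target passed as an argument.
"""
import re
import sys
from dataclasses import dataclass
from typing import Optional

EXEFILE_KEY = r"SOFTWARE\Classes\exefile\shell\open\command"
STOCK_HANDLER = '"%1" %*'                    # Windows default for exefile
NESHTA_WRAPPER = r"c:\windows\svchost.com"   # wrapper path documented in this report


@dataclass
class Verdict:
    hijacked: bool
    wrapper: Optional[str]   # executable inserted in front of the real target
    neshta_match: bool       # wrapper equals the path this report documents


def classify_exefile_command(value: str) -> Verdict:
    """Classify the (default) value of the exefile open-command key."""
    v = value.strip()
    if v == STOCK_HANDLER:
        return Verdict(False, None, False)
    if not v:
        # Empty handler: nothing would run; treat as tampered but with no wrapper.
        return Verdict(True, None, False)
    # First token, honouring a quoted path such as "C:\Program Files\x.exe".
    m = re.match(r'"([^"]*)"|(\S+)', v)
    first = (m.group(1) if m.group(1) is not None else m.group(2)) if m else ""
    # A handler that starts with the target placeholder itself is not a wrapper,
    # even when its trailing arguments differ from the stock '%*'.
    if first.lower() in ("%1", "%l"):
        return Verdict(False, None, False)
    return Verdict(True, first, first.lower() == NESHTA_WRAPPER)


def read_live_value() -> Optional[str]:
    """Read the handler from HKLM on Windows; returns None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only standard-library module
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, EXEFILE_KEY) as key:
        value, _type = winreg.QueryValueEx(key, "")   # "" = the (Default) value
    return value


if __name__ == "__main__":
    live = read_live_value()
    # Off Windows, fall back to the value recorded in this report.
    sample = live if live is not None else r'C:\Windows\svchost.com "%1" %*'
    print("value   :", sample)
    print("verdict :", classify_exefile_command(sample))
```

Because the key lives under HKLM, the write requires an elevated process, which the sandbox's `Admin` account provides; on a live host, a per-user hijack would appear under `HKCU\Software\Classes\exefile` instead and should be checked the same way. Restoring the stock value is only half of the cleanup, since `svchost.com` and the infected Program Files executables listed above remain on disk.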

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1616 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1616 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1616 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1616 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1616 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1616 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1616 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe C:\Windows\SysWOW64\schtasks.exe
PID 1616 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe C:\Windows\SysWOW64\schtasks.exe
PID 1616 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe C:\Windows\SysWOW64\schtasks.exe
PID 1616 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe
PID 1616 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe
PID 1616 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe
PID 1616 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe
PID 1616 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe
PID 1616 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe
PID 1616 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe
PID 1616 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe
PID 1616 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe
PID 1616 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe
PID 1616 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe
PID 1616 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe
PID 1616 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe
PID 1616 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe

Processes

C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe

"C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\iZwbTl.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iZwbTl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp942D.tmp"

C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe

"C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe"

C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe

"C:\Users\Admin\AppData\Local\Temp\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4120 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
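Three of the child command lines above carry the detection value of this detonation: two `Add-MpPreference -ExclusionPath` calls that exclude the sample and its self-copy `iZwbTl.exe` from Defender, and a `schtasks /Create` that registers `Updates\iZwbTl` from an XML file in `%TEMP%`. Note also that each child's recorded image path is under `SysWOW64` while its command line names `System32`: the parent is a 32-bit process and file-system redirection rewrote the path, which is itself a useful hint when correlating these rows with process telemetry. The script below is an added example of triage logic over those rows; it is not the sandbox's own signature code. The rows are copied from the Processes section (the Edge line abbreviated), and the parser uses `shlex` in non-POSIX mode as an approximation of Windows argument splitting, which is adequate for these lines but not a full `CommandLineToArgvW` implementation.

```python
"""Triage the child command lines listed in this report.

Added example; the detection logic is mine, not the sandbox's. Rows below are
(image path as executed, command line as spawned), copied from the Processes
section above, with the Edge line abbreviated.
"""
import re
import shlex
from dataclasses import dataclass
from typing import List, Tuple

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe")
DROP = r"C:\Users\Admin\AppData\Roaming\iZwbTl.exe"
PS_WOW = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_SYS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

REPORT_PROCESSES: List[Tuple[str, str]] = [
    (SAMPLE, f'"{SAMPLE}"'),
    (PS_WOW, f'"{PS_SYS}" Add-MpPreference -ExclusionPath "{SAMPLE}"'),
    (PS_WOW, f'"{PS_SYS}" Add-MpPreference -ExclusionPath "{DROP}"'),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iZwbTl" '
     r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp942D.tmp"'),
    (EDGE, f'"{EDGE}" --type=utility --lang=en-US /prefetch:8'),
]

# Anything under a user profile's AppData is writable without elevation.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)


@dataclass
class Finding:
    kind: str       # defender-exclusion | scheduled-task | wow64-redirect
    severity: str   # high | medium | info
    detail: str


def _unquote(tok: str) -> str:
    return tok[1:-1] if len(tok) >= 2 and tok[0] == tok[-1] == '"' else tok


def triage(image: str, cmdline: str) -> List[Finding]:
    """Return findings for one (image path, command line) row."""
    toks = [_unquote(t) for t in shlex.split(cmdline, posix=False)]
    if not toks:
        return []
    low = [t.lower() for t in toks]
    exe = low[0]
    out: List[Finding] = []

    # Parent asked for System32 but the image came from SysWOW64: 32-bit parent.
    if "\\syswow64\\" in image.lower() and "\\system32\\" in exe:
        out.append(Finding("wow64-redirect", "info", f"32-bit parent launched {image}"))

    if exe.endswith(("powershell.exe", "pwsh.exe")):
        cmdlet = None
        for i, t in enumerate(low):
            if t in ("add-mppreference", "set-mppreference"):
                cmdlet = toks[i]
            elif cmdlet and t.startswith("-exclusion") and i + 1 < len(toks):
                target = toks[i + 1]
                sev = "high" if USER_WRITABLE.search(target) else "medium"
                out.append(Finding("defender-exclusion", sev, f"{cmdlet} {toks[i]} {target}"))

    if exe.endswith("schtasks.exe") and "/create" in low:
        tn = xml = None
        for i, t in enumerate(low):
            if t == "/tn" and i + 1 < len(toks):
                tn = toks[i + 1]
            elif t == "/xml" and i + 1 < len(toks):
                xml = toks[i + 1]
        sev = "high" if xml and USER_WRITABLE.search(xml) else "medium"
        out.append(Finding("scheduled-task", sev, f"name={tn} xml={xml}"))
    return out


def triage_rows(rows: List[Tuple[str, str]]) -> List[Finding]:
    return [f for image, cmd in rows for f in triage(image, cmd)]


if __name__ == "__main__":
    for f in triage_rows(REPORT_PROCESSES):
        print(f"[{f.severity:<6}] {f.kind}: {f.detail}")
```

Two caveats when turning this into a production rule: `Add-MpPreference` only succeeds in an elevated session, so the exclusion rows are high-confidence here because the sandbox runs as `Admin`, but on an unprivileged host they would fail silently and the task XML would be the surviving artifact; and the report does not show the contents of `tmp942D.tmp`, so the task's trigger and action (presumably pointing at `iZwbTl.exe`, which has the sample's SHA256) must be read from the dropped file rather than inferred from the command line.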

Network

Country Destination Domain Proto
GB 142.250.187.234:443 tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp

Files

memory/1616-0-0x0000000074AB0000-0x0000000075260000-memory.dmp

memory/1616-1-0x0000000000960000-0x0000000000A2C000-memory.dmp

memory/1616-2-0x0000000005B50000-0x00000000060F4000-memory.dmp

memory/1616-3-0x0000000005440000-0x00000000054D2000-memory.dmp

memory/1616-4-0x0000000005410000-0x0000000005420000-memory.dmp

memory/1616-5-0x0000000005420000-0x000000000542A000-memory.dmp

memory/1616-6-0x0000000005B20000-0x0000000005B32000-memory.dmp

memory/1616-7-0x0000000074AB0000-0x0000000075260000-memory.dmp

memory/1616-8-0x0000000005B40000-0x0000000005B48000-memory.dmp

memory/1616-9-0x0000000007EF0000-0x0000000007EFC000-memory.dmp

memory/1616-10-0x0000000005410000-0x0000000005420000-memory.dmp

memory/1616-11-0x0000000007FC0000-0x000000000804C000-memory.dmp

memory/1616-12-0x000000000A740000-0x000000000A7DC000-memory.dmp

memory/3348-15-0x0000000074AB0000-0x0000000075260000-memory.dmp

memory/3348-16-0x0000000001760000-0x0000000001770000-memory.dmp

memory/3348-17-0x0000000002F00000-0x0000000002F36000-memory.dmp

memory/848-20-0x0000000074AB0000-0x0000000075260000-memory.dmp

memory/848-21-0x0000000004780000-0x0000000004790000-memory.dmp

memory/848-22-0x0000000004DC0000-0x00000000053E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp942D.tmp

MD5 b50da0f19dc66e40fddb3d54a0678a04
SHA1 c5f88fdc1d5b3457703ba70bb1b0c9335f2dce13
SHA256 497fd5eba57c1e8f8d510127bf9285e9f696948f7c7181afa04ea9eb64a9c63a
SHA512 fed389ca84cef54f75120db7504e45ac1fbb1edcc40ff87e721e419cc018b029a43c00fd5f85144cf0a5e149ec449b5031e7e8302bc4246d82a8bda2b04843d5

memory/3796-24-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3796-25-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3796-27-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3796-29-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3582-490\aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109.exe

MD5 4b545f6eee3efe6ae2d162bfc67088fa
SHA1 2bba052522b3d8570df7f8875f2f3b9d496841f3
SHA256 de1a598505c47afc57ccd600c4c14ba710d1ab38ee12d696dfe8e30de7f3a1cf
SHA512 5c2d61fafe743f50227e04d67b66506cc0059511dec8896ef8cab1f746f8e699c06a5d56bf830fc09a9a4cce9cca084ebabec187d05c5f27e4004000a59e29ec

memory/848-36-0x0000000004C60000-0x0000000004C82000-memory.dmp

memory/1616-37-0x0000000074AB0000-0x0000000075260000-memory.dmp

memory/3348-41-0x00000000061F0000-0x0000000006256000-memory.dmp

memory/3348-42-0x00000000062D0000-0x0000000006336000-memory.dmp

C:\odt\OFFICE~1.EXE

MD5 f9f4a2054052e85c8c915a656d0d6c3c
SHA1 e95366e32ec596bac4349cb3c023856aeba1e131
SHA256 ffad1db689d19a1823f619aceda3eb5b5e9c5123105dd1eeacefc1e8d6066597
SHA512 f979845e71c88cbb29c22875b67517ff24ee2599795700c1fedf369ac2daf1655417fa46a36f831945e329b7a8e6d66b801c7c0b9536c41252ef32780862358c

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ckjr25uq.m1i.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/848-62-0x00000000057C0000-0x0000000005B14000-memory.dmp

memory/848-63-0x0000000005CD0000-0x0000000005CEE000-memory.dmp

memory/848-64-0x0000000005D20000-0x0000000005D6C000-memory.dmp

memory/3348-65-0x0000000074AB0000-0x0000000075260000-memory.dmp

memory/3348-66-0x0000000001760000-0x0000000001770000-memory.dmp

memory/848-67-0x0000000004780000-0x0000000004790000-memory.dmp

memory/848-68-0x000000007FC40000-0x000000007FC50000-memory.dmp

memory/848-69-0x0000000006230000-0x0000000006262000-memory.dmp

memory/3348-70-0x0000000071A20000-0x0000000071A6C000-memory.dmp

memory/3348-81-0x0000000006E40000-0x0000000006E5E000-memory.dmp

memory/848-80-0x0000000071A20000-0x0000000071A6C000-memory.dmp

memory/848-91-0x0000000006ED0000-0x0000000006F73000-memory.dmp

memory/3348-92-0x0000000008250000-0x00000000088CA000-memory.dmp

memory/848-93-0x0000000006F80000-0x0000000006F9A000-memory.dmp

memory/848-94-0x0000000006FF0000-0x0000000006FFA000-memory.dmp

memory/3348-95-0x0000000007E40000-0x0000000007ED6000-memory.dmp

memory/3348-96-0x0000000007DC0000-0x0000000007DD1000-memory.dmp

memory/3348-97-0x0000000001760000-0x0000000001770000-memory.dmp

memory/848-98-0x00000000071B0000-0x00000000071BE000-memory.dmp

memory/3348-99-0x0000000007DF0000-0x0000000007DFE000-memory.dmp

memory/3348-100-0x0000000001760000-0x0000000001770000-memory.dmp

memory/848-101-0x0000000074AB0000-0x0000000075260000-memory.dmp

memory/3348-102-0x0000000006260000-0x0000000006274000-memory.dmp

memory/848-103-0x0000000005B40000-0x0000000005B5A000-memory.dmp

memory/848-104-0x0000000005B30000-0x0000000005B38000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/848-109-0x0000000074AB0000-0x0000000075260000-memory.dmp

memory/3348-108-0x0000000074AB0000-0x0000000075260000-memory.dmp

memory/3796-110-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Roaming\iZwbTl.exe

MD5 5d84f160cec1c7b8e83d6d9f90a612f0
SHA1 58f2e9216d4b29073376f6f607c16d03ba1c200f
SHA256 aec8415d0972e902d53d348ebc7beaf6c575f9ec6e12791173ab1d84e90a1109
SHA512 fd2c641a4d4a244b77ad0ce8870958fa05bf766bba65c08e0cabfd652d12e43367dfeb9ee2969e74fd95658a10d015738a6449f3da1f4148d953163c5ff4ccb7