Malware Analysis Report

2024-11-16 12:20

Sample ID: 240416-d775csad7x
Target: SOA of March.zip
SHA256: 7abc1b8fa874b4404c929fb286e8d9b14a431e56e4ade13833390e1f9e3baf19
Tags: neshta, persistence, spyware, stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 7abc1b8fa874b4404c929fb286e8d9b14a431e56e4ade13833390e1f9e3baf19
Threat Level: Known bad

The file SOA of March.zip was found to be: Known bad.

Malicious Activity Summary

Tags: neshta, persistence, spyware, stealer

Neshta
Detect Neshta payload
Loads dropped DLL
Checks computer location settings
Reads user/profile data of web browsers
Modifies system executable filetype association
Suspicious use of SetThreadContext
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Creates scheduled task(s)
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-16 03:40

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-16 03:40
Reported: 2024-04-16 03:42
Platform: win7-20240221-en
Max time kernel: 118s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SOA of March.exe"

Signatures

Detect Neshta payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Neshta

Tags: persistence, spyware, neshta

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A

Modifies system executable filetype association

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A

Reads user/profile data of web browsers

Tags: spyware, stealer

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1392 set thread context of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\MOZILL~1\UNINST~1.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~1\WinMail.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\WI4223~1\sidebar.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~1\wabmig.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\WI54FB~1\wmlaunch.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\WI54FB~1\wmpshare.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~4\ImagingDevices.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\WI54FB~1\setup_wm.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\DISABL~1.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\misc.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\OIS.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\WI54FB~1\WMPDMC.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

Tags: persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1392 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1392 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1392 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1392 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1392 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1392 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1392 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1392 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1392 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1392 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1392 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1392 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1392 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe
PID 1392 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe
PID 1392 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe
PID 1392 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe
PID 1392 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe
PID 1392 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe
PID 1392 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe
PID 1392 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe
PID 1392 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe
PID 1392 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe
PID 1392 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe
PID 1392 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SOA of March.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SOA of March.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SOA of March.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fxIsxsw.exe"

C:\Windows\SysWOW64\schtasks.exe
  Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fxIsxsw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp86BD.tmp"

C:\Users\Admin\AppData\Local\Temp\SOA of March.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SOA of March.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\tmp86BD.tmp

MD5 cf4595f6bb9662693c7a41a444e24884
SHA1 0a164f0f8e1ca4cb7c6d40ac9a8636fea39cbc14
SHA256 ecf2b3a5cfeb2ac8783b492d341e874fd4c2f2b79070fde6394a41b47ca3bd08
SHA512 a73219861a4673ad490d9988c212ecd06a61a2acaa036f901932de8bfa484b3d4c697217ab2f16ecf85eca4031770dca4d1d08f41d7a59d054f1c0c72026b3e3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 bacc82688141563bb2b6027d574d4e90
SHA1 49301e34d1ed8a5c28abaac4d873735340ace04b
SHA256 7d77dcc6dbde192b3535d181fb6db9dd3883d9f13d410c81be5fad5d5c17ac60
SHA512 4e3c9d90061b86f65ada9ac3fb28036074e9e38a8c6381af4558025c08627f03677f7107fe6fa6e9d63388bbdf1f4b5bc7203954df675491c487c5a1a0891d3d

C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

MD5 bebc581f9d4d0d3ece634da94ad8ebcd
SHA1 a8cedefcf19ca8bb54e4c399789cd35de1d7dcef
SHA256 5ebc7447d1890caf18b682c8c3305f33e8cc167ae761a0113af4c3cbe42bfa69
SHA512 6daa8aeaed7be1eeff335de2f3735a586422414d59d193a89fda485b4fef1c9e18efe3c923c54e331c53ee39ac9268a8da5cfe7250721de902d18a257f7f4fdd

\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

MD5 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1 ec66cda99f44b62470c6930e5afda061579cde35
SHA256 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

C:\Users\Admin\AppData\Roaming\fxIsxsw.exe

MD5 2f8cf1eacce33f87429c022d57a1ebea
SHA1 a9ebe3f2e6de49eda0493cbae362d2b033461243
SHA256 75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9
SHA512 54f9afe991c68b7083db5e4b514bfa693a63e1d4d40f94d0d4e95b0a545252bffb3acb8a38f84621cadfb7aa1126a91d579cddef254a2f4b318450e3f9af8f18

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-16 03:40
Reported: 2024-04-16 03:42
Platform: win10v2004-20240412-en
Max time kernel: 150s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SOA of March.exe"

Signatures

Detect Neshta payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Neshta

Tags: persistence, spyware, neshta

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A

Modifies system executable filetype association

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A

Reads user/profile data of web browsers

Tags: spyware, stealer

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3944 set thread context of 1884 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~3.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~4\wmlaunch.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~4\wmprph.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~4\wmpshare.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~4.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MIA062~1.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\WI8A19~1\ImagingDevices.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13185~1.29\MICROS~1.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MI391D~1.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MI9C33~1.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~2.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~2\wab.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\INTERN~1\ExtExport.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\DISABL~1.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~4\setup_wm.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\MOZILL~1\UNINST~1.EXE | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~2\wabmig.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~4\wmpconfig.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

Tags: persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3944 wrote to memory of 4656 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3944 wrote to memory of 4656 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3944 wrote to memory of 4656 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3944 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3944 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3944 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3944 wrote to memory of 4024 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3944 wrote to memory of 4024 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3944 wrote to memory of 4024 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3944 wrote to memory of 1884 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe
PID 3944 wrote to memory of 1884 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe
PID 3944 wrote to memory of 1884 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe
PID 3944 wrote to memory of 1884 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe
PID 3944 wrote to memory of 1884 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe
PID 3944 wrote to memory of 1884 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe
PID 3944 wrote to memory of 1884 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe
PID 3944 wrote to memory of 1884 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe
PID 3944 wrote to memory of 1884 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe
PID 3944 wrote to memory of 1884 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe
PID 3944 wrote to memory of 1884 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe | C:\Users\Admin\AppData\Local\Temp\SOA of March.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SOA of March.exe

"C:\Users\Admin\AppData\Local\Temp\SOA of March.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SOA of March.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fxIsxsw.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fxIsxsw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5A26.tmp"

C:\Users\Admin\AppData\Local\Temp\SOA of March.exe

"C:\Users\Admin\AppData\Local\Temp\SOA of March.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 28.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\tmp5A26.tmp

MD5 fc32a5e7cc6decf6e28c52e2f815da88
SHA1 22b9d927b268d70e717b9afed6b99ec9e9ac4954
SHA256 4c237fd4bcf55d6f4fd13e84dbd4e9d8bd213fbf69a045a9a2a51f5a10c3d7ba
SHA512 0fae184127faace7804fcd4be0bdf2af6a4950df013e762b7a6e0dbf6cac19021ec4d11f211874df6da4d4102ab79c30f67e6d81d503321743a4bf0c7b0a735a

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cvgaufny.nyf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\3582-490\SOA of March.exe

MD5 311fc7d3b1c40b9d54449b4438aec966
SHA1 9ade2bc2022780482f48903261241951561ca1ef
SHA256 c5aac26124429fbf9712105ffae772d81190c6af63d241c92e0432f96da25f58
SHA512 81545eca187040fd181c62312cc8c29c4b51cacf8ff350b124caa2cb49034068b5e34dbe43aef79968ff735f5892049a1d6e5ba484cc4bc1d69eef0bd9f27e4f

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE

MD5 663ed8b7c46f3b72587318e591f4a361
SHA1 c44d4014b06be83fadaa9c5a47ce00b18af69969
SHA256 5517b70a239e535f85a736e87c5deddec7dc48cb661cb042c51856d24abcd337
SHA512 274a4d9707c66acb916e1fdaeded258319dff6e334242534bd19a6324766985a5c145cc65097020302029c2957b8534f10bbadb1ba1c6d0a59500b013b9a0afd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9777972d2acd2994c3414393392e86a5
SHA1 55f4cd2bf8c0e63fd55e8b831d2cdd3503cd5cc8
SHA256 18ed27512a21e119f587f94310762f19570af7621a5955fabcde5882d462f853
SHA512 4620c31b9335db37b0b88e451402d05c0d2a3c386ec0f750db468b40bc08f3363b1f6d68fbc803db24e5ccf4f94cb882669afcf9f07052a16ce851a22ad95c6c

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Roaming\fxIsxsw.exe

MD5 2f8cf1eacce33f87429c022d57a1ebea
SHA1 a9ebe3f2e6de49eda0493cbae362d2b033461243
SHA256 75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9
SHA512 54f9afe991c68b7083db5e4b514bfa693a63e1d4d40f94d0d4e95b0a545252bffb3acb8a38f84621cadfb7aa1126a91d579cddef254a2f4b318450e3f9af8f18
