Malware Analysis Report

2024-11-16 12:20

Sample ID 240416-kzfhpsfg6x
Target SOA of March.exe
SHA256 75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9
Tags
neshta persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9

Threat Level: Known bad

The file SOA of March.exe was found to be: Known bad.

Malicious Activity Summary

neshta persistence spyware stealer

Detect Neshta payload

Neshta

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

Modifies system executable filetype association

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-16 09:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-16 09:02

Reported

2024-04-16 09:04

Platform

win7-20240319-en

Max time kernel

122s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SOA of March.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1192 set thread context of 2792 N/A C:\Users\Admin\AppData\Local\Temp\SOA of March.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\WINDOW~1\WinMail.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\WMPDMC.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\misc.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wabmig.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\OIS.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1192 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\SOA of March.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1192 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\SOA of March.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1192 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\SOA of March.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1192 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\SOA of March.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1192 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\SOA of March.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1192 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\SOA of March.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1192 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\SOA of March.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1192 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\SOA of March.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1192 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\SOA of March.exe C:\Windows\SysWOW64\schtasks.exe
PID 1192 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\SOA of March.exe C:\Windows\SysWOW64\schtasks.exe
PID 1192 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\SOA of March.exe C:\Windows\SysWOW64\schtasks.exe
PID 1192 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\SOA of March.exe C:\Windows\SysWOW64\schtasks.exe
PID 1192 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\SOA of March.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe
PID 1192 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\SOA of March.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe
PID 1192 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\SOA of March.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe
PID 1192 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\SOA of March.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe
PID 1192 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\SOA of March.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe
PID 1192 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\SOA of March.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe
PID 1192 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\SOA of March.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe
PID 1192 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\SOA of March.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe
PID 1192 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\SOA of March.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe
PID 1192 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\SOA of March.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe
PID 1192 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\SOA of March.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe
PID 1192 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\SOA of March.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe
PID 1192 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\SOA of March.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe
PID 1192 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\SOA of March.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe
PID 1192 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\SOA of March.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe
PID 1192 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\SOA of March.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SOA of March.exe

"C:\Users\Admin\AppData\Local\Temp\SOA of March.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SOA of March.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fxIsxsw.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fxIsxsw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8601.tmp"

C:\Users\Admin\AppData\Local\Temp\SOA of March.exe

"C:\Users\Admin\AppData\Local\Temp\SOA of March.exe"

C:\Users\Admin\AppData\Local\Temp\SOA of March.exe

"C:\Users\Admin\AppData\Local\Temp\SOA of March.exe"

Network

N/A

Files

memory/1192-0-0x00000000002F0000-0x00000000003AC000-memory.dmp

memory/1192-1-0x0000000073820000-0x0000000073F0E000-memory.dmp

memory/1192-2-0x0000000004B40000-0x0000000004B80000-memory.dmp

memory/1192-3-0x0000000002180000-0x0000000002228000-memory.dmp

memory/1192-4-0x00000000002E0000-0x00000000002F2000-memory.dmp

memory/1192-5-0x0000000000620000-0x0000000000628000-memory.dmp

memory/1192-6-0x0000000000630000-0x000000000063C000-memory.dmp

memory/1192-7-0x0000000004E60000-0x0000000004EEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp8601.tmp

MD5 b896f1018f48d8e00a61f56a7b90e730
SHA1 d35033684197da7256700050a499e3461ead7c05
SHA256 3345a898da97b06dbc8cc6f1696ee189b5e30b4998f695113faa9ab4aeaa6d23
SHA512 18182ce422de3cc66157518d0fcec044ba617ce15cce95f5c685fbcd3d71dc992228e06959532e3b2c48f441874e5f4d810d68d1124fb80880b69b1d9a807847

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 f04c8a644436c5654da6897661856105
SHA1 e608b6d0dd28c3beccdb8056ba07a75a32f009e7
SHA256 00a15b4fcf83c8d9e4e5cdbf0f034ba0e8a081d21f94c2e4a239425590105136
SHA512 03647ada1ecd13c7cf68a9bdb2b7e1686a5028ebae8bbe053d8d11e0d08cd43d75446e750e08552557a60d8af51f5679e7d8c41a291a4ae9a41362bd3c140c64

memory/2792-22-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2792-25-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2792-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2792-27-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2792-26-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2792-23-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2792-24-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2792-31-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2792-30-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2792-20-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2792-32-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1192-34-0x0000000073820000-0x0000000073F0E000-memory.dmp

memory/2536-35-0x000000006ED50000-0x000000006F2FB000-memory.dmp

memory/2748-36-0x000000006ED50000-0x000000006F2FB000-memory.dmp

memory/2536-38-0x0000000002640000-0x0000000002680000-memory.dmp

memory/2748-39-0x000000006ED50000-0x000000006F2FB000-memory.dmp

memory/2536-40-0x000000006ED50000-0x000000006F2FB000-memory.dmp

memory/2536-41-0x0000000002640000-0x0000000002680000-memory.dmp

memory/2748-42-0x00000000024C0000-0x0000000002500000-memory.dmp

memory/2536-43-0x0000000002640000-0x0000000002680000-memory.dmp

memory/2748-44-0x00000000024C0000-0x0000000002500000-memory.dmp

C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

MD5 bebc581f9d4d0d3ece634da94ad8ebcd
SHA1 a8cedefcf19ca8bb54e4c399789cd35de1d7dcef
SHA256 5ebc7447d1890caf18b682c8c3305f33e8cc167ae761a0113af4c3cbe42bfa69
SHA512 6daa8aeaed7be1eeff335de2f3735a586422414d59d193a89fda485b4fef1c9e18efe3c923c54e331c53ee39ac9268a8da5cfe7250721de902d18a257f7f4fdd

memory/2536-52-0x000000006ED50000-0x000000006F2FB000-memory.dmp

memory/2748-51-0x000000006ED50000-0x000000006F2FB000-memory.dmp

\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

MD5 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1 ec66cda99f44b62470c6930e5afda061579cde35
SHA256 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

C:\Users\Admin\AppData\Roaming\fxIsxsw.exe

MD5 2f8cf1eacce33f87429c022d57a1ebea
SHA1 a9ebe3f2e6de49eda0493cbae362d2b033461243
SHA256 75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9
SHA512 54f9afe991c68b7083db5e4b514bfa693a63e1d4d40f94d0d4e95b0a545252bffb3acb8a38f84621cadfb7aa1126a91d579cddef254a2f4b318450e3f9af8f18

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-16 09:02

Reported

2024-04-16 09:04

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SOA of March.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5112 set thread context of 828 N/A C:\Users\Admin\AppData\Local\Temp\SOA of March.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MICROS~3.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\pwahelper.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MI391D~1.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\identity_helper.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\INSTAL~1\setup.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\msedge.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13185~1.17\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\BHO\ie_to_edge_stub.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\notification_click_helper.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\cookie_exporter.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\msedge_proxy.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\msedge_pwa_launcher.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MIA062~1.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{FB050~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\SOA of March.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5112 wrote to memory of 2404 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\SOA of March.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5112 wrote to memory of 1976 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\SOA of March.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5112 wrote to memory of 3808 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\SOA of March.exe C:\Windows\SysWOW64\schtasks.exe
PID 5112 wrote to memory of 828 (11 writes) N/A C:\Users\Admin\AppData\Local\Temp\SOA of March.exe C:\Users\Admin\AppData\Local\Temp\SOA of March.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SOA of March.exe

"C:\Users\Admin\AppData\Local\Temp\SOA of March.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SOA of March.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fxIsxsw.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fxIsxsw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6B29.tmp"

C:\Users\Admin\AppData\Local\Temp\SOA of March.exe

"C:\Users\Admin\AppData\Local\Temp\SOA of March.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4424 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
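The command lines above and the exefile registry change recorded under Modifies registry class give three rules a responder can run over process-creation and registry events: a Defender exclusion added with Add-MpPreference, a scheduled task created from an XML file in a user-writable directory, and an exefile open handler that no longer reads "%1" %*. Two caveats from the rows themselves: the command lines name System32 but the recorded images live under SysWOW64, because the 32-bit parent is subject to WOW64 file system redirection, so match on the file name rather than the full path; and the eleven writes into PID 828, a second copy of the same image whose only recorded memory region is 0x0000000000400000-0x000000000041B000, are the pattern to check when deciding whether that child was hollowed. The rules below are an added example written for this page, not tooling from the sandbox; the event records are constructed from the rows in this report and their field names (type, image, cmdline, key, value) are this example's own, not a sandbox or EDR schema.

```python
import re

# Constructed event records modelled on the rows in this report. The field
# names are this example's own, not a sandbox or EDR schema.
SAMPLE_EVENTS = [
    {"type": "process",
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SOA of March.exe"'},
    {"type": "process",
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fxIsxsw.exe"'},
    {"type": "process",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fxIsxsw" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp6B29.tmp"'},
    {"type": "registry",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command",
     "value": r'C:\Windows\svchost.com "%1" %*'},
    # Two constructed benign controls that must not fire.
    {"type": "process",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Query /TN "Microsoft\Windows\Defrag\ScheduledDefrag"'},
    {"type": "registry",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command",
     "value": r'"%1" %*'},
]

# Directories an unprivileged user can write to; a task action or task XML
# sourced from here is what the report shows.
USER_WRITABLE = re.compile(r"\\AppData\\|\\Temp\\|\\Users\\Public\\", re.I)
# Default exefile open handler on a clean Windows install.
EXEFILE_DEFAULT = '"%1" %*'


def _quoted_args(cmdline):
    """Tokenise a Windows command line; a double-quoted run stays one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def rule_defender_exclusion(ev):
    """Add-MpPreference with any -Exclusion* parameter (Path, Process, Extension)."""
    if ev["type"] != "process":
        return None
    args = _quoted_args(ev["cmdline"])
    low = [a.lower() for a in args]
    if "add-mppreference" not in low:
        return None
    for i, a in enumerate(low):
        if a.startswith("-exclusion") and i + 1 < len(args):
            return f"Defender exclusion added: {args[i + 1]}"
    return None


def rule_schtasks_from_user_path(ev):
    """schtasks /Create whose /XML or /TR argument lives in a user-writable path."""
    if ev["type"] != "process":
        return None
    args = _quoted_args(ev["cmdline"])
    if not args or not args[0].lower().endswith("schtasks.exe"):
        return None
    low = [a.lower() for a in args]
    if "/create" not in low:
        return None
    for flag in ("/xml", "/tr"):
        if flag in low and low.index(flag) + 1 < len(args):
            target = args[low.index(flag) + 1]
            if USER_WRITABLE.search(target):
                return f"Scheduled task created from user-writable path: {target}"
    return None


def rule_exefile_hijack(ev):
    """exefile\\shell\\open\\command set to anything but the stock "%1" %* handler."""
    if ev["type"] != "registry":
        return None
    key = ev["key"].rstrip("\\").lower()
    if not key.endswith(r"\classes\exefile\shell\open\command"):
        return None
    if " ".join(ev["value"].split()) == EXEFILE_DEFAULT:
        return None
    return f"exefile handler hijacked: {ev['value']}"


RULES = (rule_defender_exclusion, rule_schtasks_from_user_path, rule_exefile_hijack)


def triage(events):
    """Run every rule over every event; return (rule name, finding) pairs."""
    hits = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                hits.append((rule.__name__, msg))
    return hits


if __name__ == "__main__":
    for name, msg in triage(SAMPLE_EVENTS):
        print(f"{name}: {msg}")
```

Running the script against the constructed records yields four findings, one per malicious row, and nothing for the two controls. The exefile rule compares the normalised value against the stock handler rather than looking for svchost.com, so it also catches hijacks that use a different stub name.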

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 239.249.30.184.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp

Files

memory/5112-0-0x0000000074CB0000-0x0000000075460000-memory.dmp

memory/5112-1-0x0000000000820000-0x00000000008DC000-memory.dmp

memory/5112-2-0x00000000058E0000-0x0000000005E84000-memory.dmp

memory/5112-3-0x0000000005330000-0x00000000053C2000-memory.dmp

memory/5112-4-0x00000000055A0000-0x00000000055B0000-memory.dmp

memory/5112-5-0x00000000052C0000-0x00000000052CA000-memory.dmp

memory/5112-6-0x0000000006920000-0x00000000069C8000-memory.dmp

memory/5112-7-0x00000000056B0000-0x00000000056C2000-memory.dmp

memory/5112-8-0x00000000058D0000-0x00000000058D8000-memory.dmp

memory/5112-9-0x00000000069E0000-0x00000000069EC000-memory.dmp

memory/5112-10-0x0000000006A40000-0x0000000006ACC000-memory.dmp

memory/5112-11-0x0000000009170000-0x000000000920C000-memory.dmp

memory/5112-17-0x0000000074CB0000-0x0000000075460000-memory.dmp

memory/2404-16-0x00000000028A0000-0x00000000028D6000-memory.dmp

memory/2404-18-0x0000000074CB0000-0x0000000075460000-memory.dmp

memory/2404-19-0x0000000002850000-0x0000000002860000-memory.dmp

memory/2404-20-0x0000000002850000-0x0000000002860000-memory.dmp

memory/2404-21-0x0000000005340000-0x0000000005968000-memory.dmp

memory/1976-22-0x0000000074CB0000-0x0000000075460000-memory.dmp

memory/1976-23-0x0000000004A20000-0x0000000004A30000-memory.dmp

memory/5112-24-0x00000000055A0000-0x00000000055B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp6B29.tmp

MD5 bb288e8c44ee9e4cdc7598ee8093ec00
SHA1 60c64947c398c85d807314075e349f5dadc08a8e
SHA256 4a0f7be643aac352acc3e7ef56788efc149609009b8bf7a1bdceb2f0277b7dc8
SHA512 7d8940a138415cd3feb1ba6efb40be44c289905502085ce244e889cb596d8914ccf5bab035f896d06c8f74c31e135df5ae14ef092aabf1643bc2bd405ce8986c

memory/2404-26-0x00000000050E0000-0x0000000005102000-memory.dmp

memory/1976-27-0x0000000004EC0000-0x0000000004F26000-memory.dmp

memory/828-28-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1976-30-0x0000000004FE0000-0x0000000005046000-memory.dmp

memory/828-29-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nnjowf44.5s0.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/828-32-0x0000000000400000-0x000000000041B000-memory.dmp

memory/828-38-0x0000000000400000-0x000000000041B000-memory.dmp

memory/5112-39-0x0000000074CB0000-0x0000000075460000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3582-490\SOA of March.exe

MD5 311fc7d3b1c40b9d54449b4438aec966
SHA1 9ade2bc2022780482f48903261241951561ca1ef
SHA256 c5aac26124429fbf9712105ffae772d81190c6af63d241c92e0432f96da25f58
SHA512 81545eca187040fd181c62312cc8c29c4b51cacf8ff350b124caa2cb49034068b5e34dbe43aef79968ff735f5892049a1d6e5ba484cc4bc1d69eef0bd9f27e4f

memory/1976-61-0x0000000005690000-0x00000000059E4000-memory.dmp

C:\odt\OFFICE~1.EXE

MD5 fbc1e76b3f41cc4535c5825eedce8c54
SHA1 df182b9b246b56acb5038ea1be83a93be8eafa65
SHA256 83a65f929644e17bfcf2f1072e5c69543d713abe0766ae5c67223e8c71ba2c5b
SHA512 7e9a3f984aa64717cbd18434326ed9820b0977682ec4ee0ecc07c2dabf0347063e9cf3cc189acbb6d5dd6497a184b72273e64281820af623a96fc67d1e8f3926

memory/2404-65-0x00000000061D0000-0x00000000061EE000-memory.dmp

memory/2404-66-0x0000000006200000-0x000000000624C000-memory.dmp

memory/2404-68-0x0000000002850000-0x0000000002860000-memory.dmp

memory/1976-67-0x0000000004A20000-0x0000000004A30000-memory.dmp

memory/1976-70-0x000000007FA30000-0x000000007FA40000-memory.dmp

memory/2404-69-0x000000007F440000-0x000000007F450000-memory.dmp

memory/2404-72-0x00000000703C0000-0x000000007040C000-memory.dmp

memory/1976-82-0x00000000703C0000-0x000000007040C000-memory.dmp

memory/2404-90-0x0000000006790000-0x00000000067AE000-memory.dmp

memory/1976-71-0x0000000006270000-0x00000000062A2000-memory.dmp

memory/1976-93-0x0000000006E70000-0x0000000006F13000-memory.dmp

memory/1976-94-0x00000000075F0000-0x0000000007C6A000-memory.dmp

memory/2404-95-0x00000000074E0000-0x00000000074FA000-memory.dmp

memory/1976-96-0x0000000007010000-0x000000000701A000-memory.dmp

memory/2404-97-0x0000000007750000-0x00000000077E6000-memory.dmp

memory/1976-98-0x00000000071D0000-0x00000000071E1000-memory.dmp

memory/2404-99-0x0000000074CB0000-0x0000000075460000-memory.dmp

memory/2404-100-0x0000000007730000-0x000000000773E000-memory.dmp

memory/2404-101-0x00000000077F0000-0x0000000007804000-memory.dmp

memory/2404-102-0x0000000007830000-0x000000000784A000-memory.dmp

memory/1976-103-0x00000000072E0000-0x00000000072E8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/1976-108-0x0000000074CB0000-0x0000000075460000-memory.dmp

memory/2404-109-0x0000000074CB0000-0x0000000075460000-memory.dmp

C:\Users\Admin\AppData\Roaming\fxIsxsw.exe

MD5 2f8cf1eacce33f87429c022d57a1ebea
SHA1 a9ebe3f2e6de49eda0493cbae362d2b033461243
SHA256 75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9
SHA512 54f9afe991c68b7083db5e4b514bfa693a63e1d4d40f94d0d4e95b0a545252bffb3acb8a38f84621cadfb7aa1126a91d579cddef254a2f4b318450e3f9af8f18

memory/828-207-0x0000000000400000-0x000000000041B000-memory.dmp
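Two file entries above are worth reading together. C:\Users\Admin\AppData\Roaming\fxIsxsw.exe carries the same SHA256 as the submitted sample, so it is a byte-identical copy of the infected file, and it is the file the scheduled task Updates\fxIsxsw and the second Defender exclusion point at. C:\Users\Admin\AppData\Local\Temp\3582-490\SOA of March.exe carries a different SHA256: 3582-490 is the directory in which Neshta writes out the original program it was prepended to before running it, so that file is the candidate for the underlying payload and the one to analyse next. The code below is an added example, not sandbox code: a locator for a second well-formed MZ/PE header inside a file, which recovers the original from a Neshta-style prepender infection without trusting a fixed stub length. The PE blobs it is run on are constructed and minimal, not loadable images. A second embedded header is a lead, not proof, since installers and packers also carry PE files in their overlay; compare the carved file's SHA256 with the 3582-490 entry before treating it as the original.

```python
import struct


def find_pe_headers(buf: bytes) -> list:
    """Offsets of every MZ header in buf whose e_lfanew points at a PE signature."""
    found = []
    pos = buf.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(buf):
            e_lfanew = struct.unpack_from("<I", buf, pos + 0x3C)[0]
            pe = pos + e_lfanew
            # Sanity bound on e_lfanew: real images keep it small, and the bound
            # stops a stray "MZ" inside code from being read as a header.
            if 0x40 <= e_lfanew < 0x1000 and buf[pe:pe + 4] == b"PE\0\0":
                found.append(pos)
        pos = buf.find(b"MZ", pos + 1)
    return found


def carve_prepended(buf: bytes):
    """For a prepender infection (Neshta style) the second header offset is the
    stub length and everything from there on is the original file.
    Returns (stub_length, original_bytes), or None if there is no second header."""
    headers = find_pe_headers(buf)
    if len(headers) < 2 or headers[0] != 0:
        return None
    stub_len = headers[1]
    return stub_len, buf[stub_len:]


def fake_pe(tag: bytes, body_len: int) -> bytes:
    """Constructed minimal MZ/PE-shaped blob for demonstration; not loadable."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature right after DOS header
    return bytes(dos) + b"PE\0\0" + tag + bytes(body_len)


STUB = fake_pe(b"STUB", 200)      # stands in for the prepended virus body
ORIGINAL = fake_pe(b"ORIG", 100)  # stands in for the host program
INFECTED = STUB + ORIGINAL        # constructed infected file: stub, then original


if __name__ == "__main__":
    import hashlib
    stub_len, carved = carve_prepended(INFECTED)
    print(f"stub length {stub_len} bytes, carved sha256 {hashlib.sha256(carved).hexdigest()}")
```

On a real sample, read the file with open(path, "rb") and hash the carved bytes; a match against the 3582-490 entry confirms the carve, and a mismatch means the second header belongs to something else (an overlay resource, a second layer) and the file needs a closer look.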