Malware Analysis Report

2024-11-16 12:20

Sample ID 240416-myeacsgf24
Target PO0130717.zip
SHA256 345c9e1d0f7acf8e08d4831daacc56a1c8c57299c75895fb0783c891750eb509
Tags neshta persistence spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

345c9e1d0f7acf8e08d4831daacc56a1c8c57299c75895fb0783c891750eb509

Threat Level: Known bad

The file PO0130717.zip was found to be: Known bad.

Malicious Activity Summary

neshta persistence spyware stealer

Detect Neshta payload

Neshta

Modifies system executable filetype association

Checks computer location settings

Reads user/profile data of web browsers

Loads dropped DLL

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-16 10:52

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-16 10:52

Reported

2024-04-16 10:54

Platform

win7-20240221-en

Max time kernel

122s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PO0130717.exe"

Signatures

Detect Neshta payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Neshta

persistence spyware neshta

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A

Modifies system executable filetype association

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1980 set thread context of 2472 | N/A | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\misc.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\WI54FB~1\WMPDMC.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\DISABL~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\WI54FB~1\setup_wm.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~1\wabmig.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~1\WinMail.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\OIS.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~1\wab.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\WI54FB~1\wmpconfig.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\WI54FB~1\wmlaunch.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\WI54FB~1\wmplayer.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1980 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1980 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1980 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1980 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1980 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1980 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1980 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1980 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1980 wrote to memory of 1232 | N/A | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1980 wrote to memory of 1232 | N/A | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1980 wrote to memory of 1232 | N/A | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1980 wrote to memory of 1232 | N/A | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1980 wrote to memory of 2472 | N/A | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe
PID 1980 wrote to memory of 2472 | N/A | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe
PID 1980 wrote to memory of 2472 | N/A | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe
PID 1980 wrote to memory of 2472 | N/A | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe
PID 1980 wrote to memory of 2472 | N/A | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe
PID 1980 wrote to memory of 2472 | N/A | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe
PID 1980 wrote to memory of 2472 | N/A | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe
PID 1980 wrote to memory of 2472 | N/A | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe
PID 1980 wrote to memory of 2472 | N/A | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe
PID 1980 wrote to memory of 2472 | N/A | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe
PID 1980 wrote to memory of 2472 | N/A | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe
PID 1980 wrote to memory of 2472 | N/A | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe

Processes

C:\Users\Admin\AppData\Local\Temp\PO0130717.exe

"C:\Users\Admin\AppData\Local\Temp\PO0130717.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO0130717.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hiOUFxAiUxx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hiOUFxAiUxx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp712A.tmp"

C:\Users\Admin\AppData\Local\Temp\PO0130717.exe

"C:\Users\Admin\AppData\Local\Temp\PO0130717.exe"

Network

N/A

Files

memory/1980-0-0x00000000002F0000-0x00000000003AC000-memory.dmp

memory/1980-1-0x0000000074D30000-0x000000007541E000-memory.dmp

memory/1980-2-0x0000000004BE0000-0x0000000004C20000-memory.dmp

memory/1980-3-0x00000000046B0000-0x0000000004758000-memory.dmp

memory/1980-4-0x00000000003F0000-0x0000000000402000-memory.dmp

memory/1980-5-0x00000000004B0000-0x00000000004B8000-memory.dmp

memory/1980-6-0x00000000008A0000-0x00000000008AC000-memory.dmp

memory/1980-7-0x0000000004B40000-0x0000000004BCC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp712A.tmp

MD5 bf631765e25b685f9267ecdceed1065e
SHA1 a0f50ef7f10d6fc4227d329b0a5e99453e0c58c0
SHA256 01f442d4aba3a844c6fb10e388b763a616fd3a6d87ee34d0873ae1c472cf2fab
SHA512 235e5e34d6e4d27726b4e6457e123459ce7f283753b8575f661a9d7e2edd99cf9dcad30a0781d08f2d73c846c07e18c0a959661037af14ba96abaf8df314dceb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\M2YOGPVQZ9FTNHEQFZ6M.temp

MD5 c028bf75c949cf0191e5d6413ffaaa42
SHA1 55924f926c8f0ba9e14780d5be1334adaabf6324
SHA256 69182af2574fad4dee447365d79523be0845d9c588d3efaeb58163126adeae50
SHA512 c798f432bf7a73505ba8d2e3039cc594dfeb88c1662ad8eac8d473d8cdac6d04d995331110c1d49d5a2348e740e2389368b006901ab70e4cf2c7d0184ed7f3c7

memory/2472-20-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2472-21-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2472-22-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2472-23-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2472-24-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2472-25-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2472-26-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2472-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2472-29-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1980-31-0x0000000074D30000-0x000000007541E000-memory.dmp

memory/2472-30-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2472-32-0x0000000000400000-0x000000000041B000-memory.dmp

C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

MD5 fdacb2723792c8f3e955269ff462016b
SHA1 5bbd977aeeea84f59da3369766d24fa99b4095bd
SHA256 7a63293842c544205e6cdc614bb6cdb2c1a487e08b27fe35a76bdd1d8b111d60
SHA512 a092ade53a0a4f3cbf27629ec57d176a8de1c5a57a61688c604468e6f85c0301388e66f3a4c4e6b0cc6f097064a6f27e84b9a5a5896148078c0752bb2cdd63d1

memory/2572-41-0x000000006FBB0000-0x000000007015B000-memory.dmp

memory/2632-42-0x000000006FBB0000-0x000000007015B000-memory.dmp

memory/2572-43-0x0000000001E00000-0x0000000001E40000-memory.dmp

memory/2632-44-0x00000000023D0000-0x0000000002410000-memory.dmp

memory/2572-45-0x0000000001E00000-0x0000000001E40000-memory.dmp

memory/2632-46-0x00000000023D0000-0x0000000002410000-memory.dmp

memory/2572-48-0x000000006FBB0000-0x000000007015B000-memory.dmp

memory/2472-47-0x0000000000400000-0x000000000041B000-memory.dmp

\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

MD5 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1 ec66cda99f44b62470c6930e5afda061579cde35
SHA256 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

memory/2632-55-0x000000006FBB0000-0x000000007015B000-memory.dmp

memory/2572-56-0x000000006FBB0000-0x000000007015B000-memory.dmp

C:\Users\Admin\AppData\Roaming\HIOUFX~1.EXE

MD5 a91dab24aa90fa6115cd9a6d496aef47
SHA1 f6713efef793510d67b672eb85e52582e02be38c
SHA256 179e9673e3cbfd035d528f744f3eb88c65583089bb78d744f2c380be3bf3540a
SHA512 99c00a94d63d316208b8fe3e1a247cd95662348d85e713080f6de8c5a496161f04a30b7a9373aa1ee62cc3fef25244cf735d70f84d10a0bfd87547f6dbe5adec

memory/2472-124-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2472-126-0x0000000000400000-0x000000000041B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-16 10:52

Reported

2024-04-16 10:54

Platform

win10v2004-20240226-en

Max time kernel

143s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PO0130717.exe"

Signatures

Detect Neshta payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Neshta

persistence spyware neshta

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A

Modifies system executable filetype association

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1804 set thread context of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\cookie_exporter.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MICROS~4.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13185~1.17\MICROS~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MICROS~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~4\wmpshare.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{FB050~1\WINDOW~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\MOZILL~1\UNINST~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MIA062~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\msedge_proxy.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~4\wmlaunch.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\elevation_service.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MI391D~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\BHO\ie_to_edge_stub.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~4\wmplayer.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\INTERN~1\ieinstal.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\WI8A19~1\ImagingDevices.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MICROS~2.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~4\wmprph.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\INTERN~1\ExtExport.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\pwahelper.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~4\wmpconfig.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\DISABL~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MICROS~3.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\msedge_pwa_launcher.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~2\wab.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~2\wabmig.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1804 wrote to memory of 976 | N/A | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1804 wrote to memory of 976 | N/A | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1804 wrote to memory of 976 | N/A | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1804 wrote to memory of 4560 | N/A | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1804 wrote to memory of 4560 | N/A | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1804 wrote to memory of 4560 | N/A | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1804 wrote to memory of 4884 | N/A | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1804 wrote to memory of 4884 | N/A | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1804 wrote to memory of 4884 | N/A | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1804 wrote to memory of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe
PID 1804 wrote to memory of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe
PID 1804 wrote to memory of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe
PID 1804 wrote to memory of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe
PID 1804 wrote to memory of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe
PID 1804 wrote to memory of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe
PID 1804 wrote to memory of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe
PID 1804 wrote to memory of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe
PID 1804 wrote to memory of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe
PID 1804 wrote to memory of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe
PID 1804 wrote to memory of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe | C:\Users\Admin\AppData\Local\Temp\PO0130717.exe

Processes

C:\Users\Admin\AppData\Local\Temp\PO0130717.exe

"C:\Users\Admin\AppData\Local\Temp\PO0130717.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO0130717.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hiOUFxAiUxx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hiOUFxAiUxx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8B91.tmp"

C:\Users\Admin\AppData\Local\Temp\PO0130717.exe

"C:\Users\Admin\AppData\Local\Temp\PO0130717.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3960 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
GB 23.44.234.16:80 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 154.141.79.40.in-addr.arpa udp

Files

memory/1804-0-0x0000000074C10000-0x00000000753C0000-memory.dmp

memory/1804-1-0x00000000000E0000-0x000000000019C000-memory.dmp

memory/1804-2-0x0000000005210000-0x00000000057B4000-memory.dmp

memory/1804-3-0x0000000004B70000-0x0000000004C02000-memory.dmp

memory/1804-4-0x0000000004B60000-0x0000000004B70000-memory.dmp

memory/1804-5-0x0000000004D50000-0x0000000004D5A000-memory.dmp

memory/1804-6-0x0000000006230000-0x00000000062D8000-memory.dmp

memory/1804-7-0x0000000004E80000-0x0000000004E92000-memory.dmp

memory/1804-8-0x00000000051C0000-0x00000000051C8000-memory.dmp

memory/1804-9-0x00000000051D0000-0x00000000051DC000-memory.dmp

memory/1804-10-0x0000000006310000-0x000000000639C000-memory.dmp

memory/1804-11-0x0000000008A30000-0x0000000008ACC000-memory.dmp

memory/1804-12-0x0000000074C10000-0x00000000753C0000-memory.dmp

memory/1804-13-0x0000000004B60000-0x0000000004B70000-memory.dmp

memory/976-17-0x00000000051E0000-0x00000000051F0000-memory.dmp

memory/976-16-0x0000000074C10000-0x00000000753C0000-memory.dmp

memory/976-18-0x0000000002B80000-0x0000000002BB6000-memory.dmp

memory/4560-22-0x0000000005420000-0x0000000005A48000-memory.dmp

memory/4560-24-0x0000000004D60000-0x0000000004D70000-memory.dmp

memory/4560-23-0x0000000004D60000-0x0000000004D70000-memory.dmp

memory/4560-21-0x0000000074C10000-0x00000000753C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp8B91.tmp

MD5 3aa9852f4751948032df7a906d4e2da2
SHA1 9f37e119799c63a5b724a598a10538c13bb8c951
SHA256 a9e97f8e7ab0123d4ad03652a894252b5e112b0cc3a12abca6ac2e21994614fd
SHA512 91dc9b7563715580d1787521b852ed4f28e5533f7ad0bff8f31b77a820ac54e1cc3f83ed5c1092d7d006908d06ddb799de73ae3ab99d6754f20ef53bca0ade34

memory/2464-26-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2464-29-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2464-31-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2464-27-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4560-32-0x00000000053D0000-0x00000000053F2000-memory.dmp

memory/1804-33-0x0000000074C10000-0x00000000753C0000-memory.dmp

memory/976-34-0x0000000005690000-0x00000000056F6000-memory.dmp

memory/976-35-0x0000000005EC0000-0x0000000005F26000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mmxdo31o.vbz.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\3582-490\PO0130717.exe

MD5 d9861436812dcd12d184cc62640e9261
SHA1 2174e40f48b48311edbc22b285aed597d12d8edd
SHA256 bd0188dd00359c6e23c9486155b0a87051584f3e8ba11339e73b2e0029dcfeb8
SHA512 db4ad376082d47f5ab496252a3448f9e76c42b4becab3d9b30034d779c7bc0e0d3a027f2412752e69b23e4de90af0e32cfcb286c8743450e3e016dd6f67bcee6

C:\odt\OFFICE~1.EXE

MD5 4c1baa508327445cb939e1a7a8fadb4f
SHA1 8b5dbc68216a9c7dce0eab52240d661fbd44942f
SHA256 fae835159be37b0355d733b5d8572cea27f5f3e85b5798dd8b38b65b4f980c16
SHA512 a818189c36b85baf82b1a4fac484d4d45f4bbd4b6d6e8c9166e7a1f5105b55b457302031bb360239c04b40ea658f9ba37922f3924c358afd0c8f417b43ed42c1

memory/4560-64-0x0000000005E60000-0x00000000061B4000-memory.dmp

memory/4560-65-0x0000000006310000-0x000000000632E000-memory.dmp

memory/976-66-0x0000000006530000-0x000000000657C000-memory.dmp

memory/976-67-0x0000000074C10000-0x00000000753C0000-memory.dmp

memory/976-69-0x00000000051E0000-0x00000000051F0000-memory.dmp

memory/976-68-0x00000000051E0000-0x00000000051F0000-memory.dmp

memory/4560-70-0x0000000074C10000-0x00000000753C0000-memory.dmp

memory/976-71-0x00000000051E0000-0x00000000051F0000-memory.dmp

memory/4560-72-0x0000000004D60000-0x0000000004D70000-memory.dmp

memory/976-73-0x000000007F510000-0x000000007F520000-memory.dmp

memory/4560-74-0x0000000006960000-0x0000000006992000-memory.dmp

memory/976-75-0x0000000071050000-0x000000007109C000-memory.dmp

memory/4560-76-0x0000000071050000-0x000000007109C000-memory.dmp

memory/4560-95-0x0000000006940000-0x000000000695E000-memory.dmp

memory/4560-96-0x00000000073F0000-0x0000000007493000-memory.dmp

memory/976-97-0x0000000007EC0000-0x000000000853A000-memory.dmp

memory/976-98-0x0000000007870000-0x000000000788A000-memory.dmp

memory/4560-99-0x0000000004D60000-0x0000000004D70000-memory.dmp

memory/4560-100-0x0000000007710000-0x000000000771A000-memory.dmp

memory/976-102-0x0000000007B10000-0x0000000007BA6000-memory.dmp

memory/2464-101-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4560-103-0x00000000078A0000-0x00000000078B1000-memory.dmp

memory/4560-104-0x00000000078D0000-0x00000000078DE000-memory.dmp

memory/976-105-0x0000000007AB0000-0x0000000007AC4000-memory.dmp

memory/976-106-0x0000000007BB0000-0x0000000007BCA000-memory.dmp

memory/4560-107-0x0000000007920000-0x0000000007928000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d3b91d5dbeaa98b75c4ac0f2bc3b39df
SHA1 e0bcde70259cab76a0a379e34cdd0d8b6faf4e34
SHA256 a7db6f3814b3c1cdc246da9e063a2dd6ada5907e855dd81adae4d6b452e54000
SHA512 bb74c07e4b649fbc1f0c454411ace74ba6983d362abefad595a91d5966f3a18a615f0446a039845c894824b7af5f76ecaafdc0f1c6b14504cffe261363890647

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/4560-113-0x0000000074C10000-0x00000000753C0000-memory.dmp

memory/976-114-0x0000000074C10000-0x00000000753C0000-memory.dmp

C:\Users\Admin\AppData\Roaming\HIOUFX~1.EXE

MD5 a91dab24aa90fa6115cd9a6d496aef47
SHA1 f6713efef793510d67b672eb85e52582e02be38c
SHA256 179e9673e3cbfd035d528f744f3eb88c65583089bb78d744f2c380be3bf3540a
SHA512 99c00a94d63d316208b8fe3e1a247cd95662348d85e713080f6de8c5a496161f04a30b7a9373aa1ee62cc3fef25244cf735d70f84d10a0bfd87547f6dbe5adec