Malware Analysis Report

2024-11-16 12:14

Sample ID 240715-bc8rastbna
Target 5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8
SHA256 5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8
Tags
neshta execution persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8

Threat Level: Known bad

The file 5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8 was found to be: Known bad.

Malicious Activity Summary

neshta execution persistence spyware stealer

Neshta

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Reads user/profile data of web browsers

Loads dropped DLL

Modifies system executable filetype association

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Scheduled Task/Job: Scheduled Task

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-15 01:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-15 01:01

Reported

2024-07-15 01:03

Platform

win7-20240705-en

Max time kernel

117s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe"

Signatures

Neshta

persistence spyware neshta

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\OIS.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\misc.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wabmig.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\WMPDMC.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2940 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2940 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2940 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2940 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2940 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2940 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2940 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2940 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2940 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Windows\SysWOW64\schtasks.exe
PID 2940 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Windows\SysWOW64\schtasks.exe
PID 2940 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Windows\SysWOW64\schtasks.exe
PID 2940 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Windows\SysWOW64\schtasks.exe
PID 2940 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe
PID 2940 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe
PID 2940 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe
PID 2940 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe
PID 2940 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe
PID 2940 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe
PID 2940 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe
PID 2940 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe
PID 2940 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe
PID 2940 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe
PID 2940 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe
PID 2940 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe
PID 2940 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe
PID 2940 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe
PID 2940 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe
PID 2940 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe
PID 2940 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe
PID 2940 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe
PID 2940 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe
PID 2940 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe

"C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eiVfWxqyEFoV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2B83.tmp"

C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe

"C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe"

C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe

"C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe"

C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe

"C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe"

Network

N/A

Files

memory/2940-0-0x0000000073D0E000-0x0000000073D0F000-memory.dmp

memory/2940-1-0x0000000000930000-0x00000000009F8000-memory.dmp

memory/2940-2-0x0000000073D00000-0x00000000743EE000-memory.dmp

memory/2940-3-0x00000000004D0000-0x00000000004E2000-memory.dmp

memory/2940-4-0x00000000004F0000-0x00000000004F8000-memory.dmp

memory/2940-5-0x0000000000540000-0x000000000054E000-memory.dmp

memory/2940-6-0x0000000005040000-0x00000000050CE000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 a7381ccab7a782debe19089c38a3ba84
SHA1 fac07d61ea9acd4fcd57669f5c74a8e26d2d13e6
SHA256 53c2eb79820dc3df372120a2947005fafed2f7bf03ab3a07c5189035516e3206
SHA512 2cf16bbd6d555afa2ce38e82f90fdd096133223f0fd5629f989fc4e423abd0326f7d25398e85ef306d4443749c12cd6857c1c34687abd3b4cc1ddc4ed69a9e94

C:\Users\Admin\AppData\Local\Temp\tmp2B83.tmp

MD5 77256518507ff20ac444dd1e3085faf7
SHA1 d87197e3c60b7104cb2dab98436143b0520d726e
SHA256 83fcc43a114b74232fe9cc4cb0b57a557b5407329273a41e37ea63ac84ac3bc9
SHA512 82375e6c55af7ae6fce247c2cbad8b68d30e972d3a4e81b9040ae5d128bb5262b8b1d8432c4901d55edb367ae5871107cdf7bed320e9369ec89afe628c08ac16

memory/2768-19-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2768-34-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2768-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2768-35-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2768-31-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2768-29-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2768-27-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2768-25-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2768-23-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2768-21-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2940-39-0x0000000073D00000-0x00000000743EE000-memory.dmp

C:\Windows\svchost.com

MD5 96e2c09b65a50cbb7e356a424ed0b33e
SHA1 dfbb66c66cb04da9f84eb94c85b091b4df4d0dc8
SHA256 f78457214e117dbcd8ee7afa47360b82de3141e7771077c653d4b8e847697043
SHA512 93f724d9d49a6c4c764ddf3150c1ef5efab93ac415917cebab1766080d5b0a6cebd3f9b1b8b98861a44af68f5c8dc9bc3d67f85fec4506d0fce67d96b4ae646a

\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

MD5 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1 ec66cda99f44b62470c6930e5afda061579cde35
SHA256 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

C:\Users\Admin\AppData\Roaming\EIVFWX~1.EXE

MD5 0fecd3f4252bf58c46741b75fbeed3d2
SHA1 049b53abba916872ff512923decab15b077e52e5
SHA256 5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8
SHA512 0108e1cd8cf6be164977c7536bc65552cde03f9d82d5be8f597f95195aa3188a22da0d0d38d162a5a6c4aa5693ba8df7a3d24823d9a3dd1ab078d0798e983e31

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-15 01:01

Reported

2024-07-15 01:03

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe"

Signatures

Neshta

persistence spyware neshta

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MIA062~1.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13187~1.41\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~4.EXE C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 928 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 928 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 928 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 928 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 928 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 928 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 928 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Windows\SysWOW64\schtasks.exe
PID 928 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Windows\SysWOW64\schtasks.exe
PID 928 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Windows\SysWOW64\schtasks.exe
PID 928 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe
PID 928 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe
PID 928 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe
PID 928 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe
PID 928 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe
PID 928 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe
PID 928 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe
PID 928 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe
PID 928 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe
PID 928 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe
PID 928 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe
PID 928 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe
PID 928 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe
PID 928 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe

"C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eiVfWxqyEFoV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB863.tmp"

C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe

"C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe"

C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe

"C:\Users\Admin\AppData\Local\Temp\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\tmpB863.tmp

MD5 6bd29c23d4fd5216caf7ea08408d57b9
SHA1 06ff6ad6acba395c906be9e48f2d134eed11610d
SHA256 82344290366c3e080ec892e3bdd182fa153840c258a27e31fdff45ea6409442c
SHA512 a707ac8efc23cad42b32f25f2cd04f74559851aa08c3e7c10ae83fb3ed15381dd66859d3105d3382c7af2f24246eb023803a5783670d4e6602518b9884befb4c

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rauafjz4.qql.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\3582-490\5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8.exe

MD5 e103a54df0181beef0b0c886aa14b1c9
SHA1 2267229d7d14f1786be26f32ccd3ea5457628cba
SHA256 88e7bc60f163ebd944e422155a0ec359e4ed493342fe3a94324ae549e543d69a
SHA512 888a52985aa4a4e213b85b84a4141d45d07acedc0f5f761a33180cb51dd59b049710423041608622e36754efd5d904bcb4800c1df12ebc2379b6d86bf85fbf57

C:\Windows\svchost.com

MD5 96e2c09b65a50cbb7e356a424ed0b33e
SHA1 dfbb66c66cb04da9f84eb94c85b091b4df4d0dc8
SHA256 f78457214e117dbcd8ee7afa47360b82de3141e7771077c653d4b8e847697043
SHA512 93f724d9d49a6c4c764ddf3150c1ef5efab93ac415917cebab1766080d5b0a6cebd3f9b1b8b98861a44af68f5c8dc9bc3d67f85fec4506d0fce67d96b4ae646a

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f0360bff321ac84de74a95d5d093e841
SHA1 43b53aed3626eff8fbe95136f89bee780b01f489
SHA256 4bab5e4f88b0fe76bc49a2bfb2fa4de5a0c7b0f97800c8197a933db2b1d004d8
SHA512 402d54dfb616e20ffd0cfe319d9a788e7d23f6e45ccca955756d2e49e2b188d0de5ddde89ad73078030b24c9a2ed846ea501dc5f2c02a9c1990fe2a7492311db

C:\Users\Admin\AppData\Roaming\EIVFWX~1.EXE

MD5 0fecd3f4252bf58c46741b75fbeed3d2
SHA1 049b53abba916872ff512923decab15b077e52e5
SHA256 5ae5659de5b65e4f2c1352cfa09798c791c22a310e1aa438d0901c9eec501fc8
SHA512 0108e1cd8cf6be164977c7536bc65552cde03f9d82d5be8f597f95195aa3188a22da0d0d38d162a5a6c4aa5693ba8df7a3d24823d9a3dd1ab078d0798e983e31