Malware Analysis Report

2024-11-16 12:14

Sample ID: 240717-jbee3atela
Target: PO supplies 15 7 24.exe
SHA256: 08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e
Tags: neshta execution persistence spyware stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e

Threat Level: Known bad

The file PO supplies 15 7 24.exe was found to be: Known bad.

Malicious Activity Summary

neshta execution persistence spyware stealer

Neshta

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Modifies system executable filetype association

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-07-17 07:29

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-17 07:29

Reported: 2024-07-17 07:31

Platform: win7-20240708-en

Max time kernel: 119s

Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe"

Signatures

Neshta

persistence spyware neshta

Command and Scripting Interpreter: PowerShell

execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A

Modifies system executable filetype association

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2220 set thread context of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~1\wabmig.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\misc.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~1\wab.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\DISABL~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\OIS.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\WI54FB~1\WMPDMC.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\WI54FB~1\wmlaunch.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\WI54FB~1\wmpshare.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~4\ImagingDevices.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\INTERN~1\ieinstal.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\MOZILL~1\UNINST~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\WI54FB~1\wmprph.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\WI54FB~1\setup_wm.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2220 wrote to memory of 1172 | N/A | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 1172 | N/A | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 1172 | N/A | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 1172 | N/A | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2220 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2220 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2220 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2220 wrote to memory of 3048 | N/A | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe
PID 2220 wrote to memory of 3048 | N/A | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe
PID 2220 wrote to memory of 3048 | N/A | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe
PID 2220 wrote to memory of 3048 | N/A | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe
PID 2220 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe
PID 2220 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe
PID 2220 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe
PID 2220 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe
PID 2220 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe
PID 2220 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe
PID 2220 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe
PID 2220 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe
PID 2220 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe
PID 2220 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe
PID 2220 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe
PID 2220 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe

Processes

C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe

"C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QBloUDNxsti.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QBloUDNxsti" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5EF2.tmp"

C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe

"C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe"

C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe

"C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe"

Network

N/A

Files

memory/2220-0-0x000000007495E000-0x000000007495F000-memory.dmp

memory/2220-1-0x0000000000EE0000-0x0000000000F9C000-memory.dmp

memory/2220-2-0x0000000074950000-0x000000007503E000-memory.dmp

memory/2220-3-0x00000000007E0000-0x00000000007FA000-memory.dmp

memory/2220-4-0x0000000000A50000-0x0000000000A5E000-memory.dmp

memory/2220-5-0x0000000004D60000-0x0000000004DEE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp5EF2.tmp

MD5 88549359d42b704d5b3f01345f723b23
SHA1 26e7a0e6db865de62ca1c4a1706cdd43cb2a9c83
SHA256 c7338e8e0433f9b3f7b28fe26250a0b133c8bc5e6fc03c6a1ffba5dc7d680e44
SHA512 542a4542b1ae6ec82ecee5fa1561da65570699ad0262d5a67b414e9c7801097bbac8ea03489c4a46283ae6d9ae3772d8274a01fb3e894163459f7c4f43688aac

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 8e5b177180921e339ed15144da8c1505
SHA1 9d2f84a66db0f55610e6c44d1aa354abcfe7b519
SHA256 2c04eb4ed3d17512787366278a3500a1b0e7a890228c8ab9a6ae0846392433f4
SHA512 5cc45c69d99b0f6ec2b7524240086b924f52e3a995fc7e01f7d134fd7e93ac9394c76f66733f3362c40b9d6b70bc2d3f60589829dfbf44acc4f4ec07ea53ff8c

memory/2588-34-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2588-33-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2588-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2588-30-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2588-28-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2588-26-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2588-24-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2588-22-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2588-20-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2588-18-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2220-36-0x0000000074950000-0x000000007503E000-memory.dmp

C:\Windows\svchost.com

MD5 831ea2d64c8371b5fb5c293902f942dd
SHA1 41bda99a7dcda14fffc5297f77d73deccf7e52f9
SHA256 0be3fe232479bb98c0801b5b5279e6f0527d470cf93236c9cc8109dd8bf6b268
SHA512 eb195b26b63bff3102231be5fcef9e700b23af42485719c1b77e30b06efd7cfd2c170a46d756c38d8056f0a9fa12fd25564bf21a700238035f4d066afadc0b0a

\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

MD5 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1 ec66cda99f44b62470c6930e5afda061579cde35
SHA256 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

C:\Users\Admin\AppData\Roaming\QBLOUD~1.EXE

MD5 8c4507c84e866d7a0677244d94c439f6
SHA1 b7917d2630306f79444a473903c0170ce8e58abe
SHA256 08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e
SHA512 950b7452c9047f24baec92101973fd3d4fdfac7f81cc2208df2a20de46db43b54eb411fa48442df5cf963ba18286047490b920529906149a8e1d9a5605bf01e1

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-17 07:29

Reported: 2024-07-17 07:31

Platform: win10v2004-20240709-en

Max time kernel: 141s

Max time network: 127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe"

Signatures

Neshta

persistence spyware neshta

Command and Scripting Interpreter: PowerShell

execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A

Modifies system executable filetype association

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 5072 set thread context of 4496 | N/A | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~4\wmplayer.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\INTERN~1\ExtExport.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~4\wmpconfig.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13187~1.41\MICROS~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~2\wabmig.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MI391D~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MI9C33~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~4\wmlaunch.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~2\wab.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\DISABL~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~3.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~4\setup_wm.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~4\wmprph.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~4\wmpshare.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\INTERN~1\ieinstal.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\WI8A19~1\ImagingDevices.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~2.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\MOZILL~1\UNINST~1.EXE | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 5072 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5072 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5072 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5072 wrote to memory of 3308 | N/A | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5072 wrote to memory of 3308 | N/A | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5072 wrote to memory of 3308 | N/A | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5072 wrote to memory of 4868 | N/A | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | C:\Windows\SysWOW64\schtasks.exe
PID 5072 wrote to memory of 4868 | N/A | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | C:\Windows\SysWOW64\schtasks.exe
PID 5072 wrote to memory of 4868 | N/A | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | C:\Windows\SysWOW64\schtasks.exe
PID 5072 wrote to memory of 4496 | N/A | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe
PID 5072 wrote to memory of 4496 | N/A | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe
PID 5072 wrote to memory of 4496 | N/A | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe
PID 5072 wrote to memory of 4496 | N/A | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe
PID 5072 wrote to memory of 4496 | N/A | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe
PID 5072 wrote to memory of 4496 | N/A | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe | C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe
PID 5072 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe
PID 5072 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe
PID 5072 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe
PID 5072 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe
PID 5072 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe

Processes

C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe

"C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QBloUDNxsti.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QBloUDNxsti" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB788.tmp"

C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe

"C:\Users\Admin\AppData\Local\Temp\PO supplies 15 7 24.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y11mofsz.5ya.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\tmpB788.tmp

MD5 19c2e4bf3a5d68bb54f2d7a6b88f53aa
SHA1 73c082cf43d143bc5813f336b3a03e4a9edc2511
SHA256 b9348136664f3b5a79442643a86a13622cbc536dec22c735ddd7118a0fc41180
SHA512 fb6812b577d6b2ed500717ab456ac4ec9ebbd7b10a1c756b05456c422aa06261708731b13ae52744d0d5978863fd1ea1149248e77e5075c88605c075f0bbc0f8

C:\Users\Admin\AppData\Local\Temp\3582-490\PO supplies 15 7 24.exe

MD5 ae303747897daf45e48698d2ae593960
SHA1 b9349e9bf97e84e1490450a6a71f364a8a18ba40
SHA256 6ad9d05e2f8ab4b9050da219cc18aef707fd79ff7ee6e108bfb5f1d262c26dbb
SHA512 6386c4b064a957481a52faf153fc93af4029f2ade078656a359a8e0398c0329df6a903062a16868dc69efb06489af61a52aeccea4958402ddf46315f0b6ff16b

C:\Windows\svchost.com

MD5 831ea2d64c8371b5fb5c293902f942dd
SHA1 41bda99a7dcda14fffc5297f77d73deccf7e52f9
SHA256 0be3fe232479bb98c0801b5b5279e6f0527d470cf93236c9cc8109dd8bf6b268
SHA512 eb195b26b63bff3102231be5fcef9e700b23af42485719c1b77e30b06efd7cfd2c170a46d756c38d8056f0a9fa12fd25564bf21a700238035f4d066afadc0b0a

C:\Users\Admin\AppData\Roaming\QBLOUD~1.EXE

MD5 8c4507c84e866d7a0677244d94c439f6
SHA1 b7917d2630306f79444a473903c0170ce8e58abe
SHA256 08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e
SHA512 950b7452c9047f24baec92101973fd3d4fdfac7f81cc2208df2a20de46db43b54eb411fa48442df5cf963ba18286047490b920529906149a8e1d9a5605bf01e1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3e2dcc978169d44492dab1a94c1597ba
SHA1 4b91ebbb3bc3f03ff7838ef7946a5dc73066e4d8
SHA256 9268d70356dac40fef747421e5c07802d9f65bc9b1e8caabd5b32a7d00d2b3f2
SHA512 f5f0ae60b92e7f668a3116d2ceb8e6a968b6c9914f33c879d082f94be8aad9ed13f61472389ca3f1caea2e9ab3b714e3b9c952a1d494093df295be8a4bd56398