Malware Analysis Report

2024-11-16 12:13

Sample ID 240723-bjersszajr
Target 3d0ef1a1e637e67c42cac19231df8b0d4d29b04a8c0ed39cde74e327cec9a663
SHA256 3d0ef1a1e637e67c42cac19231df8b0d4d29b04a8c0ed39cde74e327cec9a663
Tags
neshta execution persistence spyware stealer
score
10/10


Analysis Overview

score
10/10

SHA256

3d0ef1a1e637e67c42cac19231df8b0d4d29b04a8c0ed39cde74e327cec9a663

Threat Level: Known bad

The file 3d0ef1a1e637e67c42cac19231df8b0d4d29b04a8c0ed39cde74e327cec9a663 was found to be: Known bad.

Malicious Activity Summary

neshta execution persistence spyware stealer

Neshta

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Modifies system executable filetype association

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-23 01:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-23 01:10

Reported

2024-07-23 01:12

Platform

win7-20240704-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\image001.exe"

Signatures

Neshta

persistence spyware neshta

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\image001.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\image001.exe N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 332 set thread context of 2856 N/A C:\Users\Admin\AppData\Local\Temp\image001.exe C:\Users\Admin\AppData\Local\Temp\image001.exe

Drops file in Program Files directory


Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\image001.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\image001.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\image001.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 332 wrote to memory of 1864 (4 identical events) N/A C:\Users\Admin\AppData\Local\Temp\image001.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 332 wrote to memory of 2688 (4 identical events) N/A C:\Users\Admin\AppData\Local\Temp\image001.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 332 wrote to memory of 2812 (4 identical events) N/A C:\Users\Admin\AppData\Local\Temp\image001.exe C:\Windows\SysWOW64\schtasks.exe
PID 332 wrote to memory of 2856 (12 identical events) N/A C:\Users\Admin\AppData\Local\Temp\image001.exe C:\Users\Admin\AppData\Local\Temp\image001.exe

Processes

C:\Users\Admin\AppData\Local\Temp\image001.exe

"C:\Users\Admin\AppData\Local\Temp\image001.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\image001.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\qwyxUYwZbCeXJ.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qwyxUYwZbCeXJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2118.tmp"

C:\Users\Admin\AppData\Local\Temp\image001.exe

"C:\Users\Admin\AppData\Local\Temp\image001.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 8f9ca853e4480259bd938f9a097a2cfc
SHA1 6157af149eee4c33d2ae13183d396f393a440b9e
SHA256 a3251514f4bd29e70e25720738d5a5a0756b253d567215c49fad225af08077b3
SHA512 ba1a411a9830b9212686be88075525caa684ffb21d7178c0c0d68f2766905ff8f65f9bb7c1852d8fe748af753f76ff2fcb35d0df2ce26e123c0b206ac7a299b3

C:\Users\Admin\AppData\Local\Temp\tmp2118.tmp

MD5 8a2b4ca554468c17f28317c37e1b99a1
SHA1 c3cccab7c7489fa0527717df9d1b3c20ac992a49
SHA256 1f5bdc306c4016789e9ec51db53ec4ae9f068f4f2f99f2e72fcf705306fd2dfc
SHA512 3249f5876fd3daa0737f2f2c284b8fc8139d9e46cb46e1d7e6b9f89f613eb75bdce4fd075467e432befd12c48ad66d3bfbc89b7e1ec43c2faa7d93cccb961df1

C:\Windows\svchost.com

MD5 a84134e51db793d68b3b1a8718eb3b32
SHA1 0ff8ae348f19210799b74168610771d019e6ac26
SHA256 88a5de78b70d1164451d38d1415bbba1e374ffca345c089701e6a750212960f6
SHA512 49bb49e190f435708fb2cc8461eace217d883a202a157f812b4277afb582a47db9944abaf7313d909958bfa0b40ee57fbacb844327eeab46ba0b5b4d37b15ec8

\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

MD5 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1 ec66cda99f44b62470c6930e5afda061579cde35
SHA256 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

C:\Users\Admin\AppData\Roaming\QWYXUY~1.EXE

MD5 31c87737ea27257492b80ffe38db4a02
SHA1 202620c58aee7e3d873f344196fa43c5ad863baf
SHA256 16ecf712d513d305e40994ad4cdc51cc5b9be0f5f7067c543f00875973bc0a31
SHA512 f50ee3c56f7f498fb54c501201bda1640bb7b9e7476dc896b2c19a7706b0f132bae808b4a312c0c401a1b8e58058b7255cc2ed9026b19a7a561f3168d85dbec9

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-23 01:10

Reported

2024-07-23 01:13

Platform

win10v2004-20240709-en

Max time kernel

137s

Max time network

107s

Command Line

"C:\Users\Admin\AppData\Local\Temp\image001.exe"

Signatures

Neshta

persistence spyware neshta

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\image001.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\image001.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\image001.exe N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4816 set thread context of 4352 N/A C:\Users\Admin\AppData\Local\Temp\image001.exe C:\Users\Admin\AppData\Local\Temp\image001.exe

Drops file in Program Files directory


Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\image001.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\image001.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\image001.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4816 wrote to memory of 1204 (3 identical events) N/A C:\Users\Admin\AppData\Local\Temp\image001.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4816 wrote to memory of 2536 (3 identical events) N/A C:\Users\Admin\AppData\Local\Temp\image001.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4816 wrote to memory of 64 (3 identical events) N/A C:\Users\Admin\AppData\Local\Temp\image001.exe C:\Windows\SysWOW64\schtasks.exe
PID 4816 wrote to memory of 1132 (3 identical events) N/A C:\Users\Admin\AppData\Local\Temp\image001.exe C:\Users\Admin\AppData\Local\Temp\image001.exe
PID 4816 wrote to memory of 4352 (11 identical events) N/A C:\Users\Admin\AppData\Local\Temp\image001.exe C:\Users\Admin\AppData\Local\Temp\image001.exe

Processes

C:\Users\Admin\AppData\Local\Temp\image001.exe

"C:\Users\Admin\AppData\Local\Temp\image001.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\image001.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\qwyxUYwZbCeXJ.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qwyxUYwZbCeXJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF2EB.tmp"

C:\Users\Admin\AppData\Local\Temp\image001.exe

"C:\Users\Admin\AppData\Local\Temp\image001.exe"

C:\Users\Admin\AppData\Local\Temp\image001.exe

"C:\Users\Admin\AppData\Local\Temp\image001.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

memory/4816-0-0x00000000747CE000-0x00000000747CF000-memory.dmp

memory/4816-1-0x0000000000FD0000-0x0000000001094000-memory.dmp

memory/4816-2-0x00000000060E0000-0x0000000006684000-memory.dmp

memory/4816-3-0x0000000005B30000-0x0000000005BC2000-memory.dmp

memory/4816-4-0x0000000005AB0000-0x0000000005ABA000-memory.dmp

memory/4816-5-0x00000000747C0000-0x0000000074F70000-memory.dmp

memory/4816-6-0x0000000005E00000-0x0000000005E9C000-memory.dmp

memory/4816-7-0x0000000008850000-0x0000000008860000-memory.dmp

memory/4816-8-0x0000000006D90000-0x0000000006D9E000-memory.dmp

memory/4816-9-0x0000000006DD0000-0x0000000006E5E000-memory.dmp

memory/1204-14-0x0000000002EC0000-0x0000000002EF6000-memory.dmp

memory/1204-15-0x0000000005A60000-0x0000000006088000-memory.dmp

memory/1204-16-0x00000000747C0000-0x0000000074F70000-memory.dmp

memory/1204-18-0x0000000005720000-0x0000000005742000-memory.dmp

memory/2536-19-0x0000000005350000-0x00000000053B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpF2EB.tmp

MD5 3b0ca8262bd10ceb95a5c6e3607e6df5
SHA1 07987d58f031301353a3a0d40709aa42f32dabf9
SHA256 8913eedeae091e8951416759ca6ac52f3496be0afa95012a42e0fc69e3cbc4d0
SHA512 a81944d1db5e7a7549b13cb945eb1c6952f16d5a4919c214adc2098e73f7bc75571a9c01c753bd3b41dd5c51996425115ba9a7f90f3b01b11fd1ffd27f2ca8ba

memory/1204-20-0x0000000005830000-0x0000000005896000-memory.dmp

memory/1204-17-0x00000000747C0000-0x0000000074F70000-memory.dmp

memory/2536-22-0x00000000747C0000-0x0000000074F70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bumaexfm.ulv.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4352-45-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4352-46-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2536-48-0x00000000747C0000-0x0000000074F70000-memory.dmp

memory/1204-44-0x00000000747C0000-0x0000000074F70000-memory.dmp

memory/4816-41-0x00000000747CE000-0x00000000747CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3582-490\image001.exe

MD5 eab1cbc9e7da6d32d557dfc901918f72
SHA1 c8c710ccda27bbf5f82b36aa387c1c8a9f14b5d2
SHA256 9343e70417d6d5d6db49c9fa263337c953183ec07f3ee524a43e6d3976cf5dd3
SHA512 aca29afd5a5fb66aa9d4facd5d4bd6fe5b20ae2ac6987fc998ae28407cb6f2983071a1ba0d831baaa72c5a0df0a319065bd08f6c71e3baa993f183f5edd9ceb2

memory/2536-40-0x00000000747C0000-0x0000000074F70000-memory.dmp

C:\Windows\svchost.com

MD5 a84134e51db793d68b3b1a8718eb3b32
SHA1 0ff8ae348f19210799b74168610771d019e6ac26
SHA256 88a5de78b70d1164451d38d1415bbba1e374ffca345c089701e6a750212960f6
SHA512 49bb49e190f435708fb2cc8461eace217d883a202a157f812b4277afb582a47db9944abaf7313d909958bfa0b40ee57fbacb844327eeab46ba0b5b4d37b15ec8

memory/1204-42-0x0000000006190000-0x00000000064E4000-memory.dmp

memory/4816-61-0x00000000747C0000-0x0000000074F70000-memory.dmp

memory/1204-62-0x00000000068C0000-0x000000000690C000-memory.dmp

memory/1204-60-0x00000000067F0000-0x000000000680E000-memory.dmp

memory/1204-64-0x0000000070D20000-0x0000000070D6C000-memory.dmp

memory/1204-63-0x00000000079A0000-0x00000000079D2000-memory.dmp

memory/1204-74-0x0000000006DD0000-0x0000000006DEE000-memory.dmp

memory/1204-75-0x00000000079E0000-0x0000000007A83000-memory.dmp

memory/1204-76-0x0000000008160000-0x00000000087DA000-memory.dmp

memory/1204-77-0x0000000007B10000-0x0000000007B2A000-memory.dmp

memory/2536-79-0x0000000070D20000-0x0000000070D6C000-memory.dmp

memory/1204-99-0x0000000007B80000-0x0000000007B8A000-memory.dmp

memory/1204-103-0x0000000007D90000-0x0000000007E26000-memory.dmp

memory/1204-104-0x0000000007D10000-0x0000000007D21000-memory.dmp

memory/1204-133-0x0000000007D40000-0x0000000007D4E000-memory.dmp

memory/1204-140-0x0000000007D50000-0x0000000007D64000-memory.dmp

memory/1204-150-0x0000000007E50000-0x0000000007E6A000-memory.dmp

memory/1204-151-0x0000000007E30000-0x0000000007E38000-memory.dmp

memory/1204-169-0x00000000747C0000-0x0000000074F70000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 848d89ad9c658f8b2d26d53fdb2a132b
SHA1 438b8c0eca827d07cc11dc990f7c9344a2fe4943
SHA256 c32d7d1d2ccb84a9a9a6db165b9ac0447d9cfbd2d55e8a25f6fa52462e44683b
SHA512 f96d7f45a4805bb4adc3636da7ed71647641d73dc9eaaa359a35ef23f535a87b0d511666a012c6ff59ff40457ceb408a931e80bcedcb84ab3991fcc9720ffd2f

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Roaming\QWYXUY~1.EXE

MD5 31c87737ea27257492b80ffe38db4a02
SHA1 202620c58aee7e3d873f344196fa43c5ad863baf
SHA256 16ecf712d513d305e40994ad4cdc51cc5b9be0f5f7067c543f00875973bc0a31
SHA512 f50ee3c56f7f498fb54c501201bda1640bb7b9e7476dc896b2c19a7706b0f132bae808b4a312c0c401a1b8e58058b7255cc2ed9026b19a7a561f3168d85dbec9

memory/2536-176-0x00000000747C0000-0x0000000074F70000-memory.dmp