Malware Analysis Report

2024-11-30 21:54

Sample ID 230207-aw5y3sgf64
Target 9034968482.zip
SHA256 f78bda643bc02054908c347ed64d7244d6da34cd8798aadf6e01313c8803c5bb
Tags
purecrypter downloader loader agenttesla keylogger persistence spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

f78bda643bc02054908c347ed64d7244d6da34cd8798aadf6e01313c8803c5bb

Threat Level: Known bad

The file 9034968482.zip was found to be: Known bad.

Malicious Activity Summary

purecrypter downloader loader agenttesla keylogger persistence spyware stealer trojan

AgentTesla

PureCrypter

AgentTesla payload

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-02-07 00:35

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-07 00:34

Reported

2023-02-07 00:41

Platform

win7-20220901-en

Max time kernel

39s

Max time network

49s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5d649c5aa230376f1a08074aee91129b8031606856e9b4b6c6d0387f35f6629d.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\5d649c5aa230376f1a08074aee91129b8031606856e9b4b6c6d0387f35f6629d.exe

"C:\Users\Admin\AppData\Local\Temp\5d649c5aa230376f1a08074aee91129b8031606856e9b4b6c6d0387f35f6629d.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 1208

Network

Country Destination Domain Proto
US 8.8.8.8:53 justnormalsite.ddns.net udp
NL 185.238.3.212:80 justnormalsite.ddns.net tcp
NL 185.238.3.212:80 justnormalsite.ddns.net tcp
NL 185.238.3.212:80 justnormalsite.ddns.net tcp
NL 185.238.3.212:80 justnormalsite.ddns.net tcp
NL 185.238.3.212:80 justnormalsite.ddns.net tcp

Files

memory/1724-54-0x0000000001150000-0x0000000001174000-memory.dmp

memory/1724-55-0x0000000075111000-0x0000000075113000-memory.dmp

memory/748-56-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-02-07 00:34

Reported

2023-02-07 00:40

Platform

win10v2004-20220812-en

Max time kernel

98s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5d649c5aa230376f1a08074aee91129b8031606856e9b4b6c6d0387f35f6629d.exe"

Signatures

PureCrypter

loader downloader purecrypter

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5d649c5aa230376f1a08074aee91129b8031606856e9b4b6c6d0387f35f6629d.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5d649c5aa230376f1a08074aee91129b8031606856e9b4b6c6d0387f35f6629d.exe

"C:\Users\Admin\AppData\Local\Temp\5d649c5aa230376f1a08074aee91129b8031606856e9b4b6c6d0387f35f6629d.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1388 -ip 1388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 1696

Network

Country Destination Domain Proto
US 93.184.220.29:80 N/A tcp
US 8.8.8.8:53 justnormalsite.ddns.net udp
NL 185.238.3.212:80 justnormalsite.ddns.net tcp
NL 185.238.3.212:80 justnormalsite.ddns.net tcp
NL 185.238.3.212:80 justnormalsite.ddns.net tcp
NL 185.238.3.212:80 justnormalsite.ddns.net tcp
NL 185.238.3.212:80 justnormalsite.ddns.net tcp
US 52.168.112.66:443 N/A tcp
US 8.252.51.254:80 N/A tcp
NL 104.80.225.205:443 N/A tcp

Files

memory/1388-132-0x0000000000040000-0x0000000000064000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2023-02-07 00:34

Reported

2023-02-07 00:40

Platform

win7-20221111-en

Max time kernel

27s

Max time network

33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a7c006a79a6ded6b1cb39a71183123dcaaaa21ea2684a8f199f27e16fcb30e8e.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\a7c006a79a6ded6b1cb39a71183123dcaaaa21ea2684a8f199f27e16fcb30e8e.exe

"C:\Users\Admin\AppData\Local\Temp\a7c006a79a6ded6b1cb39a71183123dcaaaa21ea2684a8f199f27e16fcb30e8e.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 1192

Network

Country Destination Domain Proto
US 8.8.8.8:53 justnormalsite.ddns.net udp
NL 185.238.3.212:80 justnormalsite.ddns.net tcp
NL 185.238.3.212:80 justnormalsite.ddns.net tcp
NL 185.238.3.212:80 justnormalsite.ddns.net tcp
NL 185.238.3.212:80 justnormalsite.ddns.net tcp
NL 185.238.3.212:80 justnormalsite.ddns.net tcp

Files

memory/1256-54-0x0000000000930000-0x0000000000938000-memory.dmp

memory/1256-55-0x0000000076531000-0x0000000076533000-memory.dmp

memory/1164-56-0x0000000000000000-mapping.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2023-02-07 00:34

Reported

2023-02-07 00:40

Platform

win10v2004-20220812-en

Max time kernel

87s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a7c006a79a6ded6b1cb39a71183123dcaaaa21ea2684a8f199f27e16fcb30e8e.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a7c006a79a6ded6b1cb39a71183123dcaaaa21ea2684a8f199f27e16fcb30e8e.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a7c006a79a6ded6b1cb39a71183123dcaaaa21ea2684a8f199f27e16fcb30e8e.exe

"C:\Users\Admin\AppData\Local\Temp\a7c006a79a6ded6b1cb39a71183123dcaaaa21ea2684a8f199f27e16fcb30e8e.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3172 -ip 3172

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 1696

Network

Country Destination Domain Proto
US 8.8.8.8:53 justnormalsite.ddns.net udp
NL 185.238.3.212:80 justnormalsite.ddns.net tcp
NL 185.238.3.212:80 justnormalsite.ddns.net tcp
NL 185.238.3.212:80 justnormalsite.ddns.net tcp
NL 185.238.3.212:80 justnormalsite.ddns.net tcp
NL 185.238.3.212:80 justnormalsite.ddns.net tcp
US 20.44.10.122:443 N/A tcp
NL 8.238.21.126:80 N/A tcp
NL 8.238.21.126:80 N/A tcp
NL 8.238.21.126:80 N/A tcp
US 8.8.8.8:53 15.89.54.20.in-addr.arpa udp

Files

memory/3172-132-0x0000000000760000-0x0000000000768000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2023-02-07 00:34

Reported

2023-02-07 00:40

Platform

win7-20220901-en

Max time kernel

126s

Max time network

48s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftSoftware = "\"C:\\Users\\Admin\\AppData\\Roaming\\Updates\\MicrosoftSoftware.exe\"" C:\Users\Admin\AppData\Local\Temp\c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1252 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1252 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1252 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1252 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1252 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe C:\Windows\SysWOW64\cmd.exe
PID 1252 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe C:\Windows\SysWOW64\cmd.exe
PID 1252 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe C:\Windows\SysWOW64\cmd.exe
PID 1252 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1436 wrote to memory of 956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1436 wrote to memory of 956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1436 wrote to memory of 956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1252 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1252 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1252 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1252 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1252 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1252 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1252 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1252 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1252 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1252 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1252 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1252 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe

"C:\Users\Admin\AppData\Local\Temp\c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANgAwAA==

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 justnormalsite.ddns.net udp
NL 185.238.3.212:80 justnormalsite.ddns.net tcp

Files

memory/1252-54-0x0000000001100000-0x0000000001122000-memory.dmp

memory/1252-55-0x0000000075931000-0x0000000075933000-memory.dmp

memory/1252-56-0x0000000005D10000-0x0000000005DC6000-memory.dmp

memory/1252-57-0x00000000003C0000-0x00000000003DE000-memory.dmp

memory/516-58-0x0000000000000000-mapping.dmp

memory/516-60-0x000000006ED10000-0x000000006F2BB000-memory.dmp

memory/516-61-0x000000006ED10000-0x000000006F2BB000-memory.dmp

memory/516-62-0x000000006ED10000-0x000000006F2BB000-memory.dmp

memory/1436-63-0x0000000000000000-mapping.dmp

memory/956-64-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 ec2465ea8b778efc1cfdbdcaad8deda2
SHA1 7eead64d9b54ef7d098f08679c43175602600765
SHA256 d3cfc262f0d708a297058d6f948b71c5c7623fd6d70e886d188c5ab1bdc7c14b
SHA512 f4a3ef178f44a61af0991a4a8a93bfa7219c6a6a4006acc4218d4f63fe78b18be0b84cb8b840a095f7bdd6bb8c68cdd7958aec5c2502154c20cd8644da656ea1

memory/956-67-0x000000006ECF0000-0x000000006F29B000-memory.dmp

memory/1852-68-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1852-69-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1852-71-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1852-73-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1852-72-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1852-74-0x00000000004374CE-mapping.dmp

memory/1852-76-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1852-78-0x0000000000400000-0x000000000043C000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2023-02-07 00:34

Reported

2023-02-07 00:40

Platform

win10v2004-20220812-en

Max time kernel

108s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftSoftware = "\"C:\\Users\\Admin\\AppData\\Roaming\\Updates\\MicrosoftSoftware.exe\"" C:\Users\Admin\AppData\Local\Temp\c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1060 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1060 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1060 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1060 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe C:\Windows\SysWOW64\cmd.exe
PID 1060 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe C:\Windows\SysWOW64\cmd.exe
PID 1060 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe C:\Windows\SysWOW64\cmd.exe
PID 1512 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1512 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1512 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1060 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1060 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1060 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1060 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1060 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1060 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1060 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1060 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe

"C:\Users\Admin\AppData\Local\Temp\c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANgAwAA==

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 justnormalsite.ddns.net udp
NL 185.238.3.212:80 justnormalsite.ddns.net tcp
US 93.184.220.29:80 N/A tcp
US 93.184.220.29:80 N/A tcp
US 93.184.221.240:80 N/A tcp
US 52.182.143.210:443 N/A tcp

Files

memory/1060-132-0x0000000000230000-0x0000000000252000-memory.dmp

memory/1060-133-0x0000000005FB0000-0x0000000005FD2000-memory.dmp

memory/4224-134-0x0000000000000000-mapping.dmp

memory/4224-135-0x0000000002F80000-0x0000000002FB6000-memory.dmp

memory/4224-136-0x0000000005A10000-0x0000000006038000-memory.dmp

memory/4224-137-0x00000000057F0000-0x0000000005856000-memory.dmp

memory/4224-138-0x00000000058D0000-0x0000000005936000-memory.dmp

memory/4224-139-0x0000000006570000-0x000000000658E000-memory.dmp

memory/4224-140-0x0000000007BB0000-0x000000000822A000-memory.dmp

memory/4224-141-0x0000000006A80000-0x0000000006A9A000-memory.dmp

memory/1512-142-0x0000000000000000-mapping.dmp

memory/2740-143-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 4280e36a29fa31c01e4d8b2ba726a0d8
SHA1 c485c2c9ce0a99747b18d899b71dfa9a64dabe32
SHA256 e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359
SHA512 494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0e351a4a51817d643e795ba5d308ed35
SHA1 111d74f25fa60f74a99e7ccd91a3b0e1c130732e
SHA256 7759a6d7ab88a49e722f987bd8b779234a1887fb90c81063e7fb2d6b5b072869
SHA512 ae352993b955ef38e3ea01a7eaa7199bfbecfa25acfcb175627efc4623fc478d1283f9cb04939cf0fbe948c08a5aae931ff6c113e713c93aa9a0bdbda9d269cc

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 06ad34f9739c5159b4d92d702545bd49
SHA1 9152a0d4f153f3f40f7e606be75f81b582ee0c17
SHA256 474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
SHA512 c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

memory/4184-147-0x0000000000000000-mapping.dmp

memory/4184-148-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4184-149-0x0000000005810000-0x0000000005DB4000-memory.dmp

memory/4184-150-0x00000000050F0000-0x0000000005182000-memory.dmp

memory/2740-151-0x0000000006F50000-0x0000000006F82000-memory.dmp

memory/2740-152-0x000000006F4F0000-0x000000006F53C000-memory.dmp

memory/2740-154-0x0000000006EF0000-0x0000000006F0E000-memory.dmp

memory/4184-153-0x0000000005360000-0x00000000053FC000-memory.dmp

memory/2740-155-0x0000000007D00000-0x0000000007D0A000-memory.dmp

memory/2740-156-0x0000000007F50000-0x0000000007FE6000-memory.dmp

memory/2740-157-0x00000000067D0000-0x00000000067DE000-memory.dmp

memory/2740-158-0x0000000007EB0000-0x0000000007ECA000-memory.dmp

memory/2740-159-0x0000000007E90000-0x0000000007E98000-memory.dmp