Malware Analysis Report

2024-09-22 21:50

Sample ID 240201-j7m23shcel
Target 8663ed0caec9adcb980a4a7ea23e7984
SHA256 bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750
Tags oski infostealer spyware stealer
Score 10/10

Analysis Overview

Score 10/10

SHA256

bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750

Threat Level: Known bad

The file 8663ed0caec9adcb980a4a7ea23e7984 was found to be: Known bad.

Malicious Activity Summary

oski infostealer spyware stealer

Oski

Checks computer location settings

Reads user/profile data of web browsers

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-02-01 08:18

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-01 08:18

Reported

2024-02-01 08:21

Platform

win7-20231215-en

Max time kernel

119s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe"

Signatures

Oski

infostealer oski

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2064 set thread context of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2064 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2064 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2064 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2064 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2064 wrote to memory of 1152 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2064 wrote to memory of 1152 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2064 wrote to memory of 1152 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2064 wrote to memory of 1152 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2064 wrote to memory of 2292 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2064 wrote to memory of 2292 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2064 wrote to memory of 2292 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2064 wrote to memory of 2292 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2064 wrote to memory of 2908 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2064 wrote to memory of 2908 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2064 wrote to memory of 2908 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2064 wrote to memory of 2908 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2064 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2064 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2064 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2064 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2064 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2064 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2064 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2064 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2064 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2064 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2064 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2064 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2064 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2064 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2944 wrote to memory of 268 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2944 wrote to memory of 268 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2944 wrote to memory of 268 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2944 wrote to memory of 268 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe

"C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ImauUieIe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ImauUieIe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp11A.tmp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ImauUieIe.exe"

C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe

"C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe"

C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe

"C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 112

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\tmp11A.tmp

MD5 54fa8bc5bbafc3584dbfa158d162cd17
SHA1 f821b3a2bc1eca5d0b168a0adb74ccb4ab91647c
SHA256 98cfd9fea95710566df443a797c3b2194c2ba2bb3538993bc655aaf7737d5eca
SHA512 74ee2b117a814ea4b75bee425a9c6cb9d894c3831584c9625c5a4e7ea936444f4b40114a3317384e3c7f85feaad39e3e9e20804674cef42b50e2988f0cba4b18

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1F5MMQFBI360BKZ38KLI.temp

MD5 4f1ce12a4b1dafd88533a8e9ff43a54b
SHA1 4e026cbc27aa930e04e8f0393802959b79e4341d
SHA256 cbfadc2117af87deca05322c52a9e0a0537a0b3c2c739f98feb2de88fb6e9850
SHA512 48dc884b1dc9691d9a0affbe2e5976ebf61d6d4012ac34d5af716e932dd7bcd1fef2a32498d75a7667d6c1a355bd968423221201e44569a6799a7650c593027c

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-01 08:18

Reported

2024-02-01 08:21

Platform

win10v2004-20231215-en

Max time kernel

90s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe"

Signatures

Oski

infostealer oski

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2368 set thread context of 3808 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2368 wrote to memory of 3612 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2368 wrote to memory of 3612 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2368 wrote to memory of 3612 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2368 wrote to memory of 388 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2368 wrote to memory of 388 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2368 wrote to memory of 388 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2368 wrote to memory of 4192 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2368 wrote to memory of 4192 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2368 wrote to memory of 4192 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2368 wrote to memory of 4524 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2368 wrote to memory of 4524 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2368 wrote to memory of 4524 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2368 wrote to memory of 3576 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2368 wrote to memory of 3576 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2368 wrote to memory of 3576 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2368 wrote to memory of 3808 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2368 wrote to memory of 3808 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2368 wrote to memory of 3808 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2368 wrote to memory of 3808 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2368 wrote to memory of 3808 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2368 wrote to memory of 3808 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2368 wrote to memory of 3808 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2368 wrote to memory of 3808 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2368 wrote to memory of 3808 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe

"C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ImauUieIe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ImauUieIe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF48.tmp"

C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe

"C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe"

C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe

"C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ImauUieIe.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3808 -ip 3808

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 1328

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 17.53.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
NL | 52.142.223.178:80 | N/A | tcp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | fine.le-pearl.com | udp
US | 108.167.158.96:80 | fine.le-pearl.com | tcp
US | 8.8.8.8:53 | 96.158.167.108.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\tmpF48.tmp

MD5 bfef3e0f4a9459d614280e57d66331fd
SHA1 82db44dbeb70eedbc3fad4a6b5b1a7aa45067f07
SHA256 aecc57f67936fe509d09e8c82743e056a3d2b0d20d3ab5cd39d9e654b525f4de
SHA512 6f2b0edce0c944760721e5cb6e636babf6ceed54cfa220e8afcebde01fb2c2c9ead37df97eaa102af7324b939a7a22dc4a5073903b4adbad2696aa211bebf55e

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1jx5o5fh.fct.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Z0UNWU5J\suspendedpage[1].htm

MD5 1842eed13fddc700a50adada08a0f84d
SHA1 5e7b6997ffaf89afdb803de2e9231cd8886621ae
SHA256 47ac9eef48022403111f9cef6871af594079acdd88da83e7d2b2a92fa47f7368
SHA512 0d0086367e60782f81324abc5a79ae4c19aaa96aeb7aead23d4ca2dde0af5cc7cf3cc9b6e391b95405ed97a136fcd99af3f868a6027b89b5fcc47cff52272b1d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7b3838f4190c655faff2b16381db2da0
SHA1 07ef36fbf036addeb4e3efe56d9d31d68250da2a
SHA256 bd6ff03e889eb9055996414672e89cd161a76d929bcf8344c80307319c19cf67
SHA512 7a0196559971e9338c18931742ddb844313edc9550fc1e30fc17f6f851ed10008658b94d9c6e26423aa622fdbfd7c68917c65ce11d5750a7534a85f0c9f94e36

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3