Malware Analysis Report

2024-10-23 19:42

Sample ID 240202-cbhzxsdeam
Target cdcfa8aab8a4766ddb88df4635104d83.bin
SHA256 e28762be9dedb8c6d2499106c684fed3b554b6f37341c6d119a232570e146c51
Tags darkcloud stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

e28762be9dedb8c6d2499106c684fed3b554b6f37341c6d119a232570e146c51

Threat Level: Known bad

The file cdcfa8aab8a4766ddb88df4635104d83.bin was found to be: Known bad.

Malicious Activity Summary

darkcloud stealer

DarkCloud

Checks computer location settings

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-02 01:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-02 01:54

Reported

2024-02-02 01:56

Platform

win7-20231215-en

Max time kernel

117s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe"

Signatures

DarkCloud

stealer darkcloud

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 836 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe C:\Windows\SysWOW64\schtasks.exe
PID 836 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe C:\Windows\SysWOW64\schtasks.exe
PID 836 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe C:\Windows\SysWOW64\schtasks.exe
PID 836 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe C:\Windows\SysWOW64\schtasks.exe
PID 836 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe
PID 836 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe
PID 836 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe
PID 836 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe
PID 836 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe
PID 836 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe
PID 836 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe
PID 836 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe
PID 836 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe

"C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UbaskbOLQNa.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UbaskbOLQNa" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBB15.tmp"

C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe

"C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe"

Network

N/A

Files

memory/836-0-0x0000000000140000-0x000000000023C000-memory.dmp

memory/836-1-0x00000000744D0000-0x0000000074BBE000-memory.dmp

memory/836-2-0x00000000072D0000-0x0000000007310000-memory.dmp

memory/836-3-0x0000000000560000-0x0000000000578000-memory.dmp

memory/836-4-0x00000000004D0000-0x00000000004D8000-memory.dmp

memory/836-5-0x0000000000580000-0x000000000058C000-memory.dmp

memory/836-6-0x0000000007930000-0x00000000079D2000-memory.dmp

memory/836-7-0x00000000744D0000-0x0000000074BBE000-memory.dmp

memory/836-8-0x00000000072D0000-0x0000000007310000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpBB15.tmp

MD5 463cd327d3e513344550f47f1a84e4b0
SHA1 cab2121180c408fe2b13e0763f6eafad10fb8a4a
SHA256 985f73850f31683037816aa9b2bada09230a3231f1a427ccd695b02ab270dcdf
SHA512 cb6cdbd06cb8a204be1bc7835aa8b0d9aeca6697c349b4a30ed7978576a57813bd4ac7942fda873f5bde7c5772419a206833a5688cf89c41f9058d1ce847b707

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2ZUOG1V122SN6TSOV4LT.temp

MD5 841c0b3daee71608da23fc8fe88267a0
SHA1 ea97983481b974d9f6b70f2349371d45fd4ac398
SHA256 7df348e2d08d8a1765a11715f993e6f0ff0b1d95dc096f89abe1c117febeebe4
SHA512 b28889bd979f36b54276f17774ce519145b5931dd9865c042e2cdc6848ac739b93e85128bceb4c9218868fbf39d05788749f286d17e2d1e579fe1d95e131d85a

memory/1696-21-0x0000000000400000-0x0000000000463000-memory.dmp

memory/1696-23-0x0000000000400000-0x0000000000463000-memory.dmp

memory/1696-25-0x0000000000400000-0x0000000000463000-memory.dmp

memory/1696-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1696-29-0x0000000000400000-0x0000000000463000-memory.dmp

memory/2700-31-0x000000006F340000-0x000000006F8EB000-memory.dmp

memory/2872-33-0x000000006F340000-0x000000006F8EB000-memory.dmp

memory/2872-34-0x00000000025D0000-0x0000000002610000-memory.dmp

memory/2700-35-0x0000000002130000-0x0000000002170000-memory.dmp

memory/2872-36-0x000000006F340000-0x000000006F8EB000-memory.dmp

memory/2700-37-0x000000006F340000-0x000000006F8EB000-memory.dmp

memory/2700-38-0x0000000002130000-0x0000000002170000-memory.dmp

memory/836-32-0x00000000744D0000-0x0000000074BBE000-memory.dmp

memory/2700-39-0x000000006F340000-0x000000006F8EB000-memory.dmp

memory/2872-40-0x000000006F340000-0x000000006F8EB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-02 01:54

Reported

2024-02-02 01:56

Platform

win10v2004-20231215-en

Max time kernel

143s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe"

Signatures

DarkCloud

stealer darkcloud

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4356 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4356 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4356 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4356 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4356 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4356 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4356 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe C:\Windows\SysWOW64\schtasks.exe
PID 4356 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe C:\Windows\SysWOW64\schtasks.exe
PID 4356 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe C:\Windows\SysWOW64\schtasks.exe
PID 4356 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe
PID 4356 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe
PID 4356 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe
PID 4356 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe
PID 4356 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe
PID 4356 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe
PID 4356 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe
PID 4356 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe
PID 4356 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe
PID 4356 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe
PID 4356 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe

"C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UbaskbOLQNa" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE639.tmp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UbaskbOLQNa.exe"

C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe

"C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe"

C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe

"C:\Users\Admin\AppData\Local\Temp\0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.exe"

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 6.173.189.20.in-addr.arpa udp

Files

memory/4356-0-0x0000000000B70000-0x0000000000C6C000-memory.dmp

memory/4356-1-0x0000000074F10000-0x00000000756C0000-memory.dmp

memory/4356-2-0x0000000008080000-0x0000000008624000-memory.dmp

memory/4356-3-0x0000000007B70000-0x0000000007C02000-memory.dmp

memory/4356-4-0x0000000007E00000-0x0000000007E10000-memory.dmp

memory/4356-5-0x0000000007B30000-0x0000000007B3A000-memory.dmp

memory/4356-6-0x0000000007E10000-0x0000000007EAC000-memory.dmp

memory/4356-7-0x0000000002EA0000-0x0000000002EB8000-memory.dmp

memory/4356-8-0x0000000002ED0000-0x0000000002ED8000-memory.dmp

memory/4356-9-0x0000000002EE0000-0x0000000002EEC000-memory.dmp

memory/4356-10-0x0000000009800000-0x00000000098A2000-memory.dmp

memory/4356-11-0x0000000074F10000-0x00000000756C0000-memory.dmp

memory/4356-12-0x0000000007E00000-0x0000000007E10000-memory.dmp

memory/5076-17-0x0000000002FF0000-0x0000000003026000-memory.dmp

memory/5076-18-0x0000000074F10000-0x00000000756C0000-memory.dmp

memory/5076-19-0x0000000003060000-0x0000000003070000-memory.dmp

memory/5076-21-0x0000000005AD0000-0x00000000060F8000-memory.dmp

memory/5076-20-0x0000000003060000-0x0000000003070000-memory.dmp

memory/884-22-0x0000000002100000-0x0000000002110000-memory.dmp

memory/884-25-0x0000000004A80000-0x0000000004AA2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpE639.tmp

MD5 d70d614a9877e1b8878917f3b6d41e41
SHA1 7f2b6b549b9b8c5ca5d638b714040ca8a2eca183
SHA256 506eef5a7758c27165f90c53beec751ff3a8a69bd7a3a6143422880b7eec2eb8
SHA512 aed7a2beb78fc5ed3fe83d85d06f61ee948d3c2b1562429ada451f0604c14e6c8a0e6ee370ff1a5995ed5dd7e5ce5fe81c0d1861b60d7674ace6c720212f712d

memory/884-24-0x0000000074F10000-0x00000000756C0000-memory.dmp

memory/5076-26-0x0000000006210000-0x0000000006276000-memory.dmp

memory/884-33-0x0000000005430000-0x0000000005496000-memory.dmp

memory/3540-32-0x0000000000400000-0x0000000000463000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p0fapchk.py4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3540-44-0x0000000000400000-0x0000000000463000-memory.dmp

memory/884-50-0x00000000055A0000-0x00000000058F4000-memory.dmp

memory/4356-51-0x0000000074F10000-0x00000000756C0000-memory.dmp

memory/5076-54-0x0000000006900000-0x000000000691E000-memory.dmp

memory/5076-55-0x0000000006940000-0x000000000698C000-memory.dmp

memory/884-56-0x0000000002100000-0x0000000002110000-memory.dmp

memory/5076-57-0x0000000003060000-0x0000000003070000-memory.dmp

memory/5076-58-0x0000000006ED0000-0x0000000006F02000-memory.dmp

memory/5076-72-0x0000000006EA0000-0x0000000006EBE000-memory.dmp

memory/5076-82-0x0000000007900000-0x00000000079A3000-memory.dmp

memory/884-62-0x000000007EE70000-0x000000007EE80000-memory.dmp

memory/884-61-0x0000000071700000-0x000000007174C000-memory.dmp

memory/5076-60-0x0000000071700000-0x000000007174C000-memory.dmp

memory/5076-59-0x000000007FB60000-0x000000007FB70000-memory.dmp

memory/884-84-0x0000000006D80000-0x0000000006D9A000-memory.dmp

memory/5076-83-0x0000000008250000-0x00000000088CA000-memory.dmp

memory/5076-85-0x0000000007C80000-0x0000000007C8A000-memory.dmp

memory/884-86-0x0000000007000000-0x0000000007096000-memory.dmp

memory/884-87-0x0000000006F80000-0x0000000006F91000-memory.dmp

memory/884-88-0x0000000006FB0000-0x0000000006FBE000-memory.dmp

memory/5076-89-0x0000000007E50000-0x0000000007E64000-memory.dmp

memory/884-90-0x00000000070C0000-0x00000000070DA000-memory.dmp

memory/5076-91-0x0000000007F30000-0x0000000007F38000-memory.dmp

memory/5076-95-0x0000000074F10000-0x00000000756C0000-memory.dmp

memory/884-94-0x0000000074F10000-0x00000000756C0000-memory.dmp

memory/3540-96-0x0000000000400000-0x0000000000463000-memory.dmp