Malware Analysis Report

2025-08-05 16:16

Sample ID: 240521-b86a2sec87
Target: 431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee
SHA256: 431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee
Tags: agenttesla execution keylogger spyware stealer trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee

Threat Level: Known bad

The file 431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee was found to be: Known bad.

Malicious Activity Summary

agenttesla execution keylogger spyware stealer trojan

AgentTesla

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

Checks computer location settings

Reads data files stored by FTP clients

Reads WinSCP keys stored on the system

Reads user/profile data of local email clients

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported: 2024-05-21 01:49

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-21 01:49

Reported: 2024-05-21 01:52

Platform: win10v2004-20240508-en

Max time kernel: 94s

Max time network: 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee.exe N/A (18 identical rows)
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (2 identical rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee.exe N/A (3 identical rows)
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (2 identical rows)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1424 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 1424 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 1424 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee.exe C:\Windows\SysWOW64\schtasks.exe (3 identical rows)
PID 1424 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee.exe C:\Users\Admin\AppData\Local\Temp\431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee.exe (8 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee.exe

"C:\Users\Admin\AppData\Local\Temp\431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\qDfIBEcYE.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qDfIBEcYE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp16DE.tmp"

C:\Users\Admin\AppData\Local\Temp\431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee.exe

"C:\Users\Admin\AppData\Local\Temp\431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 premium162.web-hosting.com udp
US 162.0.235.253:587 premium162.web-hosting.com tcp
US 8.8.8.8:53 253.235.0.162.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\tmp16DE.tmp

MD5 f0389c32545828d5fc081d54ed249919
SHA1 dcd9a82802f25031782c77ff5f2c3a6759831b4a
SHA256 5c7c320019f4ba505749c5e0ab1ca14bbae6c6712c2e572014a1eff46f08724c
SHA512 3714f596804e79c268baec0e38d02bb1aed2b2be9b800d509f90f168488ba8e69196d67c11af186ecc1369c78cba2f1f6c48b136a2af1f6e7a077edb815a2c5b

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1xbbals0.l24.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d913d428c05c6e110838d1d03eabd8de
SHA1 f1d0f2bde80488df20d2dd477c292f81f9bf8979
SHA256 323da5d5d9bad5326755aa68b647a9436e1149d227d9e9067409aeb245df1961
SHA512 a91ead2d73b31355b03740355e236abbdeea80b40ed2bca019ef2994814f9f65e62b324c2a3d0270a722167e658efb7ad761a423f9847f7ba8c1f41b988f4997

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-21 01:49

Reported: 2024-05-21 01:52

Platform: win7-20240508-en

Max time kernel: 117s

Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee.exe N/A (21 identical rows)
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (2 identical rows)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2204 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (4 identical rows)
PID 2204 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (4 identical rows)
PID 2204 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee.exe C:\Windows\SysWOW64\schtasks.exe (4 identical rows)
PID 2204 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee.exe C:\Users\Admin\AppData\Local\Temp\431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee.exe (9 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee.exe

"C:\Users\Admin\AppData\Local\Temp\431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\qDfIBEcYE.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qDfIBEcYE" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCDF9.tmp"

C:\Users\Admin\AppData\Local\Temp\431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee.exe

"C:\Users\Admin\AppData\Local\Temp\431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmpCDF9.tmp

MD5 76b316a1aad2eac0dd8b412955c248ad
SHA1 191dd93ae43ee246d3e5374dfa6bf5bb685706c6
SHA256 ccc42319201a2491180ef0225b87be008bf28e19fffb731afb49f0e1622db1cf
SHA512 4b7bcf90099ca48e2e060dd46d3b401cd8536e25b34bce63a9613df4daaff19470d1cb57c6bc577559277688992175283b9ce6466b7b567a950e76e51b69a8f3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 4c2052a2acccf7db1171701e084e39d5
SHA1 de2bb547021fad9cb568dbb1817372a27a277a1b
SHA256 00b2dfbe8f4690d91b674c2772cf3754defe383f329b14a5d6922ab08575ba8b
SHA512 d4b534d560fe002497707334d9eb96aec33c8f63b38b85ed4bc718b79569ae29c35198d01bed0309680e216dd69b4f4e84aa3f2f0585ab171c461f38424e887e
