Malware Analysis Report

2024-11-30 06:42

Sample ID 240604-bp17zsgb5y
Target 2078ced8d259a0909740f01cf30d5f5127c4dccb399ccf87c6273b1fe2822662
SHA256 2078ced8d259a0909740f01cf30d5f5127c4dccb399ccf87c6273b1fe2822662
Tags agenttesla execution keylogger persistence spyware stealer trojan
Score 10/10


Analysis Overview

Score 10/10

SHA256 2078ced8d259a0909740f01cf30d5f5127c4dccb399ccf87c6273b1fe2822662

Threat Level: Known bad

The file 2078ced8d259a0909740f01cf30d5f5127c4dccb399ccf87c6273b1fe2822662 was found to be: Known bad.

Malicious Activity Summary

agenttesla execution keylogger persistence spyware stealer trojan

AgentTesla

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-04 01:19

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-04 01:19
Reported 2024-06-04 01:22
Platform win7-20240419-en
Max time kernel 121s
Max time network 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2078ced8d259a0909740f01cf30d5f5127c4dccb399ccf87c6273b1fe2822662.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\chrome = "C:\\Users\\Admin\\AppData\\Roaming\\chrome\\chrome.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1736 set thread context of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\2078ced8d259a0909740f01cf30d5f5127c4dccb399ccf87c6273b1fe2822662.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2078ced8d259a0909740f01cf30d5f5127c4dccb399ccf87c6273b1fe2822662.exe | N/A (13 identical rows)
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A (2 identical rows)
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2078ced8d259a0909740f01cf30d5f5127c4dccb399ccf87c6273b1fe2822662.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A (2 identical rows)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2078ced8d259a0909740f01cf30d5f5127c4dccb399ccf87c6273b1fe2822662.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1736 wrote to memory of 2732 | N/A | C:\Users\Admin\AppData\Local\Temp\2078ced8d259a0909740f01cf30d5f5127c4dccb399ccf87c6273b1fe2822662.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (4 identical rows)
PID 1736 wrote to memory of 2492 | N/A | C:\Users\Admin\AppData\Local\Temp\2078ced8d259a0909740f01cf30d5f5127c4dccb399ccf87c6273b1fe2822662.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (4 identical rows)
PID 1736 wrote to memory of 2620 | N/A | C:\Users\Admin\AppData\Local\Temp\2078ced8d259a0909740f01cf30d5f5127c4dccb399ccf87c6273b1fe2822662.exe | C:\Windows\SysWOW64\schtasks.exe (4 identical rows)
PID 1736 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\2078ced8d259a0909740f01cf30d5f5127c4dccb399ccf87c6273b1fe2822662.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (9 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\2078ced8d259a0909740f01cf30d5f5127c4dccb399ccf87c6273b1fe2822662.exe

"C:\Users\Admin\AppData\Local\Temp\2078ced8d259a0909740f01cf30d5f5127c4dccb399ccf87c6273b1fe2822662.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2078ced8d259a0909740f01cf30d5f5127c4dccb399ccf87c6273b1fe2822662.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uROiYPVgyD.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uROiYPVgyD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp94E0.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 854e093a33179d19ca587d610a9bc615
SHA1 b6695d28bf8fad3cf201f20a16d47508a94d6f31
SHA256 52d43816b3118665fd0d2447ce7351b86580ea7ece23de49782199bb53a24b6c
SHA512 d4bca07db2e4d70afa3b08d9181920211433a2bf2157a585fe7a4fa1e3c0897d80d740480a79665f1f9620f29cbd179203cd60ef96f6e331bcd0ee38defafe6a

C:\Users\Admin\AppData\Local\Temp\tmp94E0.tmp

MD5 a1299732e05f27783f160fb17c2ddc74
SHA1 c1395a6724db01e648181df7797ed8d1f3b836d3
SHA256 548f8c91d5e763d134d3c586bd44864810d3648d4bbaa82082c21bf933604ae8
SHA512 7dd73461aede4afbf02c49230a4cacbf90ca0172d28fdab6e638d669fa06554ca5bbbfa5b0b9d61baababc932271adbf2fe66a5e9b1264b26cb62486f6a5dcdf

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-04 01:19
Reported 2024-06-04 01:22
Platform win10v2004-20240508-en
Max time kernel 93s
Max time network 101s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2078ced8d259a0909740f01cf30d5f5127c4dccb399ccf87c6273b1fe2822662.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2078ced8d259a0909740f01cf30d5f5127c4dccb399ccf87c6273b1fe2822662.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chrome = "C:\\Users\\Admin\\AppData\\Roaming\\chrome\\chrome.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4632 set thread context of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\2078ced8d259a0909740f01cf30d5f5127c4dccb399ccf87c6273b1fe2822662.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2078ced8d259a0909740f01cf30d5f5127c4dccb399ccf87c6273b1fe2822662.exe | N/A (13 identical rows)
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A (2 identical rows)
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2078ced8d259a0909740f01cf30d5f5127c4dccb399ccf87c6273b1fe2822662.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A (2 identical rows)
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A (2 identical rows)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2078ced8d259a0909740f01cf30d5f5127c4dccb399ccf87c6273b1fe2822662.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4632 wrote to memory of 3424 | N/A | C:\Users\Admin\AppData\Local\Temp\2078ced8d259a0909740f01cf30d5f5127c4dccb399ccf87c6273b1fe2822662.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 4632 wrote to memory of 3600 | N/A | C:\Users\Admin\AppData\Local\Temp\2078ced8d259a0909740f01cf30d5f5127c4dccb399ccf87c6273b1fe2822662.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 4632 wrote to memory of 4816 | N/A | C:\Users\Admin\AppData\Local\Temp\2078ced8d259a0909740f01cf30d5f5127c4dccb399ccf87c6273b1fe2822662.exe | C:\Windows\SysWOW64\schtasks.exe (3 identical rows)
PID 4632 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\2078ced8d259a0909740f01cf30d5f5127c4dccb399ccf87c6273b1fe2822662.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (8 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\2078ced8d259a0909740f01cf30d5f5127c4dccb399ccf87c6273b1fe2822662.exe

"C:\Users\Admin\AppData\Local\Temp\2078ced8d259a0909740f01cf30d5f5127c4dccb399ccf87c6273b1fe2822662.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2078ced8d259a0909740f01cf30d5f5127c4dccb399ccf87c6273b1fe2822662.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uROiYPVgyD.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uROiYPVgyD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp26C.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\tmp26C.tmp

MD5 740d57bf4578e50f0f2487c908fc0e4a
SHA1 b07b387b41aca0aeb1cf5ff54ef212969e24abd2
SHA256 12b52cde9b7c286aa2529cad454eef0922a3eebef73cadf8a2f5feb23f6b88d3
SHA512 28a5a282c44ce5c1c053c2775b0cf5b055d7b7d1f17464f327346e185708fbb3c80b8c630607dd026076a87b012b8ffaed85491161f2fe5f06842f33b9607da9

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_amqvjije.iii.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 eb54f29668d4895d86c5a84520714321
SHA1 b5c66de6582644955922a50efd207936fc306aa1
SHA256 c1c8983472feb7742d40a2e792bb06cce338cc7e57e6fccb9a155408b74c95e5
SHA512 dbf989f65ee65ed0941d14b773a01fce91edd542ca420c376657f928288c7486df9bd4a44b6e11b5cd94ee48f487745ae8f0438d65f45299f271ff907f352d43