Malware Analysis Report

2024-11-30 06:42

Sample ID 240604-bqp64sgb8v
Target 3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8
SHA256 3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8
Tags
agenttesla execution keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8

Threat Level: Known bad

The file 3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8 was found to be: Known bad.

Malicious Activity Summary

agenttesla execution keylogger persistence spyware stealer trojan

AgentTesla

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Reads WinSCP keys stored on the system

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Reads data files stored by FTP clients

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-04 01:21

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 01:21

Reported

2024-06-04 01:23

Platform

win7-20240508-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\XSafpauirD = "C:\\Users\\Admin\\AppData\\Roaming\\XSafpauirD\\XSafpauirD.exe" | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2984 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2984 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2984 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2984 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2984 wrote to memory of 1124 | N/A | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2984 wrote to memory of 1124 | N/A | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2984 wrote to memory of 1124 | N/A | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2984 wrote to memory of 1124 | N/A | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2984 wrote to memory of 2164 | N/A | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2984 wrote to memory of 2164 | N/A | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2984 wrote to memory of 2164 | N/A | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2984 wrote to memory of 2164 | N/A | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2984 wrote to memory of 1184 | N/A | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe
PID 2984 wrote to memory of 1184 | N/A | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe
PID 2984 wrote to memory of 1184 | N/A | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe
PID 2984 wrote to memory of 1184 | N/A | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe
PID 2984 wrote to memory of 1944 | N/A | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe
PID 2984 wrote to memory of 1944 | N/A | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe
PID 2984 wrote to memory of 1944 | N/A | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe
PID 2984 wrote to memory of 1944 | N/A | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe
PID 2984 wrote to memory of 1944 | N/A | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe
PID 2984 wrote to memory of 1944 | N/A | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe
PID 2984 wrote to memory of 1944 | N/A | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe
PID 2984 wrote to memory of 1944 | N/A | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe
PID 2984 wrote to memory of 1944 | N/A | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe

"C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\YRLaftsq.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YRLaftsq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp658B.tmp"

C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe

"C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe"

C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe

"C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp

Files

memory/2984-0-0x000000007419E000-0x000000007419F000-memory.dmp

memory/2984-1-0x00000000001E0000-0x000000000033C000-memory.dmp

memory/2984-2-0x0000000074190000-0x000000007487E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar265C.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

memory/2984-100-0x0000000005E20000-0x0000000005EF4000-memory.dmp

memory/2984-101-0x0000000001F50000-0x0000000001F66000-memory.dmp

memory/2984-102-0x0000000001F60000-0x0000000001F6E000-memory.dmp

memory/2984-103-0x0000000001F80000-0x0000000001F90000-memory.dmp

memory/2984-104-0x00000000068F0000-0x00000000069A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp658B.tmp

MD5 46cf0aaad2815dbbcb68b15cb43fda81
SHA1 8361cc3d77b454d11cd9810dedfe81a9e71f41cf
SHA256 7c3bccc7137754e63e9cb2eea0c7b8f52f3e18dafc8f3c31bad7e31c92eba8c7
SHA512 a5a220dcb8e675aff0245eda8cab6b65ff9a890dabc23b7d1ae467944782c228acdad4b19850d6748647be0cb122a21aec1154caf99a422804f7b586f5838d9e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 46f8142480de52481578ad8e8b52eba2
SHA1 98fb0879dd9d90a317d180355d448585b601d95c
SHA256 6edcee0d9a541010058369696944d94f432271f78896c5bc148e25855b93d56e
SHA512 9fba885e174b194ffb9d491b373b0aafd4c9ea39b001012b224ce3def17234df365e3709a370ac1631c6c424a056ff301ff13073471328ad551f2e723aadc484

memory/1944-117-0x0000000000400000-0x0000000000476000-memory.dmp

memory/1944-121-0x0000000000400000-0x0000000000476000-memory.dmp

memory/1944-119-0x0000000000400000-0x0000000000476000-memory.dmp

memory/1944-128-0x0000000000400000-0x0000000000476000-memory.dmp

memory/1944-127-0x0000000000400000-0x0000000000476000-memory.dmp

memory/1944-126-0x0000000000400000-0x0000000000476000-memory.dmp

memory/1944-125-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1944-123-0x0000000000400000-0x0000000000476000-memory.dmp

memory/2984-129-0x0000000074190000-0x000000007487E000-memory.dmp

C:\Users\Admin\AppData\Roaming\XSafpauirD\XSafpauirD.exe

MD5 2164f0691f1a2232b9258977dee1388b
SHA1 0fb7ad6253c9044d4b0fab60caaa4eeacb24aa2f
SHA256 3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8
SHA512 78693dc2bf1acac9cbd0d8a18fe5ec8b8815c5b3a7e5c3f920fa11d737e5ffaf7d019b79873f934bee348536d25e402662872efd7fcfa7540ba4919a69acc087

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 01:21

Reported

2024-06-04 01:23

Platform

win10v2004-20240426-en

Max time kernel

92s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe | N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XSafpauirD = "C:\\Users\\Admin\\AppData\\Roaming\\XSafpauirD\\XSafpauirD.exe" | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2832 wrote to memory of 1340 | N/A | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2832 wrote to memory of 1340 | N/A | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2832 wrote to memory of 1340 | N/A | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2832 wrote to memory of 4484 | N/A | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2832 wrote to memory of 4484 | N/A | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2832 wrote to memory of 4484 | N/A | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2832 wrote to memory of 2456 | N/A | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2832 wrote to memory of 2456 | N/A | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2832 wrote to memory of 2456 | N/A | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2832 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe
PID 2832 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe
PID 2832 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe
PID 2832 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe
PID 2832 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe
PID 2832 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe
PID 2832 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe
PID 2832 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe | C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe

"C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\YRLaftsq.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YRLaftsq" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA623.tmp"

C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe

"C:\Users\Admin\AppData\Local\Temp\3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp
US | 8.8.8.8:53 | mail.taqwaknitwear.com | udp
AU | 103.20.200.209:587 | mail.taqwaknitwear.com | tcp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp

Files

memory/2832-0-0x00000000746BE000-0x00000000746BF000-memory.dmp

memory/2832-1-0x0000000000820000-0x000000000097C000-memory.dmp

memory/2832-2-0x0000000005830000-0x0000000005DD4000-memory.dmp

memory/2832-3-0x0000000005360000-0x00000000053F2000-memory.dmp

memory/2832-4-0x0000000005DE0000-0x0000000006134000-memory.dmp

memory/2832-5-0x00000000746B0000-0x0000000074E60000-memory.dmp

memory/2832-6-0x0000000005610000-0x000000000561A000-memory.dmp

memory/2832-7-0x00000000069A0000-0x0000000006A74000-memory.dmp

memory/2832-8-0x00000000056E0000-0x00000000056F6000-memory.dmp

memory/2832-9-0x0000000006260000-0x000000000626E000-memory.dmp

memory/2832-10-0x0000000006270000-0x0000000006280000-memory.dmp

memory/2832-11-0x0000000006AD0000-0x0000000006B88000-memory.dmp

memory/2832-12-0x0000000006F20000-0x0000000006FBC000-memory.dmp

memory/1340-17-0x00000000024F0000-0x0000000002526000-memory.dmp

memory/1340-18-0x0000000004F80000-0x00000000055A8000-memory.dmp

memory/1340-19-0x00000000746B0000-0x0000000074E60000-memory.dmp

memory/1340-20-0x00000000746B0000-0x0000000074E60000-memory.dmp

memory/1340-21-0x00000000746B0000-0x0000000074E60000-memory.dmp

memory/4484-22-0x00000000746B0000-0x0000000074E60000-memory.dmp

memory/4484-23-0x00000000746B0000-0x0000000074E60000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpA623.tmp

MD5 55da238a3cd3a391d335566ddb97b461
SHA1 3b8a89126d542f8080234c2716c2b901947a5d64
SHA256 71e1d4c9ffedacf92516400f1e03859bfec98536f465b14b32605b6f32ae6c2d
SHA512 2eddbc416700c1443bda7fa870312a314c3f95aeaee9520036058df99f027ef576861e5d788f4c72c71e6309817f5d5753e50ec0600e759b0f6477c22062d8d8

memory/1340-25-0x0000000004E80000-0x0000000004EA2000-memory.dmp

memory/1340-27-0x0000000005620000-0x0000000005686000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w1c5zuz3.ivg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1340-26-0x00000000055B0000-0x0000000005616000-memory.dmp

memory/2364-46-0x0000000000400000-0x0000000000476000-memory.dmp

memory/4484-49-0x0000000006140000-0x000000000618C000-memory.dmp

memory/4484-48-0x0000000005FC0000-0x0000000005FDE000-memory.dmp

memory/2832-50-0x00000000746B0000-0x0000000074E60000-memory.dmp

memory/1340-51-0x0000000006E10000-0x0000000006E42000-memory.dmp

memory/1340-52-0x000000006F960000-0x000000006F9AC000-memory.dmp

memory/1340-63-0x00000000063F0000-0x000000000640E000-memory.dmp

memory/1340-73-0x0000000007050000-0x00000000070F3000-memory.dmp

memory/4484-62-0x000000006F960000-0x000000006F9AC000-memory.dmp

memory/4484-74-0x0000000007A10000-0x000000000808A000-memory.dmp

memory/1340-75-0x0000000007140000-0x000000000715A000-memory.dmp

memory/1340-76-0x00000000071B0000-0x00000000071BA000-memory.dmp

memory/4484-77-0x0000000007650000-0x00000000076E6000-memory.dmp

memory/1340-78-0x0000000007340000-0x0000000007351000-memory.dmp

memory/1340-79-0x0000000007370000-0x000000000737E000-memory.dmp

memory/1340-80-0x0000000007380000-0x0000000007394000-memory.dmp

memory/1340-81-0x0000000007480000-0x000000000749A000-memory.dmp

memory/4484-82-0x00000000076F0000-0x00000000076F8000-memory.dmp

C:\Users\Admin\AppData\Roaming\XSafpauirD\XSafpauirD.exe

MD5 2164f0691f1a2232b9258977dee1388b
SHA1 0fb7ad6253c9044d4b0fab60caaa4eeacb24aa2f
SHA256 3553821249d145fd1b5b1d418a72e22506d477ae0c09d047f50016656eb586e8
SHA512 78693dc2bf1acac9cbd0d8a18fe5ec8b8815c5b3a7e5c3f920fa11d737e5ffaf7d019b79873f934bee348536d25e402662872efd7fcfa7540ba4919a69acc087

memory/1340-87-0x00000000746B0000-0x0000000074E60000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8dd2c39a87641c80cf58dab2f8c64364
SHA1 7f3b308aa31d2b122a850a5e01aeeec086c2fb27
SHA256 20749f57d39baef8f99ab5165e9099cfa4e113b67a6f7ad71291f9f74fadcfb7
SHA512 e66e72cd06e14087fb4556fbae21df5ea8ea9070e5927f2f2c279cf50ba0b41e1671c4f29d19420ddb9c268dfa992ca39bbd1ea057a22a86da915d435f446da0

memory/4484-91-0x00000000746B0000-0x0000000074E60000-memory.dmp

memory/2364-92-0x0000000006450000-0x00000000064A0000-memory.dmp