Malware Analysis Report

2024-11-30 05:49

Sample ID 240610-brb1waag38
Target ff02b3a5936360107b2140fbf9568906942f0233c653138b9ed7aaf380ea8219
SHA256 ff02b3a5936360107b2140fbf9568906942f0233c653138b9ed7aaf380ea8219
Tags agenttesla execution keylogger spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

ff02b3a5936360107b2140fbf9568906942f0233c653138b9ed7aaf380ea8219

Threat Level: Known bad

The file ff02b3a5936360107b2140fbf9568906942f0233c653138b9ed7aaf380ea8219 was found to be: Known bad.

Malicious Activity Summary

agenttesla execution keylogger spyware stealer trojan

AgentTesla

Command and Scripting Interpreter: PowerShell

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Reads WinSCP keys stored on the system

Checks computer location settings

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-10 01:23

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 01:22

Reported

2024-06-10 01:27

Platform

win7-20240419-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ff02b3a5936360107b2140fbf9568906942f0233c653138b9ed7aaf380ea8219.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ff02b3a5936360107b2140fbf9568906942f0233c653138b9ed7aaf380ea8219.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1860 wrote to memory of 2668 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\ff02b3a5936360107b2140fbf9568906942f0233c653138b9ed7aaf380ea8219.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1860 wrote to memory of 2588 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\ff02b3a5936360107b2140fbf9568906942f0233c653138b9ed7aaf380ea8219.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1860 wrote to memory of 2872 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\ff02b3a5936360107b2140fbf9568906942f0233c653138b9ed7aaf380ea8219.exe C:\Windows\SysWOW64\schtasks.exe
PID 1860 wrote to memory of 2464 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\ff02b3a5936360107b2140fbf9568906942f0233c653138b9ed7aaf380ea8219.exe C:\Users\Admin\AppData\Local\Temp\ff02b3a5936360107b2140fbf9568906942f0233c653138b9ed7aaf380ea8219.exe
PID 1860 wrote to memory of 2472 (9 events) N/A C:\Users\Admin\AppData\Local\Temp\ff02b3a5936360107b2140fbf9568906942f0233c653138b9ed7aaf380ea8219.exe C:\Users\Admin\AppData\Local\Temp\ff02b3a5936360107b2140fbf9568906942f0233c653138b9ed7aaf380ea8219.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ff02b3a5936360107b2140fbf9568906942f0233c653138b9ed7aaf380ea8219.exe

"C:\Users\Admin\AppData\Local\Temp\ff02b3a5936360107b2140fbf9568906942f0233c653138b9ed7aaf380ea8219.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ff02b3a5936360107b2140fbf9568906942f0233c653138b9ed7aaf380ea8219.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ucSBYWgzLcqdK.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ucSBYWgzLcqdK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3AEE.tmp"

C:\Users\Admin\AppData\Local\Temp\ff02b3a5936360107b2140fbf9568906942f0233c653138b9ed7aaf380ea8219.exe

"C:\Users\Admin\AppData\Local\Temp\ff02b3a5936360107b2140fbf9568906942f0233c653138b9ed7aaf380ea8219.exe"

C:\Users\Admin\AppData\Local\Temp\ff02b3a5936360107b2140fbf9568906942f0233c653138b9ed7aaf380ea8219.exe

"C:\Users\Admin\AppData\Local\Temp\ff02b3a5936360107b2140fbf9568906942f0233c653138b9ed7aaf380ea8219.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp3AEE.tmp

MD5 c54c9f925785075695a7078d2f5880ce
SHA1 1761ac7f0ab098073e8aac9d91ca3bfd4ba1e3bf
SHA256 78d1f5dbb0a458e312a7ea4ae0a8b16a040322acb55474af4c8f956d9ecb8128
SHA512 39a29a2bc1e20500b76140980a05fc50ff3238fc49ead7bc8d54d28560b7a89876783b3f854e2862ae30c02849ee987b36713e1b349a46051dcac5a4e294aa0d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DHETS720YY71UBYCXSTW.temp

MD5 de3f6b34b29c3bb49c976eeecdef12f7
SHA1 6e0705f1f817a92de7edf0ce5a58e1b7e476065e
SHA256 e45f1df9400838a0fc8ad11ceb6c91bc2681eba3e80c67cefaa4ee30c33caed8
SHA512 072377a52af2472e7fa3da16e80790e7a8468657da5f218df8197f2eff89401c4063a7fead304bd11df0241d357f157605246ead0c282cade3348e98ec315856

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 01:22

Reported

2024-06-10 01:28

Platform

win10v2004-20240508-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ff02b3a5936360107b2140fbf9568906942f0233c653138b9ed7aaf380ea8219.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ff02b3a5936360107b2140fbf9568906942f0233c653138b9ed7aaf380ea8219.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ff02b3a5936360107b2140fbf9568906942f0233c653138b9ed7aaf380ea8219.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4456 wrote to memory of 3972 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\ff02b3a5936360107b2140fbf9568906942f0233c653138b9ed7aaf380ea8219.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4456 wrote to memory of 5032 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\ff02b3a5936360107b2140fbf9568906942f0233c653138b9ed7aaf380ea8219.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4456 wrote to memory of 1244 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\ff02b3a5936360107b2140fbf9568906942f0233c653138b9ed7aaf380ea8219.exe C:\Windows\SysWOW64\schtasks.exe
PID 4456 wrote to memory of 3128 (8 events) N/A C:\Users\Admin\AppData\Local\Temp\ff02b3a5936360107b2140fbf9568906942f0233c653138b9ed7aaf380ea8219.exe C:\Users\Admin\AppData\Local\Temp\ff02b3a5936360107b2140fbf9568906942f0233c653138b9ed7aaf380ea8219.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ff02b3a5936360107b2140fbf9568906942f0233c653138b9ed7aaf380ea8219.exe

"C:\Users\Admin\AppData\Local\Temp\ff02b3a5936360107b2140fbf9568906942f0233c653138b9ed7aaf380ea8219.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ff02b3a5936360107b2140fbf9568906942f0233c653138b9ed7aaf380ea8219.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ucSBYWgzLcqdK.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ucSBYWgzLcqdK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7C44.tmp"

C:\Users\Admin\AppData\Local\Temp\ff02b3a5936360107b2140fbf9568906942f0233c653138b9ed7aaf380ea8219.exe

"C:\Users\Admin\AppData\Local\Temp\ff02b3a5936360107b2140fbf9568906942f0233c653138b9ed7aaf380ea8219.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sdzq2g1m.qit.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\tmp7C44.tmp

MD5 5051f6b5cbba35f24d9894279adff415
SHA1 ccaa368e8078539b00ccbcd1c6e79c745f1a0df3
SHA256 6f3ad895e3a2eca2a2df48ba94b86237ca7ad5b275c781d7458df7fabbce89e4
SHA512 4d985ab6d29c7eec639b5b7db246637d190529d872e4240e37188a9ddd8036c0429801c5d293c80c40723b8372949770a943b755b78b3bed83badfb480bbb272

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3cc8452c1334a5c0a198ab453eada9c6
SHA1 ec5a7f16983003295077eab7dd1b7b3f6e1e28ca
SHA256 afa4e1f3a069d37fb867cb854eed4985df9cca87a9da55fafae82093f1938a73
SHA512 a011df00977a3876ddd472c3332e0a421f9591338ca87ebcb2468de655cecb71ad0910656d608ff715d953fab66394054287b2c776535a1f1b371e8df5808eb6
