Malware Analysis Report

2024-10-23 21:59

Sample ID 240612-b66tssyarf
Target 280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f
SHA256 280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f
Tags
agenttesla execution keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f

Threat Level: Known bad

The file 280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f was found to be: Known bad.

Malicious Activity Summary

agenttesla execution keylogger spyware stealer trojan

AgentTesla

Command and Scripting Interpreter: PowerShell

Reads WinSCP keys stored on the system

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Reads data files stored by FTP clients

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 01:46

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 01:46

Reported

2024-06-12 01:48

Platform

win7-20240215-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3000 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 2496 | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 2496 | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 2496 | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 2496 | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3000 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3000 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3000 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3000 wrote to memory of 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe
PID 3000 wrote to memory of 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe
PID 3000 wrote to memory of 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe
PID 3000 wrote to memory of 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe
PID 3000 wrote to memory of 2208 | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe
PID 3000 wrote to memory of 2208 | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe
PID 3000 wrote to memory of 2208 | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe
PID 3000 wrote to memory of 2208 | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe
PID 3000 wrote to memory of 1840 | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe
PID 3000 wrote to memory of 1840 | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe
PID 3000 wrote to memory of 1840 | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe
PID 3000 wrote to memory of 1840 | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe
PID 3000 wrote to memory of 1840 | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe
PID 3000 wrote to memory of 1840 | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe
PID 3000 wrote to memory of 1840 | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe
PID 3000 wrote to memory of 1840 | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe
PID 3000 wrote to memory of 1840 | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe

Processes

C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe

"C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rkaDHUKbZLCALj.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rkaDHUKbZLCALj" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC2D2.tmp"

C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe

"C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe"

C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe

"C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe"

C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe

"C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | zqamcx.com | udp
GB | 78.110.166.82:587 | zqamcx.com | tcp

Files

memory/3000-0-0x000000007416E000-0x000000007416F000-memory.dmp

memory/3000-1-0x00000000000C0000-0x0000000000186000-memory.dmp

memory/3000-2-0x0000000074160000-0x000000007484E000-memory.dmp

memory/3000-3-0x0000000000840000-0x000000000085A000-memory.dmp

memory/3000-4-0x00000000003D0000-0x00000000003E0000-memory.dmp

memory/3000-5-0x0000000005CB0000-0x0000000005D34000-memory.dmp

memory/3000-6-0x000000007416E000-0x000000007416F000-memory.dmp

memory/3000-7-0x0000000074160000-0x000000007484E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 88385a941e6318b6b5d2bdeea6935e1a
SHA1 b92bcc4bc774a2aa9269e9d76571cb6d80a42dd2
SHA256 cd8d8741f72c234f6023a27ad3d04537c6d290b580262fef9784e5c0527dd8f5
SHA512 a5b6aedc0225a2330622b12e469e3ab4a2a38a02ccea989ff96a8141275b870ecaa8ebd8d433ef1293aa1cedb228bdb8d18bf3bb410013c093ff40e27a3c4e49

C:\Users\Admin\AppData\Local\Temp\tmpC2D2.tmp

MD5 54c75078635858e410c03a81dea56a09
SHA1 85167ef4a3ffaf716120b607dd9326724fa78e6b
SHA256 6d85c6a05627c571f185b734773535a3f07ef1e37d46f75b81a43d95317fa1fa
SHA512 8a241bd14225a6b6d87171ba0aedeadf60c3286035917d3bf450b5d0f1a817633eff85d04a6ec3d049db9462df34bdecff981ff88874cd185bab4b769795e81a

memory/1840-20-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1840-26-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1840-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1840-32-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1840-30-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1840-29-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1840-24-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1840-22-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3000-33-0x0000000074160000-0x000000007484E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 01:46

Reported

2024-06-12 01:49

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4620 wrote to memory of 4424 | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4620 wrote to memory of 4424 | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4620 wrote to memory of 4424 | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4620 wrote to memory of 5156 | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4620 wrote to memory of 5156 | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4620 wrote to memory of 5156 | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4620 wrote to memory of 5256 | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4620 wrote to memory of 5256 | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4620 wrote to memory of 5256 | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4620 wrote to memory of 2164 | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe
PID 4620 wrote to memory of 2164 | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe
PID 4620 wrote to memory of 2164 | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe
PID 4620 wrote to memory of 220 | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe
PID 4620 wrote to memory of 220 | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe
PID 4620 wrote to memory of 220 | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe
PID 4620 wrote to memory of 220 | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe
PID 4620 wrote to memory of 220 | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe
PID 4620 wrote to memory of 220 | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe
PID 4620 wrote to memory of 220 | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe
PID 4620 wrote to memory of 220 | N/A | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe | C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe

Processes

C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe

"C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3904 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rkaDHUKbZLCALj.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rkaDHUKbZLCALj" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF7D8.tmp"

C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe

"C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe"

C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe

"C:\Users\Admin\AppData\Local\Temp\280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
GB | 142.250.187.202:443 | | tcp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | zqamcx.com | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp

Files

memory/4620-0-0x0000000074D0E000-0x0000000074D0F000-memory.dmp

memory/4620-1-0x0000000000400000-0x00000000004C6000-memory.dmp

memory/4620-2-0x00000000053A0000-0x0000000005944000-memory.dmp

memory/4620-3-0x0000000004ED0000-0x0000000004F62000-memory.dmp

memory/4620-4-0x0000000074D00000-0x00000000754B0000-memory.dmp

memory/4620-5-0x0000000005070000-0x000000000507A000-memory.dmp

memory/4620-6-0x0000000005380000-0x000000000539A000-memory.dmp

memory/4620-7-0x00000000077A0000-0x00000000077B0000-memory.dmp

memory/4620-8-0x0000000007B00000-0x0000000007B84000-memory.dmp

memory/4620-9-0x000000000A260000-0x000000000A2FC000-memory.dmp

memory/4620-10-0x0000000074D0E000-0x0000000074D0F000-memory.dmp

memory/4620-11-0x0000000074D00000-0x00000000754B0000-memory.dmp

memory/4424-16-0x00000000024D0000-0x0000000002506000-memory.dmp

memory/4424-17-0x0000000074D00000-0x00000000754B0000-memory.dmp

memory/4424-18-0x0000000074D00000-0x00000000754B0000-memory.dmp

memory/5156-19-0x0000000004E90000-0x00000000054B8000-memory.dmp

memory/5156-20-0x0000000074D00000-0x00000000754B0000-memory.dmp

memory/5156-21-0x0000000074D00000-0x00000000754B0000-memory.dmp

memory/4424-22-0x0000000074D00000-0x00000000754B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpF7D8.tmp

MD5 25848685d9d712321ec44b2044bb50ad
SHA1 e6b48ee1c11f5d9cff6f8b0b952a12a0f1c84bb6
SHA256 ed38a937de149fe8eaf4e208488f14d56cc94cdc724e6488ad193491e2958723
SHA512 02c3a457a55cda2b92b7f153b884ee8827c40a03a5203d01a8aa35783b7772f445cee4e8fb66dee5831530249b918e99cae63bcaa42ebe631f389eaf6d57f0bb

memory/5156-24-0x0000000074D00000-0x00000000754B0000-memory.dmp

memory/4424-25-0x0000000004DF0000-0x0000000004E12000-memory.dmp

memory/4424-26-0x00000000056E0000-0x0000000005746000-memory.dmp

memory/4424-27-0x0000000005750000-0x00000000057B6000-memory.dmp

memory/220-30-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yfymm0nr.yc5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5156-48-0x0000000005890000-0x0000000005BE4000-memory.dmp

memory/4620-49-0x0000000074D00000-0x00000000754B0000-memory.dmp

memory/4424-50-0x0000000005DE0000-0x0000000005DFE000-memory.dmp

memory/5156-51-0x0000000005CD0000-0x0000000005D1C000-memory.dmp

memory/5156-53-0x00000000713D0000-0x000000007141C000-memory.dmp

memory/4424-54-0x00000000713D0000-0x000000007141C000-memory.dmp

memory/5156-52-0x0000000006C60000-0x0000000006C92000-memory.dmp

memory/4424-69-0x0000000006380000-0x000000000639E000-memory.dmp

memory/5156-74-0x0000000006EA0000-0x0000000006F43000-memory.dmp

memory/4424-75-0x0000000007750000-0x0000000007DCA000-memory.dmp

memory/4424-76-0x0000000007110000-0x000000000712A000-memory.dmp

memory/5156-77-0x0000000007030000-0x000000000703A000-memory.dmp

memory/220-78-0x0000000005F20000-0x0000000005F70000-memory.dmp

memory/4424-79-0x0000000007390000-0x0000000007426000-memory.dmp

memory/4424-80-0x0000000007310000-0x0000000007321000-memory.dmp

memory/4424-81-0x0000000007340000-0x000000000734E000-memory.dmp

memory/5156-82-0x0000000007200000-0x0000000007214000-memory.dmp

memory/5156-83-0x0000000007300000-0x000000000731A000-memory.dmp

memory/5156-84-0x00000000072E0000-0x00000000072E8000-memory.dmp

memory/5156-87-0x0000000074D00000-0x00000000754B0000-memory.dmp

memory/4424-88-0x0000000074D00000-0x00000000754B0000-memory.dmp