Malware Analysis Report

2024-10-19 09:22

Sample ID: 240612-cgybssydje
Target: 4b13fee13544dc3148752435f83f9861e3d14a117ad645d015e336da00ffceff
SHA256: 4b13fee13544dc3148752435f83f9861e3d14a117ad645d015e336da00ffceff
Tags: agenttesla execution keylogger persistence spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 4b13fee13544dc3148752435f83f9861e3d14a117ad645d015e336da00ffceff

Threat Level: Known bad

The file 4b13fee13544dc3148752435f83f9861e3d14a117ad645d015e336da00ffceff was found to be: Known bad.

Malicious Activity Summary

agenttesla execution keylogger persistence spyware stealer trojan

AgentTesla

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-12 02:03

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-12 02:03
Reported: 2024-06-12 02:06
Platform: win7-20240215-en
Max time kernel: 121s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4b13fee13544dc3148752435f83f9861e3d14a117ad645d015e336da00ffceff.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\ZUHFqcY = "C:\\Users\\Admin\\AppData\\Roaming\\ZUHFqcY\\ZUHFqcY.exe" | C:\Users\Admin\AppData\Local\Temp\4b13fee13544dc3148752435f83f9861e3d14a117ad645d015e336da00ffceff.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2944 wrote to memory of 2260 (4 entries) | N/A | C:\Users\Admin\AppData\Local\Temp\4b13fee13544dc3148752435f83f9861e3d14a117ad645d015e336da00ffceff.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2944 wrote to memory of 2624 (4 entries) | N/A | C:\Users\Admin\AppData\Local\Temp\4b13fee13544dc3148752435f83f9861e3d14a117ad645d015e336da00ffceff.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2944 wrote to memory of 2644 (4 entries) | N/A | C:\Users\Admin\AppData\Local\Temp\4b13fee13544dc3148752435f83f9861e3d14a117ad645d015e336da00ffceff.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2944 wrote to memory of 3032 (4 entries) | N/A | C:\Users\Admin\AppData\Local\Temp\4b13fee13544dc3148752435f83f9861e3d14a117ad645d015e336da00ffceff.exe | C:\Users\Admin\AppData\Local\Temp\4b13fee13544dc3148752435f83f9861e3d14a117ad645d015e336da00ffceff.exe
PID 2944 wrote to memory of 2576 (9 entries) | N/A | C:\Users\Admin\AppData\Local\Temp\4b13fee13544dc3148752435f83f9861e3d14a117ad645d015e336da00ffceff.exe | C:\Users\Admin\AppData\Local\Temp\4b13fee13544dc3148752435f83f9861e3d14a117ad645d015e336da00ffceff.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4b13fee13544dc3148752435f83f9861e3d14a117ad645d015e336da00ffceff.exe

"C:\Users\Admin\AppData\Local\Temp\4b13fee13544dc3148752435f83f9861e3d14a117ad645d015e336da00ffceff.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\4b13fee13544dc3148752435f83f9861e3d14a117ad645d015e336da00ffceff.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cGhOYFUbb.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cGhOYFUbb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp39C6.tmp"

C:\Users\Admin\AppData\Local\Temp\4b13fee13544dc3148752435f83f9861e3d14a117ad645d015e336da00ffceff.exe

"C:\Users\Admin\AppData\Local\Temp\4b13fee13544dc3148752435f83f9861e3d14a117ad645d015e336da00ffceff.exe"

C:\Users\Admin\AppData\Local\Temp\4b13fee13544dc3148752435f83f9861e3d14a117ad645d015e336da00ffceff.exe

"C:\Users\Admin\AppData\Local\Temp\4b13fee13544dc3148752435f83f9861e3d14a117ad645d015e336da00ffceff.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp39C6.tmp

MD5 67f824dcdefaeb745f90add5df954183
SHA1 9182c3c1eac57dc538f21cafb2a3cf385e65d4d0
SHA256 e486c65cb538a2306897dacb5b1d79fe2338a8b43bbbad408293a9e607bee0d1
SHA512 88c6b9e6d98882b7448d93e117bd0b8b79e369b75bffc3f555b459dcc2c1f4fbd175c769a2ebf43335747f9b9ec35778a97f41b8d140a52bdb85fec662b3009c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XWDQCIFQO63381QROFYL.temp

MD5 0f64b5cb51a581c3e9f3058c170294b6
SHA1 0bef292fa15a88aa1082ecdee619e9fc34e53bff
SHA256 a46b5ccf3a2c3d61e91f9e248f890b0baf17864445710ff8e0347c68eb3eba30
SHA512 39ef635e76d41d1b040bf2eafdbf78934a4bd3c89d1dc944651f563b4807440c3527ccd77956f453b359f6d365ec4f92eb0c88422abebfb15090a251906c4f1e

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-12 02:03
Reported: 2024-06-12 02:06
Platform: win10v2004-20240611-en
Max time kernel: 119s
Max time network: 125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4b13fee13544dc3148752435f83f9861e3d14a117ad645d015e336da00ffceff.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4b13fee13544dc3148752435f83f9861e3d14a117ad645d015e336da00ffceff.exe | N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZUHFqcY = "C:\\Users\\Admin\\AppData\\Roaming\\ZUHFqcY\\ZUHFqcY.exe" | C:\Users\Admin\AppData\Local\Temp\4b13fee13544dc3148752435f83f9861e3d14a117ad645d015e336da00ffceff.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4464 wrote to memory of 3324 (3 entries) | N/A | C:\Users\Admin\AppData\Local\Temp\4b13fee13544dc3148752435f83f9861e3d14a117ad645d015e336da00ffceff.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4464 wrote to memory of 2964 (3 entries) | N/A | C:\Users\Admin\AppData\Local\Temp\4b13fee13544dc3148752435f83f9861e3d14a117ad645d015e336da00ffceff.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4464 wrote to memory of 2464 (3 entries) | N/A | C:\Users\Admin\AppData\Local\Temp\4b13fee13544dc3148752435f83f9861e3d14a117ad645d015e336da00ffceff.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4464 wrote to memory of 2884 (3 entries) | N/A | C:\Users\Admin\AppData\Local\Temp\4b13fee13544dc3148752435f83f9861e3d14a117ad645d015e336da00ffceff.exe | C:\Users\Admin\AppData\Local\Temp\4b13fee13544dc3148752435f83f9861e3d14a117ad645d015e336da00ffceff.exe
PID 4464 wrote to memory of 3380 (3 entries) | N/A | C:\Users\Admin\AppData\Local\Temp\4b13fee13544dc3148752435f83f9861e3d14a117ad645d015e336da00ffceff.exe | C:\Users\Admin\AppData\Local\Temp\4b13fee13544dc3148752435f83f9861e3d14a117ad645d015e336da00ffceff.exe
PID 4464 wrote to memory of 4780 (8 entries) | N/A | C:\Users\Admin\AppData\Local\Temp\4b13fee13544dc3148752435f83f9861e3d14a117ad645d015e336da00ffceff.exe | C:\Users\Admin\AppData\Local\Temp\4b13fee13544dc3148752435f83f9861e3d14a117ad645d015e336da00ffceff.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4b13fee13544dc3148752435f83f9861e3d14a117ad645d015e336da00ffceff.exe

"C:\Users\Admin\AppData\Local\Temp\4b13fee13544dc3148752435f83f9861e3d14a117ad645d015e336da00ffceff.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\4b13fee13544dc3148752435f83f9861e3d14a117ad645d015e336da00ffceff.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cGhOYFUbb.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cGhOYFUbb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5BBC.tmp"

C:\Users\Admin\AppData\Local\Temp\4b13fee13544dc3148752435f83f9861e3d14a117ad645d015e336da00ffceff.exe

"C:\Users\Admin\AppData\Local\Temp\4b13fee13544dc3148752435f83f9861e3d14a117ad645d015e336da00ffceff.exe"

C:\Users\Admin\AppData\Local\Temp\4b13fee13544dc3148752435f83f9861e3d14a117ad645d015e336da00ffceff.exe

"C:\Users\Admin\AppData\Local\Temp\4b13fee13544dc3148752435f83f9861e3d14a117ad645d015e336da00ffceff.exe"

C:\Users\Admin\AppData\Local\Temp\4b13fee13544dc3148752435f83f9861e3d14a117ad645d015e336da00ffceff.exe

"C:\Users\Admin\AppData\Local\Temp\4b13fee13544dc3148752435f83f9861e3d14a117ad645d015e336da00ffceff.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
NL | 23.62.61.194:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp
US | 8.8.8.8:53 | us2.smtp.mailhostbox.com | udp
US | 208.91.198.143:587 | us2.smtp.mailhostbox.com | tcp
US | 8.8.8.8:53 | 143.198.91.208.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\tmp5BBC.tmp

MD5 71f8f48170c857c8235cd3ace96badc5
SHA1 a4b833e333e735263a85ccd78d610d30584891d9
SHA256 7402a899184c79d011fcb0ef2ce15c0c489da74be39c21744cfeb834dae2e2a8
SHA512 6e4fa2e8ffccd467b8586ffe4e633bd7b7aa1f9b4a905ab7e8210d167891df9c00b8c6d3e479e9e81235146833dcff35b91f825fc55c010fc21dcb3284929ac9

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vu0zavah.vxc.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f319482c7928cd2a1a31d6a2f44d5db9
SHA1 c85e35aca1a35da3b7971fac0366ffbb4cbee435
SHA256 d98c99d0447fab182ae0763fe95b27264537583f345c6af64734db141c405062
SHA512 0cb27ab377ad1f9abdd5188c8c72726faa2b9ff178c1066aff89ced80eb39e2dbef506e1a83b94f5677930744f80d2a1697c5a6c40363da7ac6491a805473bcd
