Malware Analysis Report

2024-09-23 03:22

Sample ID 240619-bfvzlsvepp
Target 0ffef02908f711dc3b01b83a439e2aeaafa58b021a4c930ed47772e6d958931e.js
SHA256 0ffef02908f711dc3b01b83a439e2aeaafa58b021a4c930ed47772e6d958931e
Tags
agenttesla stormkitty xworm execution keylogger rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0ffef02908f711dc3b01b83a439e2aeaafa58b021a4c930ed47772e6d958931e

Threat Level: Known bad

The file 0ffef02908f711dc3b01b83a439e2aeaafa58b021a4c930ed47772e6d958931e.js was found to be: Known bad.

Malicious Activity Summary

agenttesla stormkitty xworm execution keylogger rat spyware stealer trojan

AgentTesla

StormKitty

StormKitty payload

Detect Xworm Payload

Xworm

Detects executables packed with SmartAssembly

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Detects executables referencing Windows vault credential objects. Observed in infostealers

Detects executables referencing many file transfer clients. Observed in information stealers

Detects executables referencing many email and collaboration clients. Observed in information stealers

Detects Windows executables referencing non-Windows User-Agents

Detects executables referencing credit card regular expressions

Detect packed .NET executables. Mostly AgentTeslaV4.

Command and Scripting Interpreter: PowerShell

Reads WinSCP keys stored on the system

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of local email clients

Checks computer location settings

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Command and Scripting Interpreter: JavaScript

Program crash

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-19 01:05

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 01:05

Reported

2024-06-19 01:08

Platform

win7-20240611-en

Max time kernel

121s

Max time network

146s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\0ffef02908f711dc3b01b83a439e2aeaafa58b021a4c930ed47772e6d958931e.js

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Detect packed .NET executables. Mostly AgentTeslaV4.

Description Indicator Process Target
N/A N/A N/A N/A

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables packed with SmartAssembly

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing Windows vault credential objects. Observed in infostealers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing credit card regular expressions

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing many email and collaboration clients. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing many file transfer clients. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2264 set thread context of 2220 N/A C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2424 wrote to memory of 2264 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe
PID 2424 wrote to memory of 2264 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe
PID 2424 wrote to memory of 2264 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe
PID 2424 wrote to memory of 2264 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe
PID 2264 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2264 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2264 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2264 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2264 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2264 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2264 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2264 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2264 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe C:\Windows\SysWOW64\schtasks.exe
PID 2264 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe C:\Windows\SysWOW64\schtasks.exe
PID 2264 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe C:\Windows\SysWOW64\schtasks.exe
PID 2264 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe C:\Windows\SysWOW64\schtasks.exe
PID 2264 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe
PID 2264 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe
PID 2264 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe
PID 2264 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe
PID 2264 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe
PID 2264 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe
PID 2264 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe
PID 2264 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe
PID 2264 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\0ffef02908f711dc3b01b83a439e2aeaafa58b021a4c930ed47772e6d958931e.js

C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe

"C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hmpDqhdDQk.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hmpDqhdDQk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6F66.tmp"

C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe

"C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe"

Network

Country Destination Domain Proto
US 107.175.101.198:7000 tcp
US 8.8.8.8:53 api.ipify.org udp
US 172.67.74.152:443 api.ipify.org tcp
US 107.175.101.198:7000 tcp
US 107.175.101.198:7000 tcp

Files

C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe

MD5 22269c9e26e7aa5d4168bb2b7acad1b3
SHA1 9c18f20bceeeb671f745458b4bf4f8d217a84173
SHA256 0ca04624018e1b0234ad520ab681fc7357f5dc1b537f860fc9a4849b4c207b11
SHA512 a3c0a97eed520fb5bd6578b48bf8992fd62ae913eb5b3940423800a2f913614b5c7eb39d0fd038f4edd98aa5512a16dabcc5f8c601ac93260af8d91dd9350e17

C:\Users\Admin\AppData\Local\Temp\tmp6F66.tmp

MD5 dc5ba4c7351e42926173256d9b2e743d
SHA1 ee9d4673ccf578a8cf624c11051e46399c6a2bfd
SHA256 f9f0f6755766be41cfd8d2e89e1e9b0767cb5412ca7bbad6fc9bffd40a9b7162
SHA512 fb9c767aa3c69c4b08369f0237634f420bb7e595c0ab0edf41f2833b90160721569d0d175548acea2f96efd8e7ff63f5f5fce4f353307767438a1019a1bff071

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 01:05

Reported

2024-06-19 01:08

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

151s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\0ffef02908f711dc3b01b83a439e2aeaafa58b021a4c930ed47772e6d958931e.js

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Detect packed .NET executables. Mostly AgentTeslaV4.

Description Indicator Process Target
N/A N/A N/A N/A

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables packed with SmartAssembly

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing Windows vault credential objects. Observed in infostealers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing credit card regular expressions

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing many email and collaboration clients. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing many file transfer clients. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4304 set thread context of 4032 N/A C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3680 wrote to memory of 4304 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe
PID 3680 wrote to memory of 4304 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe
PID 3680 wrote to memory of 4304 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe
PID 4304 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4304 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4304 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4304 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4304 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4304 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4304 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe C:\Windows\SysWOW64\schtasks.exe
PID 4304 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe C:\Windows\SysWOW64\schtasks.exe
PID 4304 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe C:\Windows\SysWOW64\schtasks.exe
PID 4304 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe
PID 4304 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe
PID 4304 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe
PID 4304 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe
PID 4304 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe
PID 4304 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe
PID 4304 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe
PID 4304 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\0ffef02908f711dc3b01b83a439e2aeaafa58b021a4c930ed47772e6d958931e.js

C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe

"C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hmpDqhdDQk.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hmpDqhdDQk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8ACB.tmp"

C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe

"C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 4032 -ip 4032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 2276

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
BE 88.221.83.187:443 www.bing.com tcp
US 8.8.8.8:53 187.83.221.88.in-addr.arpa udp
US 107.175.101.198:7000 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.101.175.107.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 api.ipify.org udp
US 172.67.74.152:443 api.ipify.org tcp
US 8.8.8.8:53 152.74.67.172.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 107.175.101.198:7000 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe

MD5 22269c9e26e7aa5d4168bb2b7acad1b3
SHA1 9c18f20bceeeb671f745458b4bf4f8d217a84173
SHA256 0ca04624018e1b0234ad520ab681fc7357f5dc1b537f860fc9a4849b4c207b11
SHA512 a3c0a97eed520fb5bd6578b48bf8992fd62ae913eb5b3940423800a2f913614b5c7eb39d0fd038f4edd98aa5512a16dabcc5f8c601ac93260af8d91dd9350e17

C:\Users\Admin\AppData\Local\Temp\tmp8ACB.tmp

MD5 a1db0bfd0505ddf60d8a3f9d5c62ff26
SHA1 c5f52b8ac7bc05537d08e05493602189f010f39b
SHA256 43b8a1c82429ca6e6ceed626c359f55947587f7258411881b4ead2fc7fbe4dbf
SHA512 15303f85858f15591041279b7f6237af99da82fc990f8051e58dd3c0199bdc6db5d1ace6d27caa7efb016d0001e7261f478d7786b3b458f8209f92491d503fac

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0gz1c0iw.5tb.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4efb9c5e848bb92f1fd705ffa47e3840
SHA1 5d29eed7deda1c059b22491997bc9bbeda5ccff1
SHA256 4cb6a7e03016c2958f4b9532a43e2bbf851d371654b314157c4cb6349f42c0a8
SHA512 4c15111f03d9219556b00570d27b436d1bc56d04a197e2edda8408324fcb74c65bb83c80b7d7d35b4a03ec9af4e15cc7cce73d16b52d86d14abd120f0380ea19
