Malware Analysis Report

2024-11-30 05:48

Sample ID 240619-cefc7ssamd
Target 0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a
SHA256 0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a
Tags: agenttesla execution keylogger persistence spyware stealer trojan
Score: 10/10


Analysis Overview


Threat Level: Known bad

The file 0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a was found to be: Known bad.

Malicious Activity Summary

agenttesla execution keylogger persistence spyware stealer trojan

AgentTesla

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-19 01:59

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-19 01:59
Reported: 2024-06-19 02:01
Platform: win7-20231129-en
Max time kernel: 121s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\chrome = "C:\\Users\\Admin\\AppData\\Roaming\\chrome\\chrome.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2924 set thread context of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2924 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2924 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2924 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2924 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2924 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2924 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2924 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2924 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2924 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2924 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2924 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2924 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2924 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2924 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2924 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2924 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2924 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2924 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2924 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2924 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2924 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe

"C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sRBwuhdSvUSJqF.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sRBwuhdSvUSJqF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9241.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp

Files

memory/2924-0-0x0000000074DCE000-0x0000000074DCF000-memory.dmp

memory/2924-1-0x0000000000B80000-0x0000000000C2C000-memory.dmp

memory/2924-2-0x0000000074DC0000-0x00000000754AE000-memory.dmp

memory/2924-3-0x0000000000590000-0x00000000005A6000-memory.dmp

memory/2924-4-0x0000000000920000-0x000000000092C000-memory.dmp

memory/2924-5-0x0000000000990000-0x00000000009A0000-memory.dmp

memory/2924-6-0x0000000004B90000-0x0000000004C14000-memory.dmp

memory/2924-7-0x0000000074DCE000-0x0000000074DCF000-memory.dmp

memory/2924-8-0x0000000074DC0000-0x00000000754AE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9241.tmp

MD5 dad690c9f111b92cab7e42ae4d106a1d
SHA1 26d2a43a1f4ce6423ae87d28904d610cd31afd8e
SHA256 415f381e1a1cbd9d9f1023360fc32eb53f0c4648600c1de2e5a774d1fbf7f6db
SHA512 74b6a50ce011dad71ac8c7725930a8aae0ac2368af36ec7034cca858ab4f9a72780875c650ae81c46034524c521b40a4aa840abac7e3ec2141dd01c74048e073

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 60ffb83b338e589ebe38692458248497
SHA1 45cfd23b18266b1018d3f66014de6db1b7421e5f
SHA256 88732bf6eadbd887079b1258421d0783966329b0eb75f01207fca21363b8f583
SHA512 36146953754bc5087ba5496ca906ab50faf2b73b811edb124080d0835c8145e0e06129e13a54dbaf740e85e7c3057d2194e6ef1fc68d330fd39c28e53f7e549f

memory/2628-21-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2628-23-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2628-32-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2628-31-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2628-30-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2628-29-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2628-25-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2628-27-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2924-33-0x0000000074DC0000-0x00000000754AE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-19 01:59
Reported: 2024-06-19 02:01
Platform: win10v2004-20240611-en
Max time kernel: 149s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chrome = "C:\\Users\\Admin\\AppData\\Roaming\\chrome\\chrome.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3672 set thread context of 1876 | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3672 wrote to memory of 1380 | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3672 wrote to memory of 1380 | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3672 wrote to memory of 1380 | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3672 wrote to memory of 4556 | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3672 wrote to memory of 4556 | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3672 wrote to memory of 4556 | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3672 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3672 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3672 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3672 wrote to memory of 1876 | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3672 wrote to memory of 1876 | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3672 wrote to memory of 1876 | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3672 wrote to memory of 1876 | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3672 wrote to memory of 1876 | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3672 wrote to memory of 1876 | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3672 wrote to memory of 1876 | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3672 wrote to memory of 1876 | N/A | C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe

"C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0fb893b33625bc426a1e1adb7d8698b5b5e48f0d5e1b15a8086024c9fc77897a.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sRBwuhdSvUSJqF.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sRBwuhdSvUSJqF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE03E.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 104.193.132.51.in-addr.arpa udp

Files

memory/3672-0-0x0000000074C0E000-0x0000000074C0F000-memory.dmp

memory/3672-1-0x0000000000B40000-0x0000000000BEC000-memory.dmp

memory/3672-2-0x0000000005B90000-0x0000000006134000-memory.dmp

memory/3672-3-0x00000000055E0000-0x0000000005672000-memory.dmp

memory/3672-4-0x00000000056A0000-0x00000000056AA000-memory.dmp

memory/3672-5-0x0000000074C00000-0x00000000753B0000-memory.dmp

memory/3672-6-0x0000000005970000-0x0000000005986000-memory.dmp

memory/3672-7-0x0000000006850000-0x000000000685C000-memory.dmp

memory/3672-8-0x0000000006860000-0x0000000006870000-memory.dmp

memory/3672-9-0x00000000068D0000-0x0000000006954000-memory.dmp

memory/3672-10-0x00000000090A0000-0x000000000913C000-memory.dmp

memory/3672-11-0x0000000074C0E000-0x0000000074C0F000-memory.dmp

memory/3672-12-0x0000000074C00000-0x00000000753B0000-memory.dmp

memory/1380-17-0x0000000002F20000-0x0000000002F56000-memory.dmp

memory/1380-18-0x0000000005AA0000-0x00000000060C8000-memory.dmp

memory/1380-19-0x0000000074C00000-0x00000000753B0000-memory.dmp

memory/1380-20-0x0000000074C00000-0x00000000753B0000-memory.dmp

memory/4556-21-0x0000000074C00000-0x00000000753B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpE03E.tmp

MD5 bad90c04e29072e15739d5db2521fcc6
SHA1 06f879cb4969fe059fa106ebd1ad63186702f60d
SHA256 ac691a3d35070d74b57a06fc406c7a84b38a0d0ee47e7ce1e52039b08eecb81b
SHA512 ce61d9ff017b965bc8c040c70efc51b7680a60d40b905beef5722d58732dbb4ff233c8f3ce899081a57fe5c171f6949e05dc2fb781f84b1980adca84b1b7d705

memory/4556-26-0x0000000074C00000-0x00000000753B0000-memory.dmp

memory/4556-27-0x0000000074C00000-0x00000000753B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uy1kpx4u.p0x.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1380-25-0x00000000060D0000-0x0000000006136000-memory.dmp

memory/1380-24-0x0000000005970000-0x00000000059D6000-memory.dmp

memory/1380-46-0x00000000063E0000-0x0000000006734000-memory.dmp

memory/1380-23-0x0000000005850000-0x0000000005872000-memory.dmp

memory/1876-47-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1380-49-0x0000000006800000-0x000000000681E000-memory.dmp

memory/3672-51-0x0000000074C00000-0x00000000753B0000-memory.dmp

memory/1380-50-0x0000000006D10000-0x0000000006D5C000-memory.dmp

memory/1380-53-0x0000000070200000-0x000000007024C000-memory.dmp

memory/1380-63-0x0000000006E20000-0x0000000006E3E000-memory.dmp

memory/1380-52-0x0000000006DC0000-0x0000000006DF2000-memory.dmp

memory/1380-64-0x0000000007830000-0x00000000078D3000-memory.dmp

memory/1380-65-0x0000000008190000-0x000000000880A000-memory.dmp

memory/1380-66-0x0000000007B50000-0x0000000007B6A000-memory.dmp

memory/4556-67-0x0000000070200000-0x000000007024C000-memory.dmp

memory/1380-77-0x0000000007BC0000-0x0000000007BCA000-memory.dmp

memory/4556-78-0x0000000007890000-0x0000000007926000-memory.dmp

memory/1380-79-0x0000000007D50000-0x0000000007D61000-memory.dmp

memory/1380-82-0x0000000007D80000-0x0000000007D8E000-memory.dmp

memory/1380-83-0x0000000007D90000-0x0000000007DA4000-memory.dmp

memory/1380-84-0x0000000007E90000-0x0000000007EAA000-memory.dmp

memory/1380-85-0x0000000007E70000-0x0000000007E78000-memory.dmp

memory/1380-91-0x0000000074C00000-0x00000000753B0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/4556-92-0x0000000074C00000-0x00000000753B0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0f932eed589a25848ddb3e818c0d5d01
SHA1 229ffc5af7568dc39f9dddc2f01f59897ece1bbd
SHA256 1070bf1a3031187a2017de97e5c6fc3808f988d7f4e1b76f5345fbddce467f05
SHA512 070e32537854619a79f3430a675493bc016294fc0cedef009ae4b02ad6db9f1b0aa196243b87303614f52575ab3dcc9d86c2d52f9c5399deb0cc05c01637e0e8

memory/1876-93-0x0000000006280000-0x00000000062D0000-memory.dmp