Malware Analysis Report

2024-11-30 05:43

Sample ID: 240619-smw9pasemc
Target: 1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe
SHA256: 1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1
Tags: execution agenttesla keylogger persistence spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1

Threat Level: Known bad

The file 1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe was found to be: Known bad.

Malicious Activity Summary

execution agenttesla keylogger persistence spyware stealer trojan

AgentTesla

Command and Scripting Interpreter: PowerShell

Reads data files stored by FTP clients

Checks computer location settings

Reads user/profile data of web browsers

Reads WinSCP keys stored on the system

Reads user/profile data of local email clients

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-19 15:15

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-19 15:15
Reported: 2024-06-19 15:17
Platform: win7-20240220-en
Max time kernel: 118s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe"

Signatures

Command and Scripting Interpreter: PowerShell

Tags: execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

Tags: persistence execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2912 wrote to memory of 2468 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2912 wrote to memory of 2468 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2912 wrote to memory of 2468 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2912 wrote to memory of 2468 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2912 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2912 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2912 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2912 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2912 wrote to memory of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2912 wrote to memory of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2912 wrote to memory of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2912 wrote to memory of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2912 wrote to memory of 2388 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe
PID 2912 wrote to memory of 2388 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe
PID 2912 wrote to memory of 2388 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe
PID 2912 wrote to memory of 2388 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe
PID 2912 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe
PID 2912 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe
PID 2912 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe
PID 2912 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe
PID 2912 wrote to memory of 1928 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe
PID 2912 wrote to memory of 1928 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe
PID 2912 wrote to memory of 1928 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe
PID 2912 wrote to memory of 1928 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe
PID 2912 wrote to memory of 2344 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe
PID 2912 wrote to memory of 2344 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe
PID 2912 wrote to memory of 2344 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe
PID 2912 wrote to memory of 2344 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe
PID 2912 wrote to memory of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe
PID 2912 wrote to memory of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe
PID 2912 wrote to memory of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe
PID 2912 wrote to memory of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe

"C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ZgvUYcgWaiQFD.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZgvUYcgWaiQFD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3A14.tmp"

C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe

"C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe"

C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe

"C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe"

C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe

"C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe"

C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe

"C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe"

C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe

"C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe"

Network

N/A

Files

memory/2912-0-0x000000007423E000-0x000000007423F000-memory.dmp

memory/2912-1-0x00000000003B0000-0x0000000000458000-memory.dmp

memory/2912-2-0x0000000074230000-0x000000007491E000-memory.dmp

memory/2912-3-0x0000000000320000-0x0000000000332000-memory.dmp

memory/2912-4-0x0000000000390000-0x0000000000398000-memory.dmp

memory/2912-5-0x00000000003A0000-0x00000000003AC000-memory.dmp

memory/2912-6-0x0000000005A30000-0x0000000005AB4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp3A14.tmp

MD5 1eb12d62ea619759d948c3103ef39034
SHA1 3d1987ee8cc1eeb03a237bfae2935ff80fc3a842
SHA256 7869c5e2073acd6921dabe63c1e90a6fb4354eebb1fe1e3442b9bf40aab69f51
SHA512 f2172e9eaa9f99d63497805f19c6dcfdfb609ae9b8fc480871e514619d115ded62768acb83063d1fc370966670738a58ca30f3ea0888628b4f4c8cc1aafe900b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2STPEZU2VPBQJCMOD3L5.temp

MD5 44a0111a36d2acd9eb5d834a2f3879a1
SHA1 8901d18f2fadb87f6ef2ee91de6bfc6b23a827fc
SHA256 a067b5482cc6d58a84d4bb5a8f7459306eaefa4c94c3807ead092e03f53f6e69
SHA512 c9f16a5851a0d086ba191f3e1528698ce58542886a6c2d4dff79c2b82a52bbad3ae5222b352694c204a14ae4c092e1216be9dd61f5a4feed529b163c5b8126a6

memory/2912-19-0x0000000074230000-0x000000007491E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-19 15:15
Reported: 2024-06-19 15:17
Platform: win10v2004-20240508-en
Max time kernel: 51s
Max time network: 54s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe"

Signatures

AgentTesla

Tags: keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell

Tags: execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | N/A

Reads WinSCP keys stored on the system

Tags: spyware stealer

Reads data files stored by FTP clients

Tags: spyware stealer

Reads user/profile data of local email clients

Tags: spyware stealer

Reads user/profile data of web browsers

Tags: spyware stealer

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\My App = "C:\\Users\\Admin\\AppData\\Roaming\\My App\\My App.exe" | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

Tags: persistence execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4712 wrote to memory of 4748 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4712 wrote to memory of 4748 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4712 wrote to memory of 4748 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4712 wrote to memory of 4808 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4712 wrote to memory of 4808 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4712 wrote to memory of 4808 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4712 wrote to memory of 3720 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4712 wrote to memory of 3720 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4712 wrote to memory of 3720 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4712 wrote to memory of 4508 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe
PID 4712 wrote to memory of 4508 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe
PID 4712 wrote to memory of 4508 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe
PID 4712 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe
PID 4712 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe
PID 4712 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe
PID 4712 wrote to memory of 3248 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe
PID 4712 wrote to memory of 3248 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe
PID 4712 wrote to memory of 3248 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe
PID 4712 wrote to memory of 3248 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe
PID 4712 wrote to memory of 3248 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe
PID 4712 wrote to memory of 3248 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe
PID 4712 wrote to memory of 3248 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe
PID 4712 wrote to memory of 3248 | N/A | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe | C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe

"C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ZgvUYcgWaiQFD.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZgvUYcgWaiQFD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp78CA.tmp"

C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe

"C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe"

C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe

"C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe"

C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe

"C:\Users\Admin\AppData\Local\Temp\1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | api.ipify.org | udp
US | 8.8.8.8:53 | mail.naubahar.com | udp

Files

memory/4712-0-0x00000000751FE000-0x00000000751FF000-memory.dmp

memory/4712-1-0x0000000000300000-0x00000000003A8000-memory.dmp

memory/4712-2-0x00000000053D0000-0x0000000005974000-memory.dmp

memory/4712-3-0x0000000004E20000-0x0000000004EB2000-memory.dmp

memory/4712-4-0x0000000004DA0000-0x0000000004DAA000-memory.dmp

memory/4712-5-0x0000000005070000-0x000000000510C000-memory.dmp

memory/4712-6-0x00000000751F0000-0x00000000759A0000-memory.dmp

memory/4712-7-0x0000000005010000-0x0000000005022000-memory.dmp

memory/4712-8-0x0000000006080000-0x0000000006088000-memory.dmp

memory/4712-9-0x0000000006090000-0x000000000609C000-memory.dmp

memory/4712-10-0x00000000060E0000-0x0000000006164000-memory.dmp

memory/4748-15-0x00000000027E0000-0x0000000002816000-memory.dmp

memory/4748-16-0x00000000751F0000-0x00000000759A0000-memory.dmp

memory/4748-17-0x00000000051B0000-0x00000000057D8000-memory.dmp

memory/4748-21-0x00000000751F0000-0x00000000759A0000-memory.dmp

memory/4748-20-0x0000000005850000-0x00000000058B6000-memory.dmp

memory/4748-19-0x00000000057E0000-0x0000000005846000-memory.dmp

memory/4748-22-0x00000000751F0000-0x00000000759A0000-memory.dmp

memory/4748-18-0x0000000005100000-0x0000000005122000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fkbmvzb4.qst.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\tmp78CA.tmp

MD5 c988b1d9ed8a78cbbe9a679e68974613
SHA1 34f0770cca6255b7390b1156c9c5240a277fd394
SHA256 92a5c138f911063a9a6e7d0d3c953157294c41847f45c7a3f2d4cb26fc0af274
SHA512 4dc2d34e2258d26e905dff6c655d14201eab228401c495726bc8bca7e2c8d487e74feb10be0f7b6c5cf4ba4ee1592a185c316e0e6d02b33c29d53871d7d79c95

memory/4748-23-0x0000000005940000-0x0000000005C94000-memory.dmp

memory/3248-43-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4712-45-0x00000000751F0000-0x00000000759A0000-memory.dmp

memory/4748-46-0x00000000060D0000-0x00000000060EE000-memory.dmp

memory/4748-47-0x0000000006160000-0x00000000061AC000-memory.dmp

memory/4748-48-0x0000000007080000-0x00000000070B2000-memory.dmp

memory/4748-49-0x0000000075AA0000-0x0000000075AEC000-memory.dmp

memory/4808-61-0x0000000075AA0000-0x0000000075AEC000-memory.dmp

memory/4748-60-0x00000000072C0000-0x0000000007363000-memory.dmp

memory/4748-59-0x0000000007040000-0x000000000705E000-memory.dmp

memory/4748-71-0x0000000007A40000-0x00000000080BA000-memory.dmp

memory/4748-72-0x00000000073F0000-0x000000000740A000-memory.dmp

memory/4748-73-0x0000000007470000-0x000000000747A000-memory.dmp

memory/4808-74-0x0000000007420000-0x00000000074B6000-memory.dmp

memory/4748-75-0x00000000075F0000-0x0000000007601000-memory.dmp

memory/4808-76-0x00000000073D0000-0x00000000073DE000-memory.dmp

memory/4748-77-0x0000000007630000-0x0000000007644000-memory.dmp

memory/4808-78-0x00000000074E0000-0x00000000074FA000-memory.dmp

memory/4748-79-0x0000000007710000-0x0000000007718000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d079d093db369978c4496c60e40f516
SHA1 81ad1833cc32a622fce38dd5a03cbde80abae1b6
SHA256 e83415c9a8f80e6611ee6506c0f6e892c502ae0d790ce2c775b32288a8c00f47
SHA512 33a48841765ce9c1d8ba4debf3918dc87088821d93b0f53019c80fe5e05d1ca5ab1cbbdc71b72df2aca7e1d500143cf21d46941cbf5cbdf7b38cf9e5457d9178

memory/4748-85-0x00000000751F0000-0x00000000759A0000-memory.dmp

memory/3248-87-0x00000000068B0000-0x0000000006900000-memory.dmp