Malware Analysis Report

2024-12-01 01:20

Sample ID 241110-bynm9awfrp
Target 207e04af47f9cac9d45b03271eab3f3bf5a46daadc597f1d81e33b78fbb7e1b9
SHA256 207e04af47f9cac9d45b03271eab3f3bf5a46daadc597f1d81e33b78fbb7e1b9
Tags agenttesla discovery execution keylogger spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 207e04af47f9cac9d45b03271eab3f3bf5a46daadc597f1d81e33b78fbb7e1b9

Threat Level: Known bad

The file 207e04af47f9cac9d45b03271eab3f3bf5a46daadc597f1d81e33b78fbb7e1b9 was found to be: Known bad.

Malicious Activity Summary

agenttesla discovery execution keylogger spyware stealer trojan

Agenttesla family

AgentTesla

Command and Scripting Interpreter: PowerShell

Reads user/profile data of local email clients

Checks computer location settings

Reads user/profile data of web browsers

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:33

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 01:33

Reported

2024-11-10 01:35

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\207e04af47f9cac9d45b03271eab3f3bf5a46daadc597f1d81e33b78fbb7e1b9.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Agenttesla family

agenttesla

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\207e04af47f9cac9d45b03271eab3f3bf5a46daadc597f1d81e33b78fbb7e1b9.exe | N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\207e04af47f9cac9d45b03271eab3f3bf5a46daadc597f1d81e33b78fbb7e1b9.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\207e04af47f9cac9d45b03271eab3f3bf5a46daadc597f1d81e33b78fbb7e1b9.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2248 wrote to memory of 4080 (3 entries) | N/A | C:\Users\Admin\AppData\Local\Temp\207e04af47f9cac9d45b03271eab3f3bf5a46daadc597f1d81e33b78fbb7e1b9.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2248 wrote to memory of 2164 (3 entries) | N/A | C:\Users\Admin\AppData\Local\Temp\207e04af47f9cac9d45b03271eab3f3bf5a46daadc597f1d81e33b78fbb7e1b9.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2248 wrote to memory of 5116 (8 entries) | N/A | C:\Users\Admin\AppData\Local\Temp\207e04af47f9cac9d45b03271eab3f3bf5a46daadc597f1d81e33b78fbb7e1b9.exe | C:\Users\Admin\AppData\Local\Temp\207e04af47f9cac9d45b03271eab3f3bf5a46daadc597f1d81e33b78fbb7e1b9.exe

Processes

C:\Users\Admin\AppData\Local\Temp\207e04af47f9cac9d45b03271eab3f3bf5a46daadc597f1d81e33b78fbb7e1b9.exe

"C:\Users\Admin\AppData\Local\Temp\207e04af47f9cac9d45b03271eab3f3bf5a46daadc597f1d81e33b78fbb7e1b9.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\bqkYjAmCJyUE.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bqkYjAmCJyUE" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE2BF.tmp"

C:\Users\Admin\AppData\Local\Temp\207e04af47f9cac9d45b03271eab3f3bf5a46daadc597f1d81e33b78fbb7e1b9.exe

"C:\Users\Admin\AppData\Local\Temp\207e04af47f9cac9d45b03271eab3f3bf5a46daadc597f1d81e33b78fbb7e1b9.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 ftp.fosna.net udp
US 173.254.31.34:21 ftp.fosna.net tcp
US 8.8.8.8:53 34.31.254.173.in-addr.arpa udp
US 173.254.31.34:31320 ftp.fosna.net tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 100.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
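The table above mixes three different things: forward DNS queries, reverse (PTR) queries for addresses under in-addr.arpa, and the TCP connections that actually carried data. Only two of the eleven PTR queries correspond to addresses the table shows a connection to (208.95.112.1 is ip-api.com, 173.254.31.34 is ftp.fosna.net); the table by itself does not say what caused the other nine. The FTP exchange is the part that matters for this family: a control session on tcp/21 followed by a second connection to the same server on tcp/31320, which is the client opening a passive-mode data channel. Both are cleartext, so a packet capture of the run would contain the FTP credentials and the uploaded data. The Win7 run (behavioral1) only got as far as the ip-api.com lookup. The script below is an added example, not part of the report: it copies the rows verbatim and sorts them into those buckets; the list of IP-lookup services and the PASV pairing rule are assumptions of the example.

```python
"""Sort the behavioral2 Network rows into what matters for this sample.

Added example, not from the report: NETWORK_ROWS copies the table verbatim;
the classification (PTR decoding, FTP passive-channel pairing, the IP-lookup
service list) is this example's own logic.
"""
import ipaddress
import re

NETWORK_ROWS = """\
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 ftp.fosna.net udp
US 173.254.31.34:21 ftp.fosna.net tcp
US 8.8.8.8:53 34.31.254.173.in-addr.arpa udp
US 173.254.31.34:31320 ftp.fosna.net tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 100.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
"""

# External-IP services; the report shows ip-api.com. Assumption: not a complete list.
IP_LOOKUP_SERVICES = {"ip-api.com"}
PTR_RE = re.compile(r"((?:\d{1,3}\.){4})in-addr\.arpa")


def parse_rows(text):
    """'US 8.8.8.8:53 ip-api.com udp' -> dict with country, ip, port, domain, proto."""
    rows = []
    for line in text.splitlines():
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """Decode a reverse-lookup name: '1.112.95.208.in-addr.arpa' -> '208.95.112.1'."""
    m = PTR_RE.fullmatch(name)
    if not m:
        return None
    octets = m.group(1).rstrip(".").split(".")
    return str(ipaddress.IPv4Address(".".join(reversed(octets))))


def classify(rows):
    """Bucket the rows: ftp, ip_lookup, other_tcp, dns_queries, ptr_contacted, ptr_other."""
    tcp = [r for r in rows if r["proto"] == "tcp"]
    contacted = {r["ip"] for r in tcp}
    ftp_hosts = {r["ip"] for r in tcp if r["port"] == 21}
    out = {"ftp": [], "ip_lookup": [], "other_tcp": [],
           "dns_queries": [], "ptr_contacted": [], "ptr_other": []}
    for ip in sorted(ftp_hosts):
        # After the control session on tcp/21 the client opened another TCP
        # connection to the same server on a high port: the passive-mode (PASV)
        # data channel, i.e. where the uploaded data actually went.
        domain = next(r["domain"] for r in tcp if r["ip"] == ip and r["port"] == 21)
        data_ports = sorted(r["port"] for r in tcp if r["ip"] == ip and r["port"] != 21)
        out["ftp"].append((ip, domain, data_ports))
    for r in tcp:
        if r["ip"] in ftp_hosts:
            continue
        bucket = "ip_lookup" if r["domain"] in IP_LOOKUP_SERVICES else "other_tcp"
        out[bucket].append((r["ip"], r["port"], r["domain"]))
    for r in rows:
        if r["proto"] != "udp" or r["port"] != 53:
            continue
        ip = ptr_to_ip(r["domain"])
        if ip is None:
            out["dns_queries"].append(r["domain"])
        elif ip in contacted:
            out["ptr_contacted"].append(ip)
        else:
            # Reverse lookups of addresses with no connection in the table; the
            # table alone cannot tell whether the sample or the OS caused them.
            out["ptr_other"].append(ip)
    return out


if __name__ == "__main__":
    for key, items in classify(parse_rows(NETWORK_ROWS)).items():
        print(f"{key:14} {items}")
```

Running it yields one FTP server with a single data port (31320), one IP-lookup connection, no other TCP traffic, and nine unexplained PTR names; feeding the behavioral1 rows through the same code gives only the ip_lookup bucket.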

Files

memory/2248-0-0x000000007483E000-0x000000007483F000-memory.dmp

memory/2248-1-0x0000000000B90000-0x0000000000C34000-memory.dmp

memory/2248-2-0x0000000005C10000-0x00000000061B4000-memory.dmp

memory/2248-3-0x0000000005660000-0x00000000056F2000-memory.dmp

memory/2248-4-0x0000000005620000-0x000000000562A000-memory.dmp

memory/2248-5-0x00000000058C0000-0x000000000595C000-memory.dmp

memory/2248-6-0x0000000074830000-0x0000000074FE0000-memory.dmp

memory/2248-7-0x0000000005BE0000-0x0000000005BF2000-memory.dmp

memory/2248-8-0x000000007483E000-0x000000007483F000-memory.dmp

memory/2248-9-0x0000000074830000-0x0000000074FE0000-memory.dmp

memory/2248-10-0x00000000074D0000-0x0000000007554000-memory.dmp

memory/4080-15-0x00000000025B0000-0x00000000025E6000-memory.dmp

memory/4080-17-0x0000000005010000-0x0000000005638000-memory.dmp

memory/4080-16-0x0000000074830000-0x0000000074FE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpE2BF.tmp

MD5 86d942e6c43bf77d7b0669d164faaa2c
SHA1 16a3a5f0fbb9afdfe98c57d120da5afbc2328f0c
SHA256 070f04785b38a7a7ffaef1b407d38b042580728e3a82a6c9eb791c583c444aad
SHA512 26cb5d983b468f135558311ca9387fe467b1622ba1ce88814461987e140e96f4dcb9ecf24070f23a4559d3b5404875894ccc361f24357b468c09dd926662bde7

memory/4080-22-0x00000000056B0000-0x0000000005716000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bgk2b2kt.dsh.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4080-33-0x0000000005890000-0x0000000005BE4000-memory.dmp

memory/4080-21-0x0000000005640000-0x00000000056A6000-memory.dmp

memory/4080-20-0x0000000004F30000-0x0000000004F52000-memory.dmp

memory/5116-32-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4080-19-0x0000000074830000-0x0000000074FE0000-memory.dmp

memory/4080-34-0x0000000074830000-0x0000000074FE0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\207e04af47f9cac9d45b03271eab3f3bf5a46daadc597f1d81e33b78fbb7e1b9.exe.log

MD5 8ec831f3e3a3f77e4a7b9cd32b48384c
SHA1 d83f09fd87c5bd86e045873c231c14836e76a05c
SHA256 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA512 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

memory/5116-37-0x0000000074830000-0x0000000074FE0000-memory.dmp

memory/2248-38-0x0000000074830000-0x0000000074FE0000-memory.dmp

memory/4080-39-0x0000000005EF0000-0x0000000005F0E000-memory.dmp

memory/4080-40-0x0000000005F70000-0x0000000005FBC000-memory.dmp

memory/4080-41-0x0000000006EB0000-0x0000000006EE2000-memory.dmp

memory/4080-42-0x0000000075090000-0x00000000750DC000-memory.dmp

memory/4080-52-0x00000000064B0000-0x00000000064CE000-memory.dmp

memory/4080-53-0x00000000070F0000-0x0000000007193000-memory.dmp

memory/4080-55-0x0000000007200000-0x000000000721A000-memory.dmp

memory/4080-54-0x0000000007840000-0x0000000007EBA000-memory.dmp

memory/4080-56-0x0000000007270000-0x000000000727A000-memory.dmp

memory/4080-57-0x0000000007480000-0x0000000007516000-memory.dmp

memory/4080-58-0x0000000007400000-0x0000000007411000-memory.dmp

memory/5116-59-0x0000000006BE0000-0x0000000006C30000-memory.dmp

memory/4080-60-0x0000000007430000-0x000000000743E000-memory.dmp

memory/4080-61-0x0000000007440000-0x0000000007454000-memory.dmp

memory/4080-62-0x0000000007540000-0x000000000755A000-memory.dmp

memory/4080-63-0x0000000007520000-0x0000000007528000-memory.dmp

memory/4080-66-0x0000000074830000-0x0000000074FE0000-memory.dmp

memory/5116-67-0x0000000074830000-0x0000000074FE0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:33

Reported

2024-11-10 01:35

Platform

win7-20241023-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\207e04af47f9cac9d45b03271eab3f3bf5a46daadc597f1d81e33b78fbb7e1b9.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Agenttesla family

agenttesla

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\207e04af47f9cac9d45b03271eab3f3bf5a46daadc597f1d81e33b78fbb7e1b9.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\207e04af47f9cac9d45b03271eab3f3bf5a46daadc597f1d81e33b78fbb7e1b9.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1388 wrote to memory of 2808 (4 entries) | N/A | C:\Users\Admin\AppData\Local\Temp\207e04af47f9cac9d45b03271eab3f3bf5a46daadc597f1d81e33b78fbb7e1b9.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1388 wrote to memory of 2876 (4 entries) | N/A | C:\Users\Admin\AppData\Local\Temp\207e04af47f9cac9d45b03271eab3f3bf5a46daadc597f1d81e33b78fbb7e1b9.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1388 wrote to memory of 2796 (9 entries) | N/A | C:\Users\Admin\AppData\Local\Temp\207e04af47f9cac9d45b03271eab3f3bf5a46daadc597f1d81e33b78fbb7e1b9.exe | C:\Users\Admin\AppData\Local\Temp\207e04af47f9cac9d45b03271eab3f3bf5a46daadc597f1d81e33b78fbb7e1b9.exe
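The WriteProcessMemory tables of both runs show the same shape: a few writes from the sample into each freshly started powershell.exe and schtasks.exe, and many more writes into a second copy of the sample itself (2248 into 5116 in the Win10 run, 1388 into 2796 in the Win7 run). Process creation itself typically produces a small number of parent writes into every new child, so the low counts are not injection evidence on their own; a large number of writes into a child that runs the parent's own image, together with the "Suspicious use of SetThreadContext" signature in the summary, is the process-hollowing pattern. The Files sections back this up: in both runs the self-spawned child has a dumped region at 0x400000-0x442000, the usual image base of a 32-bit EXE, of the same size (0x42000 bytes). The script below is an added example, not from the report: it reproduces the rows of both tables and a few of the dump names, aggregates the writes, labels each parent-to-child stream, and lists which dumps of the hollowed child to open first. The threshold of four writes, the labels, and the dump-name parsing are the example's own assumptions.

```python
"""Aggregate the 'Suspicious use of WriteProcessMemory' rows of both runs and
pick the memory dumps to open first.

Added example, not from the report: WRITE_ROWS and DUMPS reproduce rows from
the report (run labels added); the baseline threshold, the labels and the
dump-name parsing are this example's assumptions.
"""
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\207e04af47f9cac9d45b03271eab3f3bf5a46daadc597f1d81e33b78fbb7e1b9.exe")
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
ST = r"C:\Windows\SysWOW64\schtasks.exe"

# (run, description, source image, target image), one tuple per table row.
WRITE_ROWS = (
    [("behavioral2", "PID 2248 wrote to memory of 4080", SAMPLE, PS)] * 3
    + [("behavioral2", "PID 2248 wrote to memory of 2164", SAMPLE, ST)] * 3
    + [("behavioral2", "PID 2248 wrote to memory of 5116", SAMPLE, SAMPLE)] * 8
    + [("behavioral1", "PID 1388 wrote to memory of 2808", SAMPLE, PS)] * 4
    + [("behavioral1", "PID 1388 wrote to memory of 2876", SAMPLE, ST)] * 4
    + [("behavioral1", "PID 1388 wrote to memory of 2796", SAMPLE, SAMPLE)] * 9
)
# A few of the dump names from the Files sections (a repeated region kept on purpose).
DUMPS = [
    "memory/5116-32-0x0000000000400000-0x0000000000442000-memory.dmp",
    "memory/5116-37-0x0000000074830000-0x0000000074FE0000-memory.dmp",
    "memory/5116-59-0x0000000006BE0000-0x0000000006C30000-memory.dmp",
    "memory/2796-14-0x0000000000400000-0x0000000000442000-memory.dmp",
    "memory/2796-16-0x0000000000400000-0x0000000000442000-memory.dmp",
    "memory/2796-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp",
]

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def aggregate(rows):
    """(run, src pid, dst pid) -> {'count', 'src_image', 'dst_image'}."""
    agg = {}
    for run, desc, src_img, dst_img in rows:
        src, dst = (int(x) for x in ROW_RE.fullmatch(desc).groups())
        entry = agg.setdefault((run, src, dst),
                               {"count": 0, "src_image": src_img, "dst_image": dst_img})
        entry["count"] += 1
    return agg


def classify(agg, baseline=4):
    """Label each parent->child write stream.

    Process creation itself produces a few parent writes into every new child,
    so a count at or below `baseline` (assumed value) is not injection evidence.
    Many writes into a child that runs the parent's own image is the hollowing
    pattern; the report's SetThreadContext signature is the matching second half.
    """
    labels = {}
    for key, a in agg.items():
        same_image = a["src_image"].lower() == a["dst_image"].lower()
        if a["count"] <= baseline:
            labels[key] = "creation_baseline"
        elif same_image:
            labels[key] = "hollowing_candidate"
        else:
            labels[key] = "review"
    return labels


def dump_regions(names):
    """pid -> sorted list of distinct (base, size) regions from the dump file names."""
    regions = {}
    for n in names:
        m = DUMP_RE.fullmatch(n)
        if m:
            pid, lo, hi = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
            regions.setdefault(pid, set()).add((lo, hi - lo))
    return {pid: sorted(r) for pid, r in regions.items()}


def first_look(labels, regions):
    """For every hollowing candidate, the dumped regions of the target process.
    A region based at 0x400000 (the usual 32-bit EXE image base) is where a
    payload mapped over the child's original image would be found."""
    return {(run, dst): regions.get(dst, [])
            for (run, src, dst), label in labels.items() if label == "hollowing_candidate"}


if __name__ == "__main__":
    labels = classify(aggregate(WRITE_ROWS))
    for key, label in sorted(labels.items()):
        print(key, label)
    for key, regs in first_look(labels, dump_regions(DUMPS)).items():
        print(key, [(hex(b), hex(s)) for b, s in regs])
```

The same-image check is deliberately the last condition: a high write count into a different image (the "review" label) is still worth a look, it just is not this report's pattern.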

Processes

C:\Users\Admin\AppData\Local\Temp\207e04af47f9cac9d45b03271eab3f3bf5a46daadc597f1d81e33b78fbb7e1b9.exe

"C:\Users\Admin\AppData\Local\Temp\207e04af47f9cac9d45b03271eab3f3bf5a46daadc597f1d81e33b78fbb7e1b9.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\bqkYjAmCJyUE.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bqkYjAmCJyUE" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD22D.tmp"

C:\Users\Admin\AppData\Local\Temp\207e04af47f9cac9d45b03271eab3f3bf5a46daadc597f1d81e33b78fbb7e1b9.exe

"C:\Users\Admin\AppData\Local\Temp\207e04af47f9cac9d45b03271eab3f3bf5a46daadc597f1d81e33b78fbb7e1b9.exe"
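The process lists of both runs are identical apart from the temp file name passed to schtasks (tmpE2BF.tmp on Win10, tmpD22D.tmp on Win7). Three details are worth pulling out. First, the process image is under C:\Windows\SysWOW64 while the command line names C:\Windows\System32: the sample is a 32-bit .NET program (see the CLR_v4.0_32\UsageLogs entry in the Files section), so WOW64 file-system redirection sends its System32 launches to SysWOW64; match on the file name, not the full path. Second, the Defender exclusion and the scheduled task share the name bqkYjAmCJyUE: the exclusion covers C:\Users\Admin\AppData\Roaming\bqkYjAmCJyUE.exe and the task is Updates\bqkYjAmCJyUE, but neither run's Files section records that .exe being written, so the exclusion was registered ahead of the drop. Add-MpPreference also needs administrative rights, and the report does not say whether the call succeeded. Third, the task is created from an XML file in the user's Temp directory, which is where an unprivileged installer would stage it. The script below is an added example, not from the report: it reconstructs the behavioral2 chain as Sysmon-style process-creation events and applies those three checks; the parent links (and the made-up ppid 1000 for the first process), the field names and the rules are assumptions of the example.

```python
"""Triage the process-creation chain recorded in the Processes sections.

Added example, not part of the report: EVENTS reproduces the images and command
lines of the behavioral2 run (PIDs from its WriteProcessMemory table); the
parent/child links, the Sysmon-style field names and the rules are assumptions.
"""
import re
from pathlib import PureWindowsPath

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\207e04af47f9cac9d45b03271eab3f3bf5a46daadc597f1d81e33b78fbb7e1b9.exe")

# Constructed process-creation events (ppid 1000 for the first process is made up).
EVENTS = [
    {"pid": 2248, "ppid": 1000, "image": SAMPLE, "cmd": f'"{SAMPLE}"'},
    {"pid": 4080, "ppid": 2248,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
            r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\bqkYjAmCJyUE.exe"'},
    {"pid": 2164, "ppid": 2248, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmd": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bqkYjAmCJyUE" '
            r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpE2BF.tmp"'},
    {"pid": 5116, "ppid": 2248, "image": SAMPLE, "cmd": f'"{SAMPLE}"'},
]

# Paths a standard user can write to; a task definition staged here is a hint
# that nothing with admin rights installed it.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)


def tokenize(cmd):
    """Split a Windows command line, keeping double-quoted arguments whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def arg_after(tokens, flag):
    """Value following a flag such as /XML or -ExclusionPath (case-insensitive)."""
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() == flag.lower():
            return tokens[i + 1]
    return None


def triage(events):
    """Return (rule, pid, detail) findings for one process tree.

    Matching is on the image file name, not the full path: a 32-bit parent
    starts System32 tools through WOW64 redirection, so the image path is
    SysWOW64 while the command line still says System32.
    """
    by_pid = {e["pid"]: e for e in events}
    findings, exclusions, tasks = [], {}, {}
    for e in events:
        name = PureWindowsPath(e["image"]).name.lower()
        toks = tokenize(e["cmd"])
        if name == "powershell.exe" and any(t.lower() == "add-mppreference" for t in toks):
            path = arg_after(toks, "-ExclusionPath")
            if path:
                exclusions[e["pid"]] = path
                findings.append(("defender_exclusion", e["pid"], path))
        if name == "schtasks.exe" and any(t.lower() == "/create" for t in toks):
            xml, task = arg_after(toks, "/XML"), arg_after(toks, "/TN")
            if xml and USER_WRITABLE.search(xml):
                tasks[e["pid"]] = task
                findings.append(("schtask_from_user_temp_xml", e["pid"], task))
        parent = by_pid.get(e["ppid"])
        if parent and parent["image"].lower() == e["image"].lower():
            # Self-spawn alone is weak evidence; it becomes strong together with
            # the cross-process writes and SetThreadContext listed in the report.
            findings.append(("self_spawn", e["pid"], parent["pid"]))
    # The exclusion and the task point at the same name: one staging location.
    for path in exclusions.values():
        for task in tasks.values():
            if task and PureWindowsPath(task).name.lower() == PureWindowsPath(path).stem.lower():
                findings.append(("exclusion_matches_task", None, f"{task} -> {path}"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in triage(EVENTS):
        print(f"{rule:28} pid={pid} {detail}")
```

On a live host the same three artefacts are what to look for: an exclusion path under a user profile in the Defender preferences, a task under the Updates\ folder of the Task Scheduler library, and the staged executable itself if it has been written by then.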

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp

Files

memory/1388-0-0x00000000748AE000-0x00000000748AF000-memory.dmp

memory/1388-1-0x0000000001320000-0x00000000013C4000-memory.dmp

memory/1388-2-0x00000000748A0000-0x0000000074F8E000-memory.dmp

memory/1388-3-0x0000000000520000-0x0000000000532000-memory.dmp

memory/1388-4-0x00000000748AE000-0x00000000748AF000-memory.dmp

memory/1388-5-0x00000000748A0000-0x0000000074F8E000-memory.dmp

memory/1388-6-0x0000000005AB0000-0x0000000005B34000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpD22D.tmp

MD5 d3b007d63b2088c4adde09b27b4ca8b5
SHA1 90423b66c44437b82f108fe131e18da4c0e52c5c
SHA256 88d3ac5ff585bffca15f0bb8c88e17a8298e67a58587ec8a081d82d7b10dd30f
SHA512 231140a69c1fbeef96f722e9cd0b8f294632aae171a687094fb5a0bdbc379b56ee49ecccc6b162f11d077177c1bb78e8619116ee65ec614c4d69bf04c17022eb

memory/2796-16-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2796-23-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2796-26-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2796-24-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2796-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2796-20-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2796-18-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2796-14-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1388-27-0x00000000748A0000-0x0000000074F8E000-memory.dmp