Malware Analysis Report

2025-04-13 20:58

Sample ID 250308-dkejja1my5
Target 0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe
SHA256 0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562
Tags
darkcloud discovery execution stealer upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562

Threat Level: Known bad

The file 0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe was found to be: Known bad.

Malicious Activity Summary

darkcloud discovery execution stealer upx

DarkCloud

Darkcloud family

Command and Scripting Interpreter: PowerShell

Checks computer location settings

ACProtect 1.3x - 1.4x DLL software

Uses the VBS compiler for execution

Loads dropped DLL

Suspicious use of SetThreadContext

UPX packed file

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-08 03:03

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-08 03:03

Reported

2025-03-08 03:06

Platform

win7-20240903-en

Max time kernel

147s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe"

Signatures

DarkCloud

stealer darkcloud

Darkcloud family

darkcloud

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2728 set thread context of 800 N/A C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2728 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2728 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2728 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2728 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2728 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2728 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2728 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2728 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2728 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe C:\Windows\SysWOW64\schtasks.exe
PID 2728 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe C:\Windows\SysWOW64\schtasks.exe
PID 2728 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe C:\Windows\SysWOW64\schtasks.exe
PID 2728 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe C:\Windows\SysWOW64\schtasks.exe
PID 2728 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2728 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2728 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2728 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2728 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2728 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2728 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2728 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2728 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe

"C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\xQkCOnXBVqKmW.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xQkCOnXBVqKmW" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA219.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

Network

N/A

Files

memory/2728-0-0x0000000073F4E000-0x0000000073F4F000-memory.dmp

memory/2728-1-0x0000000000B60000-0x0000000000C74000-memory.dmp

memory/2728-2-0x0000000073F40000-0x000000007462E000-memory.dmp

memory/2728-3-0x00000000009F0000-0x0000000000A08000-memory.dmp

memory/2728-4-0x0000000073F4E000-0x0000000073F4F000-memory.dmp

memory/2728-5-0x0000000073F40000-0x000000007462E000-memory.dmp

memory/2728-6-0x00000000050D0000-0x000000000518C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpA219.tmp

MD5 ef2db92ffccccf25738faa62593660ca
SHA1 2e3dd24727cea40561fb6953b1ab788ce54c31dd
SHA256 ef0a5abfc9ccc5337a27ff4c7b956ea208c67ca4756aacf66ee1539cfd0e84e8
SHA512 32e106c4125b27d2e842d05f76a54e8539ecc687174616fdd7b812ab435492517f09d07a94d25179b6bb42e6226cca72dc6b27eebc3b3262edf4d673be4e62a4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YWONGKUF7TVBF90B037D.temp

MD5 2c9f66a16cfecdd58a1a3c7a20d1e3f8
SHA1 dc50c40b075fc2afc1750f4a0fa886667fecd52e
SHA256 28c5115c68cc863a81f62a0a6ef5d6f408d1a335f1e205be7f4269350a6d78d0
SHA512 2b658b156e319bfc1ca6e5ba58282d7ee1a65f7eae4aeafcfe8e0ca84312febf82e77d87813ff63d18d5fbdd7c9a09a355b7172c745c5f7b4d22a4bb255b7bcf

memory/800-19-0x0000000000400000-0x0000000000471000-memory.dmp

memory/800-28-0x0000000000400000-0x0000000000471000-memory.dmp

memory/800-29-0x0000000000400000-0x0000000000471000-memory.dmp

memory/800-23-0x0000000000400000-0x0000000000471000-memory.dmp

memory/800-27-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/800-21-0x0000000000400000-0x0000000000471000-memory.dmp

\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\XPAJOTIY-Admin\vbsqlite3.dll

MD5 073a17b6cfb1112c6c838b2fba06a657
SHA1 a54bb22489eaa8c52eb3e512aee522320530b0be
SHA256 dcfcd16fbf0511d3f2b3792e5493fa22d7291e4bb2efbfa5ade5002a04fc2cab
SHA512 5bc8307350bd8ba09fa9eedddc62f1dba65db62eb09ae64e0adff4dfad0937dbec5b621f294f5980bf77033faac3bfe200945c0280606915ee9a82d34a003b9e

memory/800-38-0x000000006C400000-0x000000006C469000-memory.dmp

memory/2728-39-0x0000000073F40000-0x000000007462E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-08 03:03

Reported

2025-03-08 03:06

Platform

win10v2004-20250217-en

Max time kernel

95s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe"

Signatures

DarkCloud

stealer darkcloud

Darkcloud family

darkcloud

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe N/A

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5000 set thread context of 1180 N/A C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5000 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5000 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5000 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5000 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5000 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5000 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5000 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe C:\Windows\SysWOW64\schtasks.exe
PID 5000 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe C:\Windows\SysWOW64\schtasks.exe
PID 5000 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe C:\Windows\SysWOW64\schtasks.exe
PID 5000 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 5000 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 5000 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 5000 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 5000 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 5000 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 5000 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 5000 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe

"C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0ad44166db3cebf7d7e20e6e5cd49037ecef554aed4180ca8d9f946b8c432562.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\xQkCOnXBVqKmW.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xQkCOnXBVqKmW" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCE3D.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/5000-0-0x0000000074D7E000-0x0000000074D7F000-memory.dmp

memory/5000-1-0x0000000000A90000-0x0000000000BA4000-memory.dmp

memory/5000-2-0x00000000059A0000-0x0000000005F44000-memory.dmp

memory/5000-3-0x0000000005490000-0x0000000005522000-memory.dmp

memory/5000-4-0x0000000005530000-0x00000000055CC000-memory.dmp

memory/5000-5-0x0000000074D70000-0x0000000075520000-memory.dmp

memory/5000-6-0x0000000005480000-0x000000000548A000-memory.dmp

memory/5000-7-0x0000000005940000-0x0000000005958000-memory.dmp

memory/5000-8-0x0000000074D7E000-0x0000000074D7F000-memory.dmp

memory/5000-9-0x0000000074D70000-0x0000000075520000-memory.dmp

memory/5000-10-0x0000000006880000-0x000000000693C000-memory.dmp

memory/940-15-0x0000000002900000-0x0000000002936000-memory.dmp

memory/940-17-0x00000000054E0000-0x0000000005B08000-memory.dmp

memory/940-16-0x0000000074D70000-0x0000000075520000-memory.dmp

memory/940-18-0x0000000074D70000-0x0000000075520000-memory.dmp

memory/940-19-0x0000000074D70000-0x0000000075520000-memory.dmp

memory/3252-21-0x0000000074D70000-0x0000000075520000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpCE3D.tmp

MD5 703d97d13527f76dc42e5eb14b8e39c0
SHA1 cf9f85cb941a72806194c0c1b1f676eb567d8abd
SHA256 23ea2cf01ee9891cd0884b957cfe35876cd26eec6a267692e5ff3e2fd379a139
SHA512 4b279ca54cc7c5a2f67f8675a0c5cfd7607ef92c09575d56c9774d42ea06141d5c4ef6cb24e6059bdaf8bd6fa79b375d22ae0e37612d69944616586597237054

memory/3252-22-0x0000000074D70000-0x0000000075520000-memory.dmp

memory/1180-25-0x0000000000400000-0x0000000000471000-memory.dmp

memory/940-27-0x00000000053F0000-0x0000000005456000-memory.dmp

memory/3252-29-0x0000000074D70000-0x0000000075520000-memory.dmp

memory/940-26-0x0000000005250000-0x0000000005272000-memory.dmp

memory/940-28-0x0000000005460000-0x00000000054C6000-memory.dmp

memory/1180-23-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1180-38-0x0000000000400000-0x0000000000471000-memory.dmp

memory/940-37-0x0000000005C10000-0x0000000005F64000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pvj5iumo.ymv.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5000-43-0x0000000074D70000-0x0000000075520000-memory.dmp

memory/3252-62-0x0000000006470000-0x000000000648E000-memory.dmp

memory/3252-63-0x0000000006500000-0x000000000654C000-memory.dmp

memory/3252-65-0x0000000075600000-0x000000007564C000-memory.dmp

memory/940-77-0x0000000075600000-0x000000007564C000-memory.dmp

memory/3252-76-0x0000000007630000-0x00000000076D3000-memory.dmp

memory/3252-75-0x00000000073D0000-0x00000000073EE000-memory.dmp

memory/3252-64-0x00000000073F0000-0x0000000007422000-memory.dmp

memory/3252-87-0x0000000007DD0000-0x000000000844A000-memory.dmp

memory/3252-88-0x0000000007790000-0x00000000077AA000-memory.dmp

memory/3252-89-0x0000000007800000-0x000000000780A000-memory.dmp

memory/3252-90-0x0000000007A10000-0x0000000007AA6000-memory.dmp

memory/3252-91-0x0000000007990000-0x00000000079A1000-memory.dmp

memory/940-92-0x0000000007770000-0x000000000777E000-memory.dmp

memory/940-93-0x0000000007780000-0x0000000007794000-memory.dmp

memory/3252-94-0x0000000007AD0000-0x0000000007AEA000-memory.dmp

memory/940-95-0x0000000007860000-0x0000000007868000-memory.dmp

memory/940-98-0x0000000074D70000-0x0000000075520000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/3252-102-0x0000000074D70000-0x0000000075520000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f5807b55a31e9893f9c8da883a7c608e
SHA1 1121e037833fd80515a232f424677b186fbe4eef
SHA256 c75ab72e3dbb9e3ae93c1f8151607554c195edc178165c8e96f0e674c6aba02b
SHA512 93d7685c85679793555aaabe2166de5e61b5ab38e2ef579325c7ee6876d86f41e2d01aeb64260643655d0ae1a9fad507ea78bac96cb0cd04bfcdc81d02700ded

memory/1180-103-0x0000000000400000-0x0000000000471000-memory.dmp