Malware Analysis Report

2025-05-28 14:54

Sample ID 240821-c39lyszejr
Target f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe
SHA256 f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d
Tags vipkeylogger collection credential_access discovery execution keylogger spyware stealer
Score 10/10


Analysis Overview

Score 10/10

SHA256 f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d

Threat Level: Known bad

The file f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe was found to be: Known bad.

Malicious Activity Summary

vipkeylogger collection credential_access discovery execution keylogger spyware stealer

VIPKeylogger

Credentials from Password Stores: Credentials from Web Browsers

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Checks computer location settings

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Program crash

Browser Information Discovery

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

outlook_win_path

outlook_office_path

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-21 02:37

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-21 02:37

Reported

2024-08-21 02:39

Platform

win7-20240705-en

Max time kernel

121s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | checkip.dyndns.org | N/A | N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1108 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1108 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1108 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1108 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1108 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1108 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1108 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1108 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1108 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1108 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1108 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1108 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1108 wrote to memory of 2480 | N/A | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe
PID 1108 wrote to memory of 2480 | N/A | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe
PID 1108 wrote to memory of 2480 | N/A | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe
PID 1108 wrote to memory of 2480 | N/A | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe
PID 1108 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe
PID 1108 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe
PID 1108 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe
PID 1108 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe
PID 1108 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe
PID 1108 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe
PID 1108 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe
PID 1108 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe
PID 1108 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe

"C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hlxwOGwWpD.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hlxwOGwWpD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2B74.tmp"

C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe

"C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe"

C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe

"C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | checkip.dyndns.org | udp
BR | 132.226.247.73:80 | checkip.dyndns.org | tcp
US | 8.8.8.8:53 | reallyfreegeoip.org | udp
US | 104.21.67.152:443 | reallyfreegeoip.org | tcp
US | 8.8.8.8:53 | api.telegram.org | udp
NL | 149.154.167.220:443 | api.telegram.org | tcp

Files

memory/1108-0-0x000000007498E000-0x000000007498F000-memory.dmp

memory/1108-1-0x0000000000150000-0x0000000000228000-memory.dmp

memory/1108-2-0x0000000074980000-0x000000007506E000-memory.dmp

memory/1108-3-0x00000000005B0000-0x00000000005C2000-memory.dmp

memory/1108-4-0x000000007498E000-0x000000007498F000-memory.dmp

memory/1108-5-0x0000000074980000-0x000000007506E000-memory.dmp

memory/1108-6-0x0000000000640000-0x0000000000650000-memory.dmp

memory/1108-7-0x0000000004380000-0x000000000440C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 31e1a6285808699412665d6259460e20
SHA1 4e42f80057ae8b86a3c0a66f1d4a40042f4dcfde
SHA256 4f08bb5badb83db9dee373c0342c3d590d8335bd4ba19503d57bd79387718005
SHA512 6abfde9dbb7230b8226224ac0fd31e59ff9a087713aa93c77cd50165128ea3e081684fec9034caccd31f3b09dfccf534a9c2cc15fe1690aced63a81b0edf23a1

C:\Users\Admin\AppData\Local\Temp\tmp2B74.tmp

MD5 2580bd58acbb21c61425cdbcc0227204
SHA1 c5a8be0bc3dd3ae2a50a596813960b3ec447866f
SHA256 688fbb41d0ea8fcc972e6e53ba5239a2fa16d49427627f78d86513d53bdc13a9
SHA512 9eb260d7b687dc768cd6b968f39a5214b51be79f124d8df6ca41440cb3a9a71f02c5c5ab36642c0da8aab75269c49319edc3cbc3a7b95a28d5aab911ba98d6dc

memory/2640-24-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2640-22-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2640-20-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2640-31-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2640-30-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2640-29-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2640-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2640-26-0x0000000000400000-0x0000000000448000-memory.dmp

memory/1108-32-0x0000000074980000-0x000000007506E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-21 02:37

Reported

2024-08-21 02:39

Platform

win10v2004-20240802-en

Max time kernel

140s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | checkip.dyndns.org | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2976 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 1608 | N/A | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 1608 | N/A | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 1608 | N/A | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 4844 | N/A | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2976 wrote to memory of 4844 | N/A | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2976 wrote to memory of 4844 | N/A | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2976 wrote to memory of 4632 | N/A | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe
PID 2976 wrote to memory of 4632 | N/A | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe
PID 2976 wrote to memory of 4632 | N/A | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe
PID 2976 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe
PID 2976 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe
PID 2976 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe
PID 2976 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe
PID 2976 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe
PID 2976 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe
PID 2976 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe
PID 2976 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe | C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe

"C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hlxwOGwWpD.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hlxwOGwWpD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp16B0.tmp"

C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe

"C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe"

C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe

"C:\Users\Admin\AppData\Local\Temp\f5dcef48d10d26c35b7123ed8b8281eb18b0aabd2fba48509da1d75732804d0d.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1916 -ip 1916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 1484

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 13.107.21.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | checkip.dyndns.org | udp
JP | 132.226.8.169:80 | checkip.dyndns.org | tcp
US | 8.8.8.8:53 | 169.8.226.132.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp

Files

memory/2976-0-0x000000007528E000-0x000000007528F000-memory.dmp

memory/2976-1-0x0000000000F20000-0x0000000000FF8000-memory.dmp

memory/2976-2-0x0000000005FF0000-0x0000000006594000-memory.dmp

memory/2976-3-0x0000000005A40000-0x0000000005AD2000-memory.dmp

memory/2976-4-0x00000000059D0000-0x00000000059DA000-memory.dmp

memory/2976-5-0x0000000075280000-0x0000000075A30000-memory.dmp

memory/2976-6-0x00000000086C0000-0x00000000086D2000-memory.dmp

memory/2976-7-0x000000007528E000-0x000000007528F000-memory.dmp

memory/2976-8-0x0000000075280000-0x0000000075A30000-memory.dmp

memory/2976-9-0x0000000006CA0000-0x0000000006CB0000-memory.dmp

memory/2976-10-0x0000000006D00000-0x0000000006D8C000-memory.dmp

memory/2976-11-0x0000000006F80000-0x000000000701C000-memory.dmp

memory/2392-16-0x0000000004F00000-0x0000000004F36000-memory.dmp

memory/2392-18-0x0000000075280000-0x0000000075A30000-memory.dmp

memory/2392-17-0x00000000055C0000-0x0000000005BE8000-memory.dmp

memory/2392-20-0x0000000005470000-0x00000000054D6000-memory.dmp

memory/2392-22-0x0000000075280000-0x0000000075A30000-memory.dmp

memory/2392-21-0x00000000054E0000-0x0000000005546000-memory.dmp

memory/2392-23-0x0000000005D70000-0x00000000060C4000-memory.dmp

memory/2392-19-0x00000000053D0000-0x00000000053F2000-memory.dmp

memory/2392-24-0x0000000075280000-0x0000000075A30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e5pkeg5s.znf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\tmp16B0.tmp

MD5 ebd40643c05d1ed13d46336274166383
SHA1 82dd35a4aba85904c5c6b2db73f35a32367ec310
SHA256 585b5763f8c6eacd1d773fbb08a98504f100e33fcf880d681bf30661797674de
SHA512 373fe1fa477098df1037e46d241f2fb30b21710a1155ebfffc04379ed7b0cd5654218f70008eefa0afbd9f65699f3dc2a9f188f5cc9e06a143e8e87e5b126809

memory/1916-35-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2976-46-0x0000000075280000-0x0000000075A30000-memory.dmp

memory/2392-47-0x0000000006480000-0x000000000649E000-memory.dmp

memory/2392-48-0x00000000064B0000-0x00000000064FC000-memory.dmp

memory/2392-49-0x0000000007420000-0x0000000007452000-memory.dmp

memory/2392-50-0x0000000075B00000-0x0000000075B4C000-memory.dmp

memory/2392-62-0x0000000006A40000-0x0000000006A5E000-memory.dmp

memory/1608-60-0x0000000075B00000-0x0000000075B4C000-memory.dmp

memory/2392-71-0x0000000007460000-0x0000000007503000-memory.dmp

memory/1608-72-0x0000000008280000-0x00000000088FA000-memory.dmp

memory/2392-73-0x00000000077B0000-0x00000000077CA000-memory.dmp

memory/2392-74-0x0000000007830000-0x000000000783A000-memory.dmp

memory/1608-75-0x0000000007EC0000-0x0000000007F56000-memory.dmp

memory/1608-76-0x0000000007E40000-0x0000000007E51000-memory.dmp

memory/2392-77-0x00000000079E0000-0x00000000079EE000-memory.dmp

memory/2392-78-0x00000000079F0000-0x0000000007A04000-memory.dmp

memory/2392-79-0x0000000007AF0000-0x0000000007B0A000-memory.dmp

memory/1608-80-0x0000000007F60000-0x0000000007F68000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 901d83117421071d78001923dc67e02d
SHA1 6e685004770388823ee1f3d24c904ff5492323e7
SHA256 b000edf92710e29ccac7f0ba3a79405d7c61b35e5d6400fa88cde2ae615fd16c
SHA512 2dbb39995afd3d7b822ab781d62d22c52ec8fbde29dd47989ef0e36f656c6ce3c0ff9554ace3721762d63aac711b73e2fcd0f4483d18c126d0a34f75d3ce12ae

memory/2392-86-0x0000000075280000-0x0000000075A30000-memory.dmp