Malware Analysis Report

2024-11-15 09:23

Sample ID 240828-rp618s1frf
Target 28082024_1423_28082024_Awb#7758797443.gz
SHA256 9e89c4d799affccea5da46e89ba0c8019f2dabf5dedd1d72940f25a7982f8544
Tags
lokibot collection credential_access discovery execution spyware stealer trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 28082024_1423_28082024_Awb#7758797443.gz was found to be: Known bad.

Malicious Activity Summary

Lokibot

Credentials from Password Stores: Credentials from Web Browsers

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

Checks computer location settings

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

outlook_win_path

Suspicious behavior: EnumeratesProcesses

outlook_office_path

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported: 2024-08-28 14:23

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-28 14:23

Reported: 2024-08-28 14:25

Platform: win7-20240705-en

Max time kernel: 150s

Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Awb#7758797443.exe"

Signatures

Lokibot

trojan spyware stealer lokibot

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Awb#7758797443.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Awb#7758797443.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Awb#7758797443.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2124 set thread context of 2732 N/A C:\Users\Admin\AppData\Local\Temp\Awb#7758797443.exe C:\Users\Admin\AppData\Local\Temp\Awb#7758797443.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Awb#7758797443.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Awb#7758797443.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Awb#7758797443.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2124 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\Awb#7758797443.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\Awb#7758797443.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\Awb#7758797443.exe C:\Windows\SysWOW64\schtasks.exe
PID 2124 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\Awb#7758797443.exe C:\Users\Admin\AppData\Local\Temp\Awb#7758797443.exe
PID 2124 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\Awb#7758797443.exe C:\Users\Admin\AppData\Local\Temp\Awb#7758797443.exe
PID 2124 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\Awb#7758797443.exe C:\Users\Admin\AppData\Local\Temp\Awb#7758797443.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Awb#7758797443.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Awb#7758797443.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Awb#7758797443.exe

"C:\Users\Admin\AppData\Local\Temp\Awb#7758797443.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Awb#7758797443.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\OJqUwQqOWsRbu.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OJqUwQqOWsRbu" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE91.tmp"

C:\Users\Admin\AppData\Local\Temp\Awb#7758797443.exe

"C:\Users\Admin\AppData\Local\Temp\Awb#7758797443.exe"

C:\Users\Admin\AppData\Local\Temp\Awb#7758797443.exe

"C:\Users\Admin\AppData\Local\Temp\Awb#7758797443.exe"

C:\Users\Admin\AppData\Local\Temp\Awb#7758797443.exe

"C:\Users\Admin\AppData\Local\Temp\Awb#7758797443.exe"

Network

Country Destination Domain Proto
NL 104.248.205.66:80 104.248.205.66 tcp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DPIH08CLXSMSL6PO2K6A.temp

MD5 f128c4d2bbbd1d404b317b16026f5194
SHA1 e74fc6504a8b29e11ec32c36c3a9d0b6277af959
SHA256 fac38dee45c4750d0c33ea30db2e1be78a8accc2e5d361e6c3f5e8408da0abd0
SHA512 5d77bddf466046f545972a357d5f7f06614bf9ccde353687eabf835e611e4b5e9746096098b8ae8fb44c6a32fc01f682855b0b94f4215ea1f4c045863f834b49

C:\Users\Admin\AppData\Local\Temp\tmpE91.tmp

MD5 61bc10855c10d993d665e7410f243d35
SHA1 2203bbd57adcdf2ca1c0f785acf96cf77f57ea18
SHA256 596d8ff7ad1eb1081afbdba1006a1e02856c25006c48ebc164ebd6088d83a4e5
SHA512 e82cc727f3eec38170d4501db4b43d260690dfee6f04a6d3e7c3a580006257184b917fc76d5184fcff5234d70cbb502f7ec89a17807f957cc61dce77bd4a3fcc

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1385883288-3042840365-2734249351-1000\0f5007522459c86e95ffcc62f32308f1_0b857b27-3438-41f8-a27a-43f96d095be3

MD5 d898504a722bff1524134c6ab6a5eaa5
SHA1 e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA512 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1385883288-3042840365-2734249351-1000\0f5007522459c86e95ffcc62f32308f1_0b857b27-3438-41f8-a27a-43f96d095be3

MD5 c07225d4e7d01d31042965f048728a0a
SHA1 69d70b340fd9f44c89adb9a2278df84faa9906b7
SHA256 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA512 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-28 14:23

Reported: 2024-08-28 14:25

Platform: win10v2004-20240802-en

Max time kernel: 134s

Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Awb#7758797443.exe"

Signatures

Lokibot

trojan spyware stealer lokibot

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Awb#7758797443.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Awb#7758797443.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Awb#7758797443.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Awb#7758797443.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3324 set thread context of 1756 N/A C:\Users\Admin\AppData\Local\Temp\Awb#7758797443.exe C:\Users\Admin\AppData\Local\Temp\Awb#7758797443.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Awb#7758797443.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Awb#7758797443.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Awb#7758797443.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3324 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\Awb#7758797443.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3324 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\Awb#7758797443.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3324 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\Awb#7758797443.exe C:\Windows\SysWOW64\schtasks.exe
PID 3324 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\Awb#7758797443.exe C:\Users\Admin\AppData\Local\Temp\Awb#7758797443.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Awb#7758797443.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Awb#7758797443.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Awb#7758797443.exe

"C:\Users\Admin\AppData\Local\Temp\Awb#7758797443.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Awb#7758797443.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\OJqUwQqOWsRbu.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OJqUwQqOWsRbu" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEAEC.tmp"

C:\Users\Admin\AppData\Local\Temp\Awb#7758797443.exe

"C:\Users\Admin\AppData\Local\Temp\Awb#7758797443.exe"

Network

Files

C:\Users\Admin\AppData\Local\Temp\tmpEAEC.tmp

MD5 9e0b568f7d8630cc1670655659329946
SHA1 ee33ea4d895b051464d5b763ddd21e4005d3d09e
SHA256 cfeaadc041980389659211ea8b027d237c604700b0ea402f7dd83ef2ea2402da
SHA512 099dd4e6c036181d8107886e5a524247b56716e1a82bc2ae5ffbdf0d4b47a1eac47a9f5feeea1d0d5177c663f203e997681120040d16713a51bfe865fe6e6e81

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nhvdekrm.4rv.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 13e101feb0d9ea11e8fc94d6d87c5559
SHA1 33aac0c6dec3dc29245dfad3dd620bb587b43fee
SHA256 d84636f574c01a1e34d5897589ede95407c81718937b89be31aea3370b1705ab
SHA512 44117ea2e39a52f2e7fdec6fd160bbb924a1421d43511a27cd84fd20a76812dd676b91103f6c097343e0fb13fdc982091a6583d3a8104029b939e3cceb04e7f5

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-523280732-2327480845-3730041215-1000\0f5007522459c86e95ffcc62f32308f1_a5c5e2ae-85e3-447c-9e0b-c9a7b966d823

MD5 c07225d4e7d01d31042965f048728a0a
SHA1 69d70b340fd9f44c89adb9a2278df84faa9906b7
SHA256 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA512 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-523280732-2327480845-3730041215-1000\0f5007522459c86e95ffcc62f32308f1_a5c5e2ae-85e3-447c-9e0b-c9a7b966d823

MD5 d898504a722bff1524134c6ab6a5eaa5
SHA1 e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA512 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61
