Malware Analysis Report

2024-11-30 14:50

Sample ID 240925-cbgrvsxgql
Target 61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe
SHA256 61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0
Tags vipkeylogger collection discovery execution keylogger spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0

Threat Level: Known bad

The file 61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe was found to be: Known bad.

Malicious Activity Summary

vipkeylogger collection discovery execution keylogger spyware stealer

VIPKeylogger

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Checks computer location settings

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Browser Information Discovery

Suspicious behavior: EnumeratesProcesses

outlook_win_path

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

outlook_office_path

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-09-25 01:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-09-25 01:53
Reported 2024-09-25 01:56
Platform win7-20240903-en
Max time kernel 120s
Max time network 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2444 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2444 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2444 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2444 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2444 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2444 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2444 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2444 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2444 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe C:\Windows\SysWOW64\schtasks.exe
PID 2444 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe C:\Windows\SysWOW64\schtasks.exe
PID 2444 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe C:\Windows\SysWOW64\schtasks.exe
PID 2444 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe C:\Windows\SysWOW64\schtasks.exe
PID 2444 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe
PID 2444 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe
PID 2444 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe
PID 2444 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe
PID 2444 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe
PID 2444 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe
PID 2444 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe
PID 2444 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe
PID 2444 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe

"C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\aXrHAJsui.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aXrHAJsui" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEC23.tmp"

C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe

"C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 checkip.dyndns.org udp
JP 132.226.8.169:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 104.21.67.152:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp

Files

memory/2444-0-0x0000000073CCE000-0x0000000073CCF000-memory.dmp

memory/2444-1-0x0000000000D40000-0x0000000000DF0000-memory.dmp

memory/2444-2-0x0000000073CC0000-0x00000000743AE000-memory.dmp

memory/2444-3-0x00000000005C0000-0x00000000005D2000-memory.dmp

memory/2444-4-0x0000000073CCE000-0x0000000073CCF000-memory.dmp

memory/2444-5-0x0000000073CC0000-0x00000000743AE000-memory.dmp

memory/2444-6-0x0000000005340000-0x00000000053CC000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 56e96a70cb8c38ebc421c9e887ab8468
SHA1 97066393d2ff17ed6c7757531981b9e6bf8c9d55
SHA256 3bc131662674a88aeef3397b73830f1fbd4b8ebd382fcf4813ee967eed19b54b
SHA512 6171354ecc0ed64f69b6ff36335ceb338a93392b9f79693df16b29fc52725f33dcc1ba7bf0c899e49682552dd146cb931707245596f38b851e675b0381fa475d

C:\Users\Admin\AppData\Local\Temp\tmpEC23.tmp

MD5 c9197d1e9186319ac046adfa418591e6
SHA1 dedcd677e1e4ea7a8814fa5c653efe0e65b3f734
SHA256 8640558b6a7f6f5e7a0f87a8195a2d5e478d10c526016ecd21770cab729f1207
SHA512 959b636679d07f9c02deef02b8d52c2767e0115cf46bafb022a108a6f2e8a6633b085f696ed476aaf225ecf45efbb1ec3b207fab350b43c75720328c27a9c5ac

memory/2796-19-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2796-21-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2796-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2796-30-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2796-29-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2796-28-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2796-25-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2796-23-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2444-31-0x0000000073CC0000-0x00000000743AE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-09-25 01:53
Reported 2024-09-25 01:56
Platform win10v2004-20240802-en
Max time kernel 119s
Max time network 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2996 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2996 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2996 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2996 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2996 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2996 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2996 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe C:\Windows\SysWOW64\schtasks.exe
PID 2996 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe C:\Windows\SysWOW64\schtasks.exe
PID 2996 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe C:\Windows\SysWOW64\schtasks.exe
PID 2996 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe
PID 2996 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe
PID 2996 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe
PID 2996 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe
PID 2996 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe
PID 2996 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe
PID 2996 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe
PID 2996 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe

"C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\aXrHAJsui.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aXrHAJsui" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB8E0.tmp"

C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe

"C:\Users\Admin\AppData\Local\Temp\61273d957fcca98eed2c70d8475bc6f8dc9b637246e998727f6771a915c69bb0.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 checkip.dyndns.org udp
JP 132.226.8.169:80 checkip.dyndns.org tcp
US 8.8.8.8:53 169.8.226.132.in-addr.arpa udp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 172.67.177.134:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 134.177.67.172.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/2996-0-0x00000000749AE000-0x00000000749AF000-memory.dmp

memory/2996-1-0x0000000000480000-0x0000000000530000-memory.dmp

memory/2996-2-0x00000000053E0000-0x0000000005984000-memory.dmp

memory/2996-3-0x0000000004F10000-0x0000000004FA2000-memory.dmp

memory/2996-4-0x00000000749A0000-0x0000000075150000-memory.dmp

memory/2996-5-0x00000000050D0000-0x00000000050DA000-memory.dmp

memory/2996-6-0x0000000005330000-0x0000000005342000-memory.dmp

memory/2996-7-0x00000000749AE000-0x00000000749AF000-memory.dmp

memory/2996-8-0x00000000749A0000-0x0000000075150000-memory.dmp

memory/2996-9-0x0000000008BB0000-0x0000000008C3C000-memory.dmp

memory/2996-10-0x000000000B410000-0x000000000B4AC000-memory.dmp

memory/2912-15-0x0000000004A20000-0x0000000004A56000-memory.dmp

memory/2912-17-0x00000000749A0000-0x0000000075150000-memory.dmp

memory/2912-18-0x00000000749A0000-0x0000000075150000-memory.dmp

memory/2912-16-0x00000000050D0000-0x00000000056F8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpB8E0.tmp

MD5 1ab159808c4694575230d5ac50de7ce8
SHA1 c86a9f36a5dad58d7d65dc1f8e281ea7a163b44a
SHA256 4f405c07b13e79ea6035a9a1766ade1b7766f7cd15cecbcef240b2e1f3348338
SHA512 2d1d4448c5216194afdb2ceb395ffb0c27ad5a1feda6beaf72a1d4ba8d65d2774d2c89d2bab5e662fd35bb9e8b88f1d9e2efb7523ac9c54cba44b241e3288477

memory/4984-20-0x00000000749A0000-0x0000000075150000-memory.dmp

memory/4984-21-0x00000000749A0000-0x0000000075150000-memory.dmp

memory/2912-22-0x00000000749A0000-0x0000000075150000-memory.dmp

memory/868-36-0x0000000000400000-0x0000000000448000-memory.dmp

memory/4984-35-0x00000000749A0000-0x0000000075150000-memory.dmp

memory/2912-34-0x0000000005940000-0x00000000059A6000-memory.dmp

memory/4984-38-0x0000000005930000-0x0000000005C84000-memory.dmp

memory/2996-39-0x00000000749A0000-0x0000000075150000-memory.dmp

memory/2912-33-0x00000000058D0000-0x0000000005936000-memory.dmp

memory/4984-28-0x0000000005630000-0x0000000005652000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o0z1hav2.2hh.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4984-49-0x0000000005DA0000-0x0000000005DBE000-memory.dmp

memory/4984-50-0x00000000060D0000-0x000000000611C000-memory.dmp

memory/4984-53-0x0000000071040000-0x000000007108C000-memory.dmp

memory/2912-52-0x0000000071040000-0x000000007108C000-memory.dmp

memory/4984-51-0x0000000006F40000-0x0000000006F72000-memory.dmp

memory/2912-72-0x0000000007170000-0x000000000718E000-memory.dmp

memory/4984-73-0x0000000006F80000-0x0000000007023000-memory.dmp

memory/4984-75-0x00000000070E0000-0x00000000070FA000-memory.dmp

memory/2912-74-0x0000000007940000-0x0000000007FBA000-memory.dmp

memory/4984-76-0x0000000007150000-0x000000000715A000-memory.dmp

memory/2912-77-0x0000000007570000-0x0000000007606000-memory.dmp

memory/2912-78-0x00000000074F0000-0x0000000007501000-memory.dmp

memory/2912-79-0x0000000007520000-0x000000000752E000-memory.dmp

memory/4984-80-0x0000000007320000-0x0000000007334000-memory.dmp

memory/2912-81-0x0000000007630000-0x000000000764A000-memory.dmp

memory/4984-82-0x0000000007400000-0x0000000007408000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2baa41137b16970127c0c77861e7952d
SHA1 cb3ca6c95d0b70e436c990493cba266bc97ccca5
SHA256 848e96876edb3fc4ac33659c59fbc0ad731c4c346a6287f9d04446ad6c7f1ee8
SHA512 c906cabd1737314ecaa4c29f1ed3d7c48bef470740a5d070ab15803424a4646741e19767ec6fe8f2b28184621dddab260d0d3106f93a9a7f3bfeb88d11ee548c

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

memory/2912-89-0x00000000749A0000-0x0000000075150000-memory.dmp

memory/4984-88-0x00000000749A0000-0x0000000075150000-memory.dmp

memory/868-90-0x0000000006370000-0x0000000006532000-memory.dmp

memory/868-91-0x0000000006210000-0x0000000006260000-memory.dmp