Malware Analysis Report

2024-11-15 09:53

Sample ID 241109-dyw1qswgnj
Target af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe
SHA256 af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c
Tags
vipkeylogger collection discovery execution keylogger spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c

Threat Level: Known bad

The file af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe was found to be: Known bad.

Malicious Activity Summary

vipkeylogger collection discovery execution keylogger spyware stealer

Behaviour is the same in the Windows 7 and Windows 10 detonations. The sample launches two 32-bit PowerShell processes that add Microsoft Defender path exclusions for its own location and for C:\Users\Admin\AppData\Roaming\oqRwcWctcQ.exe (the intended persistence copy; that file is not among those captured under Files), a defense-evasion step that has no dedicated signature in the list below. It registers a scheduled task "Updates\oqRwcWctcQ" through schtasks.exe from an XML file dropped in %TEMP%, then writes into freshly spawned copies of itself, which together with the SetThreadContext signature is the classic process-hollowing sequence. It opens the Outlook profile registry keys, resolves its public IP (checkip.dyndns.org) and geolocation (reallyfreegeoip.org), and connects to api.telegram.org over TLS, consistent with exfiltration through the Telegram Bot API.

VIPKeylogger

Vipkeylogger family

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

Checks computer location settings

Reads user/profile data of local email clients

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Browser Information Discovery

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

outlook_office_path

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

outlook_win_path

MITRE ATT&CK

Enterprise Matrix V15

The mapping below is derived from the signature names and the command lines recorded in this report:

T1059.001 Command and Scripting Interpreter: PowerShell (two powershell.exe children of the sample)
T1562.001 Impair Defenses: Disable or Modify Tools (Add-MpPreference -ExclusionPath for the sample and for C:\Users\Admin\AppData\Roaming\oqRwcWctcQ.exe)
T1053.005 Scheduled Task/Job: Scheduled Task (schtasks.exe /Create /TN "Updates\oqRwcWctcQ" /XML)
T1055 Process Injection (WriteProcessMemory into same-image children, SetThreadContext)
T1614.001 System Location Discovery: System Language Discovery (NLS\Language registry key)
T1217 Browser Information Discovery
T1016 System Network Configuration Discovery (external IP lookup via checkip.dyndns.org)
T1567 Exfiltration Over Web Service (api.telegram.org over TLS; consistent with the captured traffic, not proven by it)

Analysis: static1

Detonation Overview

Reported

2024-11-09 03:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 03:25

Reported

2024-11-09 03:28

Platform

win7-20241010-en

Max time kernel

121s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Vipkeylogger family

vipkeylogger

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
Adds a Microsoft Defender path exclusion for the sample Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Adds a Microsoft Defender path exclusion for the persistence path (file not captured under Files) Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\oqRwcWctcQ.exe" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
Registers task "Updates\oqRwcWctcQ" from an XML file in %TEMP% (hashes under Files) schtasks.exe /Create /TN "Updates\oqRwcWctcQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAF52.tmp" C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2900 wrote to memory of 2864 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2900 wrote to memory of 2792 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2900 wrote to memory of 2892 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe C:\Windows\SysWOW64\schtasks.exe
PID 2900 wrote to memory of 2720 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe C:\Users\Admin\AppData\Local\Temp\af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe
PID 2900 wrote to memory of 2748 (9 events) N/A C:\Users\Admin\AppData\Local\Temp\af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe C:\Users\Admin\AppData\Local\Temp\af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe

The four writes into each child created with CreateProcess are the normal loader handshake; the nine writes into PID 2748, a second instance of the sample, together with the repeated dumps of that process's 0x00400000-0x00448000 range under Files (the image range of a small PE) are what the process-hollowing pattern looks like: the parent replaces the child's image with the final payload before resuming it.

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe N/A

Processes

Image paths are shown under SysWOW64 while the command lines name System32: the sample is a 32-bit (WoW64) process, so its child launches are redirected to the 32-bit binaries. The two PowerShell invocations add Microsoft Defender path exclusions; schtasks.exe imports the task from an XML file the sample dropped in %TEMP% (hashes listed under Files).

C:\Users\Admin\AppData\Local\Temp\af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe

"C:\Users\Admin\AppData\Local\Temp\af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\oqRwcWctcQ.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oqRwcWctcQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAF52.tmp"

C:\Users\Admin\AppData\Local\Temp\af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe

"C:\Users\Admin\AppData\Local\Temp\af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe"

C:\Users\Admin\AppData\Local\Temp\af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe

"C:\Users\Admin\AppData\Local\Temp\af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe"

Network

The 8.8.8.8:53 rows are the sandbox's DNS resolver, not a sample indicator; the three TCP destinations are the sample's own connections.

Country Destination Domain Proto
US 8.8.8.8:53 checkip.dyndns.org udp
BR 132.226.247.73:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 104.21.67.152:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp

Files

memory/2900-0-0x0000000074B2E000-0x0000000074B2F000-memory.dmp

memory/2900-1-0x0000000000280000-0x000000000035C000-memory.dmp

memory/2900-2-0x0000000074B20000-0x000000007520E000-memory.dmp

memory/2900-3-0x0000000000660000-0x000000000067C000-memory.dmp

memory/2900-4-0x0000000074B2E000-0x0000000074B2F000-memory.dmp

memory/2900-5-0x0000000074B20000-0x000000007520E000-memory.dmp

memory/2900-6-0x0000000005AA0000-0x0000000005B2C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpAF52.tmp

MD5 2cc321d55cde18a8e7129dd8c69165b6
SHA1 9e9113f0fcef32bcbfdc66608445c4aef8761d57
SHA256 7b9dfbaaa2c889ae1a0c66546c6f15f36471cb60a5541018b4c7125147375d9a
SHA512 d244e7aa7ff7fd8d27e0c9b03db468c6d10827e5665d75b095a23801e34d294e3a6d9cb56a048ef9d85d2ff5993509ee3ebd5fd7b501ccced6ac1864df28f1de

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 d017103b893137e3500c571ddcc72d35
SHA1 8c9e8bdcb1e3c7fef0d97a499225a494d97119ba
SHA256 4de4a1adac51f40d7387824e8e980c583108978cad38ed0e12b06dcf7046320f
SHA512 2c7f7988df4125fd9bcdef3b33eba8c6431cfc81b979f9e71cbdb85559c42834371c2ab28aac7f2a30ff71176124d61d5f763781a77f943c31d4f501105e92a6

memory/2748-19-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2748-21-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2748-23-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2748-30-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2748-29-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2748-28-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2748-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2748-25-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2900-31-0x0000000074B20000-0x000000007520E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 03:25

Reported

2024-11-09 03:28

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Vipkeylogger family

vipkeylogger

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
Adds a Microsoft Defender path exclusion for the sample Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Adds a Microsoft Defender path exclusion for the persistence path (file not captured under Files) Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\oqRwcWctcQ.exe" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
Registers task "Updates\oqRwcWctcQ" from an XML file in %TEMP% (hashes under Files) schtasks.exe /Create /TN "Updates\oqRwcWctcQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAE80.tmp" C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2800 wrote to memory of 2704 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2800 wrote to memory of 4928 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2800 wrote to memory of 1332 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe C:\Windows\SysWOW64\schtasks.exe
PID 2800 wrote to memory of 2340 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe C:\Users\Admin\AppData\Local\Temp\af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe
PID 2800 wrote to memory of 208 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe C:\Users\Admin\AppData\Local\Temp\af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe
PID 2800 wrote to memory of 4200 (8 events) N/A C:\Users\Admin\AppData\Local\Temp\af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe C:\Users\Admin\AppData\Local\Temp\af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe

As in behavioral1, the child that receives the bulk of the writes (PID 4200, a third instance of the sample) is the one whose 0x00400000-0x00448000 image range appears under Files, consistent with the parent hollowing that child and loading the final payload into it.

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe N/A

Processes

Image paths are shown under SysWOW64 while the command lines name System32: the sample is a 32-bit (WoW64) process, so its child launches are redirected to the 32-bit binaries. The two PowerShell invocations add Microsoft Defender path exclusions; schtasks.exe imports the task from an XML file the sample dropped in %TEMP% (hashes listed under Files). Three further instances of the sample are started, matching the three same-image targets in the WriteProcessMemory table.

C:\Users\Admin\AppData\Local\Temp\af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe

"C:\Users\Admin\AppData\Local\Temp\af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\oqRwcWctcQ.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oqRwcWctcQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAE80.tmp"

C:\Users\Admin\AppData\Local\Temp\af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe

"C:\Users\Admin\AppData\Local\Temp\af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe"

C:\Users\Admin\AppData\Local\Temp\af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe

"C:\Users\Admin\AppData\Local\Temp\af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe"

C:\Users\Admin\AppData\Local\Temp\af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe

"C:\Users\Admin\AppData\Local\Temp\af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe"

Network

The in-addr.arpa rows are reverse-DNS (PTR) lookups for addresses seen during the run and are most likely generated by the OS or the analysis environment rather than by the sample; the 8.8.8.8:53 rows are the sandbox resolver. Setting both aside, the destinations are the same three as in behavioral1: checkip.dyndns.org (public IP), reallyfreegeoip.org (geolocation) and api.telegram.org (TLS, Telegram Bot API).

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 checkip.dyndns.org udp
DE 193.122.6.168:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 104.21.67.152:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 168.6.122.193.in-addr.arpa udp
US 8.8.8.8:53 152.67.21.104.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
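To make the two network tables actionable, here is an added Python example (not part of the report) that parses rows in exactly the layout printed above, separates the in-addr.arpa PTR noise and the 8.8.8.8:53 resolver rows from the sample's own connections, and reduces the remainder to an IOC list plus a verdict on the public-IP-lookup-then-Telegram check-in pattern. The ROLES mapping of the three domains is this example's own classification, and the embedded table is the behavioral2 table copied from above.

```python
"""Network-table triage for this report (added example, not sandbox output).

Parses the 'Country Destination Domain Proto' rows as printed above, drops
reverse-DNS (in-addr.arpa) noise and resolver traffic, and reduces the rest
to an IOC list plus a verdict on the stealer check-in pattern. ROLES is this
example's own classification of the three domains.
"""
import re
from typing import Dict, List

ROW = re.compile(r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
                 r"\s+(?P<domain>\S+)\s+(?P<proto>tcp|udp)$")
ROLES = {
    "checkip.dyndns.org": "public-ip-lookup",
    "reallyfreegeoip.org": "geolocation",
    "api.telegram.org": "telegram-bot-api",
}


def parse_rows(table_text: str) -> List[Dict]:
    """One dict per well-formed row; the header and blank lines are skipped."""
    rows = []
    for line in table_text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
    return rows


def is_ptr(domain: str) -> bool:
    return domain.lower().endswith(".in-addr.arpa")


def summarize(rows: List[Dict]) -> Dict:
    """Split noise from sample traffic and derive IOCs and a verdict."""
    ptr_noise = sum(1 for r in rows if is_ptr(r["domain"]))
    real = [r for r in rows if not is_ptr(r["domain"])]
    # Port-53 rows only tell us which names were resolved; the resolver IP is not an IOC.
    dns_queries = sorted({r["domain"] for r in real if r["port"] == 53 and r["proto"] == "udp"})
    connections = []
    for r in real:
        key = (r["domain"], r["ip"], r["port"], r["proto"])
        if r["port"] != 53 and key not in connections:
            connections.append(key)
    roles = {d: ROLES.get(d, "unclassified") for d in dns_queries}
    seen = set(roles.values())
    if {"public-ip-lookup", "telegram-bot-api"} <= seen:
        verdict = "stealer check-in: public IP lookup, then Telegram Bot API contact"
    elif "telegram-bot-api" in seen:
        verdict = "Telegram Bot API contact without the usual IP-lookup prelude"
    else:
        verdict = "no known stealer beacon pattern"
    iocs = sorted(set(dns_queries) | {c[1] for c in connections})
    return {"ptr_noise": ptr_noise, "dns_queries": dns_queries, "connections": connections,
            "roles": roles, "iocs": iocs, "verdict": verdict}


# The behavioral2 Network table, copied verbatim from the report.
BEHAVIORAL2_NETWORK = """
Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 checkip.dyndns.org udp
DE 193.122.6.168:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 104.21.67.152:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 168.6.122.193.in-addr.arpa udp
US 8.8.8.8:53 152.67.21.104.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
"""

if __name__ == "__main__":
    summary = summarize(parse_rows(BEHAVIORAL2_NETWORK))
    print(summary["verdict"])
    for ioc in summary["iocs"]:
        print(" ", ioc)
```

Of the 20 rows, 14 are PTR noise; the remaining traffic reduces to three DNS names, three TCP connections and six IOCs (the domains plus 193.122.6.168, 104.21.67.152 and 149.154.167.220), with the resolver address correctly excluded. Feeding the behavioral1 table in gives the same domains with 132.226.247.73 in place of 193.122.6.168 for checkip.dyndns.org, a reminder that the IP behind a public-IP-check service rotates and the domain is the stable indicator.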

Files

memory/2800-0-0x000000007514E000-0x000000007514F000-memory.dmp

memory/2800-1-0x0000000000B10000-0x0000000000BEC000-memory.dmp

memory/2800-2-0x0000000005C40000-0x00000000061E4000-memory.dmp

memory/2800-3-0x00000000055B0000-0x0000000005642000-memory.dmp

memory/2800-6-0x0000000075140000-0x00000000758F0000-memory.dmp

memory/2800-5-0x0000000005870000-0x000000000590C000-memory.dmp

memory/2800-4-0x0000000005670000-0x000000000567A000-memory.dmp

memory/2800-7-0x0000000005A40000-0x0000000005A5C000-memory.dmp

memory/2800-8-0x000000007514E000-0x000000007514F000-memory.dmp

memory/2800-9-0x0000000075140000-0x00000000758F0000-memory.dmp

memory/2800-10-0x0000000004F40000-0x0000000004FCC000-memory.dmp

memory/2704-16-0x0000000002260000-0x0000000002296000-memory.dmp

memory/2704-15-0x0000000075140000-0x00000000758F0000-memory.dmp

memory/2704-18-0x0000000075140000-0x00000000758F0000-memory.dmp

memory/2704-17-0x0000000004D00000-0x0000000005328000-memory.dmp

memory/4928-19-0x0000000075140000-0x00000000758F0000-memory.dmp

memory/2704-22-0x0000000005530000-0x0000000005596000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpAE80.tmp

MD5 1013a46c44a031291d1212d3aa21a2b1
SHA1 4a14bbd2011f325ff44321d156a3e721a1c7c38d
SHA256 e77f697f3e3957c00bbfb3aa2bd5fd845c7a7dd3b4d386c5e6ea871c66b3cd3f
SHA512 1af6e16cd8ee7725f9e28f94b6ab869a862ee4344ba011fdb953052f2bf01c292e761b1630896c5fcf7ca86e53d7609b8aeb9ac106105839f9eff2d856580c3f

memory/4928-24-0x0000000075140000-0x00000000758F0000-memory.dmp

memory/2704-21-0x00000000054C0000-0x0000000005526000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hz544er1.i22.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2704-34-0x00000000055A0000-0x00000000058F4000-memory.dmp

memory/2704-20-0x0000000005420000-0x0000000005442000-memory.dmp

memory/4200-35-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2800-46-0x0000000075140000-0x00000000758F0000-memory.dmp

memory/2704-48-0x0000000005BC0000-0x0000000005C0C000-memory.dmp

memory/2704-47-0x0000000005B70000-0x0000000005B8E000-memory.dmp

memory/2704-71-0x0000000006D90000-0x0000000006E33000-memory.dmp

memory/2704-66-0x0000000006150000-0x000000000616E000-memory.dmp

memory/4928-51-0x0000000071860000-0x00000000718AC000-memory.dmp

memory/2704-50-0x0000000071860000-0x00000000718AC000-memory.dmp

memory/2704-49-0x0000000006B50000-0x0000000006B82000-memory.dmp

memory/2704-72-0x00000000074E0000-0x0000000007B5A000-memory.dmp

memory/2704-73-0x0000000006EA0000-0x0000000006EBA000-memory.dmp

memory/2704-74-0x0000000006F10000-0x0000000006F1A000-memory.dmp

memory/2704-75-0x0000000007120000-0x00000000071B6000-memory.dmp

memory/4928-76-0x00000000070D0000-0x00000000070E1000-memory.dmp

memory/2704-77-0x00000000070D0000-0x00000000070DE000-memory.dmp

memory/2704-78-0x00000000070E0000-0x00000000070F4000-memory.dmp

memory/2704-79-0x00000000071E0000-0x00000000071FA000-memory.dmp

memory/4928-80-0x00000000071F0000-0x00000000071F8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/2704-84-0x0000000075140000-0x00000000758F0000-memory.dmp

memory/4928-85-0x0000000075140000-0x00000000758F0000-memory.dmp

memory/4200-86-0x0000000006D50000-0x0000000006F12000-memory.dmp

memory/4200-87-0x0000000006BF0000-0x0000000006C40000-memory.dmp