Malware Analysis Report

2024-12-07 14:14

Sample ID: 241115-cf3vwswhrg
Target: 8391aae8c5d9970e3dc4de04a92850729c3e726f3281aacc9e4db306b4ac8cd5
SHA256: 8391aae8c5d9970e3dc4de04a92850729c3e726f3281aacc9e4db306b4ac8cd5
Tags: agenttesla collection credential_access discovery keylogger persistence spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 8391aae8c5d9970e3dc4de04a92850729c3e726f3281aacc9e4db306b4ac8cd5

Threat Level: Known bad

The file 8391aae8c5d9970e3dc4de04a92850729c3e726f3281aacc9e4db306b4ac8cd5 was found to be: Known bad.

Malicious Activity Summary

agenttesla collection credential_access discovery keylogger persistence spyware stealer trojan

AgentTesla

Agenttesla family

AgentTesla payload

Drops file in Drivers directory

Unsecured Credentials: Credentials In Files

Reads user/profile data of web browsers

Reads WinSCP keys stored on the system

Checks computer location settings

Reads user/profile data of local email clients

Reads data files stored by FTP clients

Adds Run key to start application

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

outlook_office_path

outlook_win_path

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-15 02:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-15 02:01
Reported: 2024-11-15 02:04
Platform: win7-20241010-en
Max time kernel: 119s
Max time network: 126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8391aae8c5d9970e3dc4de04a92850729c3e726f3281aacc9e4db306b4ac8cd5.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Agenttesla family

agenttesla

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\8391aae8c5d9970e3dc4de04a92850729c3e726f3281aacc9e4db306b4ac8cd5.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\8391aae8c5d9970e3dc4de04a92850729c3e726f3281aacc9e4db306b4ac8cd5.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\8391aae8c5d9970e3dc4de04a92850729c3e726f3281aacc9e4db306b4ac8cd5.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\8391aae8c5d9970e3dc4de04a92850729c3e726f3281aacc9e4db306b4ac8cd5.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\kprUEGC = "C:\\Users\\Admin\\AppData\\Roaming\\kprUEGC\\kprUEGC.exe" C:\Users\Admin\AppData\Local\Temp\8391aae8c5d9970e3dc4de04a92850729c3e726f3281aacc9e4db306b4ac8cd5.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8391aae8c5d9970e3dc4de04a92850729c3e726f3281aacc9e4db306b4ac8cd5.exe N/A (2 events)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8391aae8c5d9970e3dc4de04a92850729c3e726f3281aacc9e4db306b4ac8cd5.exe N/A (2 events)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8391aae8c5d9970e3dc4de04a92850729c3e726f3281aacc9e4db306b4ac8cd5.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2324 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\8391aae8c5d9970e3dc4de04a92850729c3e726f3281aacc9e4db306b4ac8cd5.exe C:\Windows\SysWOW64\schtasks.exe (4 events)
PID 2324 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\8391aae8c5d9970e3dc4de04a92850729c3e726f3281aacc9e4db306b4ac8cd5.exe C:\Users\Admin\AppData\Local\Temp\8391aae8c5d9970e3dc4de04a92850729c3e726f3281aacc9e4db306b4ac8cd5.exe (9 events)

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\8391aae8c5d9970e3dc4de04a92850729c3e726f3281aacc9e4db306b4ac8cd5.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\8391aae8c5d9970e3dc4de04a92850729c3e726f3281aacc9e4db306b4ac8cd5.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8391aae8c5d9970e3dc4de04a92850729c3e726f3281aacc9e4db306b4ac8cd5.exe

"C:\Users\Admin\AppData\Local\Temp\8391aae8c5d9970e3dc4de04a92850729c3e726f3281aacc9e4db306b4ac8cd5.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jAhDFpkzATjOFr" /XML "C:\Users\Admin\AppData\Local\Temp\tmp20AA.tmp"

C:\Users\Admin\AppData\Local\Temp\8391aae8c5d9970e3dc4de04a92850729c3e726f3281aacc9e4db306b4ac8cd5.exe

"{path}"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\tmp20AA.tmp

MD5 612d76309eeda25c531e7600f65ca324
SHA1 84988181816b15253a1dc1fd8beb7fa773817933
SHA256 e60601394307d921530ffb30c1bbe922542c65e2a15c48f38ba60b6224a90bb8
SHA512 0ef7595ed366ceb36cd625a59af617c9815adf590df5e3862cfb78da5018b8d3ce80d9c1e0335a90828225c8393f60857b4ccc074a966fdc1e62c4751792e3f3


Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-15 02:01
Reported: 2024-11-15 02:04
Platform: win10v2004-20241007-en
Max time kernel: 133s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8391aae8c5d9970e3dc4de04a92850729c3e726f3281aacc9e4db306b4ac8cd5.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Agenttesla family

agenttesla

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\8391aae8c5d9970e3dc4de04a92850729c3e726f3281aacc9e4db306b4ac8cd5.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8391aae8c5d9970e3dc4de04a92850729c3e726f3281aacc9e4db306b4ac8cd5.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\8391aae8c5d9970e3dc4de04a92850729c3e726f3281aacc9e4db306b4ac8cd5.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\8391aae8c5d9970e3dc4de04a92850729c3e726f3281aacc9e4db306b4ac8cd5.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\8391aae8c5d9970e3dc4de04a92850729c3e726f3281aacc9e4db306b4ac8cd5.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kprUEGC = "C:\\Users\\Admin\\AppData\\Roaming\\kprUEGC\\kprUEGC.exe" C:\Users\Admin\AppData\Local\Temp\8391aae8c5d9970e3dc4de04a92850729c3e726f3281aacc9e4db306b4ac8cd5.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8391aae8c5d9970e3dc4de04a92850729c3e726f3281aacc9e4db306b4ac8cd5.exe N/A (2 events)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8391aae8c5d9970e3dc4de04a92850729c3e726f3281aacc9e4db306b4ac8cd5.exe N/A (2 events)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8391aae8c5d9970e3dc4de04a92850729c3e726f3281aacc9e4db306b4ac8cd5.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4928 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\8391aae8c5d9970e3dc4de04a92850729c3e726f3281aacc9e4db306b4ac8cd5.exe C:\Windows\SysWOW64\schtasks.exe (3 events)
PID 4928 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\8391aae8c5d9970e3dc4de04a92850729c3e726f3281aacc9e4db306b4ac8cd5.exe C:\Users\Admin\AppData\Local\Temp\8391aae8c5d9970e3dc4de04a92850729c3e726f3281aacc9e4db306b4ac8cd5.exe (8 events)

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\8391aae8c5d9970e3dc4de04a92850729c3e726f3281aacc9e4db306b4ac8cd5.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\8391aae8c5d9970e3dc4de04a92850729c3e726f3281aacc9e4db306b4ac8cd5.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8391aae8c5d9970e3dc4de04a92850729c3e726f3281aacc9e4db306b4ac8cd5.exe

"C:\Users\Admin\AppData\Local\Temp\8391aae8c5d9970e3dc4de04a92850729c3e726f3281aacc9e4db306b4ac8cd5.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jAhDFpkzATjOFr" /XML "C:\Users\Admin\AppData\Local\Temp\tmp27D6.tmp"

C:\Users\Admin\AppData\Local\Temp\8391aae8c5d9970e3dc4de04a92850729c3e726f3281aacc9e4db306b4ac8cd5.exe

"{path}"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\tmp27D6.tmp

MD5 9a50b251b84bbe33aa93e61a1810e4e4
SHA1 3e5d3db2e6db5c40b133e096464dc1be2794eeab
SHA256 380b3dc375ce3b44135b3a93d85e4be1c2d334ae74606f174f973c69df97a5bb
SHA512 7b3e3aabe0a88a7bd08c0981d8e6b0fee521eed179ba7987866e52a559fa59c6f4171095ab33ebb672916aa67e82c8bae8101da090834cd9092a5d05d85ca115

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\8391aae8c5d9970e3dc4de04a92850729c3e726f3281aacc9e4db306b4ac8cd5.exe.log

MD5 8ec831f3e3a3f77e4a7b9cd32b48384c
SHA1 d83f09fd87c5bd86e045873c231c14836e76a05c
SHA256 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA512 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3
