Malware Analysis Report

2025-05-28 18:48

Sample ID 241117-kglxrsvnd1
Target 9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d
SHA256 9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d
Tags
collection discovery execution spyware stealer
score
8/10

Analysis Overview

score
8/10

SHA256

9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d

Threat Level: Likely malicious

The file 9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d was found to be: Likely malicious.

Malicious Activity Summary

collection discovery execution spyware stealer

Command and Scripting Interpreter: PowerShell

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Checks computer location settings

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

outlook_win_path

Suspicious behavior: EnumeratesProcesses

outlook_office_path

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-17 08:34

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-17 08:34

Reported

2024-11-17 08:36

Platform

win7-20240903-en

Max time kernel

117s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2400 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2400 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2400 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2400 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2400 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2400 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2400 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2400 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2400 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe C:\Windows\SysWOW64\schtasks.exe
PID 2400 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe C:\Windows\SysWOW64\schtasks.exe
PID 2400 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe C:\Windows\SysWOW64\schtasks.exe
PID 2400 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe C:\Windows\SysWOW64\schtasks.exe
PID 2400 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe
PID 2400 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe
PID 2400 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe
PID 2400 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe
PID 2400 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe
PID 2400 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe
PID 2400 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe
PID 2400 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe
PID 2400 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe

"C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JIlApjvRxj.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JIlApjvRxj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6854.tmp"

C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe

"C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 checkip.dyndns.org udp
DE 193.122.6.168:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 172.67.177.134:443 reallyfreegeoip.org tcp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 f031b3ff4b800f1b3fbda22af78e403c
SHA1 d883e5b5a0eaa0dca874959f6985f8cb9f5fee37
SHA256 1c2b8a208688576b6deb02fbc3b3d372b2ddaa129823c0679ba93c832af06a62
SHA512 060f27cbff8bbfd52a8214590257afbc2979455cc5bafe87f37b5d77378a776fdeae710fa5ebb895457c3572c9970cfb86a64852dd498e50d3ad6bafaf273d48

C:\Users\Admin\AppData\Local\Temp\tmp6854.tmp

MD5 ec78c79e5a086093917caf25a7f7a76b
SHA1 7e90490af665adad4056fc4834b01fa10d9e1f51
SHA256 bfd23f33c2393b0f08005acaf73d96ddec32ecd69a64c7e78e61f4c0329d4ab2
SHA512 512c964cda3c80addc16c06b026d774c8c2c206db0e562910780826cedc4e1b77e237d793fc4c204f6163f1eba8d9fd3278ff536291ca2f7d2566223e00c49de

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-17 08:34

Reported

2024-11-17 08:36

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2244 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2244 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2244 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2244 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2244 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2244 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2244 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe C:\Windows\SysWOW64\schtasks.exe
PID 2244 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe C:\Windows\SysWOW64\schtasks.exe
PID 2244 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe C:\Windows\SysWOW64\schtasks.exe
PID 2244 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe
PID 2244 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe
PID 2244 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe
PID 2244 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe
PID 2244 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe
PID 2244 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe
PID 2244 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe
PID 2244 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe

"C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JIlApjvRxj.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JIlApjvRxj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4F92.tmp"

C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe

"C:\Users\Admin\AppData\Local\Temp\9155862979f292ea527e4107a7143bd9b54c66511a1aa1b04a06f924a4ed901d.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 checkip.dyndns.org udp
BR 132.226.247.73:80 checkip.dyndns.org tcp
US 8.8.8.8:53 73.247.226.132.in-addr.arpa udp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 172.67.177.134:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 134.177.67.172.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\tmp4F92.tmp

MD5 91239ad8fd09f7aeaa57ddfdbe8cdaec
SHA1 34dc61ea1ef3fd5d2cca830ec7d223954a16bbf5
SHA256 c4c1f47aa6460028a61017e1c9ebfdafeb1c0d3a81879f57a3a0baabd1a36422
SHA512 56c70b70fde020d41eb7046982fe10c93d3ff04e256f7f5ffb7a3796c28898b2613f7f4cb6cfd5a95249acda004c9d6a416ad7c28aa202980404665057653b75

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xqzrgg3i.5jo.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cc523d4e205c6a4e30c80810bce744b0
SHA1 c220ba735a5ec06fe0187138905d2b5010b1c74f
SHA256 db8692e9c67eaee3778043c7436dabfc358a974af6b1e80b0c546443e20e9e6f
SHA512 4ef87047252e24d96b19d92f079c2edc0f3eb9e0007d867783888fcc86f4bd8fe28527a04bb81d81ede4f88cb9c700476311451a0d4fe8c289eebd56750cee3c

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
