88f340643cb029167d027a28af60309f28ca5f11b55dd397795a5bcd442ab35d

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 13:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88f340643cb029167d027a28af60309f28ca5f11b55dd397795a5bcd442ab35d.exe
Size

80KB
MD5

40060de425545a1307eb02e2521c4b53
SHA1

686a4365ea6719d80d44a3514b821549527f4018
SHA256

88f340643cb029167d027a28af60309f28ca5f11b55dd397795a5bcd442ab35d
SHA512

c4c66735f7b935d4f8d88fe8e8e31ed4c2a129b6f35a15d8fe1df12d9e98c2a7bbac3763b0c0daae065747b80f21649c67af560a85e988e25d7773896bbea36f
SSDEEP

1536:ev128ZrmB+RdtK4QjXvquct+beug5VSM8E0kVva3DKD:y2OgTjg5VS5ko3DKD

Score

10^/10

collection discovery execution

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

description	pid	Process	procid_target
PID 4508 created 3416	4508	88f340643cb029167d027a28af60309f28ca5f11b55dd397795a5bcd442ab35d.exe	56
PID 3240 created 3416	3240	stilkript.exe	56
PID 5796 created 3416	5796	Pygbskwjf.exe	56
PID 5292 created 3416	5292	STUB3kript.exe	56

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1092	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	88f340643cb029167d027a28af60309f28ca5f11b55dd397795a5bcd442ab35d.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TypeId.vbs	88f340643cb029167d027a28af60309f28ca5f11b55dd397795a5bcd442ab35d.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Eras.vbs	stilkript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SyncRoot.vbs	Pygbskwjf.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fallback.vbs	STUB3kript.exe

Executes dropped EXE 3 IoCs

pid	Process
3240	stilkript.exe
5796	Pygbskwjf.exe
5292	STUB3kript.exe

Accesses Microsoft Outlook profiles 1 TTPs 42 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook	InstallUtil.exe
Key queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	InstallUtil.exe
Key queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook	InstallUtil.exe
Key queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook	InstallUtil.exe
Key queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	InstallUtil.exe
Key queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook	InstallUtil.exe
Key queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4508 set thread context of 4552	4508	88f340643cb029167d027a28af60309f28ca5f11b55dd397795a5bcd442ab35d.exe	85
PID 3240 set thread context of 312	3240	stilkript.exe	89
PID 5796 set thread context of 3524	5796	Pygbskwjf.exe	95
PID 5292 set thread context of 5888	5292	STUB3kript.exe	101

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	88f340643cb029167d027a28af60309f28ca5f11b55dd397795a5bcd442ab35d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stilkript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pygbskwjf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3236	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3236	PING.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4508	88f340643cb029167d027a28af60309f28ca5f11b55dd397795a5bcd442ab35d.exe
3240	stilkript.exe
5796	Pygbskwjf.exe
5796	Pygbskwjf.exe
5796	Pygbskwjf.exe
5796	Pygbskwjf.exe
5292	STUB3kript.exe
1092	powershell.exe
1092	powershell.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	4508	88f340643cb029167d027a28af60309f28ca5f11b55dd397795a5bcd442ab35d.exe
Token: SeDebugPrivilege	4508	88f340643cb029167d027a28af60309f28ca5f11b55dd397795a5bcd442ab35d.exe
Token: SeDebugPrivilege	3240	stilkript.exe
Token: SeDebugPrivilege	4552	InstallUtil.exe
Token: SeDebugPrivilege	3240	stilkript.exe
Token: SeDebugPrivilege	312	InstallUtil.exe
Token: SeDebugPrivilege	5796	Pygbskwjf.exe
Token: SeDebugPrivilege	5796	Pygbskwjf.exe
Token: SeDebugPrivilege	5292	STUB3kript.exe
Token: SeDebugPrivilege	5292	STUB3kript.exe
Token: SeDebugPrivilege	1092	powershell.exe

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 4508 wrote to memory of 3240	4508	88f340643cb029167d027a28af60309f28ca5f11b55dd397795a5bcd442ab35d.exe	84
PID 4508 wrote to memory of 3240	4508	88f340643cb029167d027a28af60309f28ca5f11b55dd397795a5bcd442ab35d.exe	84
PID 4508 wrote to memory of 3240	4508	88f340643cb029167d027a28af60309f28ca5f11b55dd397795a5bcd442ab35d.exe	84
PID 4508 wrote to memory of 4552	4508	88f340643cb029167d027a28af60309f28ca5f11b55dd397795a5bcd442ab35d.exe	85
PID 4508 wrote to memory of 4552	4508	88f340643cb029167d027a28af60309f28ca5f11b55dd397795a5bcd442ab35d.exe	85
PID 4508 wrote to memory of 4552	4508	88f340643cb029167d027a28af60309f28ca5f11b55dd397795a5bcd442ab35d.exe	85
PID 4508 wrote to memory of 4552	4508	88f340643cb029167d027a28af60309f28ca5f11b55dd397795a5bcd442ab35d.exe	85
PID 4508 wrote to memory of 4552	4508	88f340643cb029167d027a28af60309f28ca5f11b55dd397795a5bcd442ab35d.exe	85
PID 4508 wrote to memory of 4552	4508	88f340643cb029167d027a28af60309f28ca5f11b55dd397795a5bcd442ab35d.exe	85
PID 4508 wrote to memory of 4552	4508	88f340643cb029167d027a28af60309f28ca5f11b55dd397795a5bcd442ab35d.exe	85
PID 4508 wrote to memory of 4552	4508	88f340643cb029167d027a28af60309f28ca5f11b55dd397795a5bcd442ab35d.exe	85
PID 3240 wrote to memory of 312	3240	stilkript.exe	89
PID 3240 wrote to memory of 312	3240	stilkript.exe	89
PID 3240 wrote to memory of 312	3240	stilkript.exe	89
PID 3240 wrote to memory of 312	3240	stilkript.exe	89
PID 3240 wrote to memory of 312	3240	stilkript.exe	89
PID 3240 wrote to memory of 312	3240	stilkript.exe	89
PID 3240 wrote to memory of 312	3240	stilkript.exe	89
PID 3240 wrote to memory of 312	3240	stilkript.exe	89
PID 312 wrote to memory of 5796	312	InstallUtil.exe	93
PID 312 wrote to memory of 5796	312	InstallUtil.exe	93
PID 312 wrote to memory of 5796	312	InstallUtil.exe	93
PID 5796 wrote to memory of 3524	5796	Pygbskwjf.exe	95
PID 5796 wrote to memory of 3524	5796	Pygbskwjf.exe	95
PID 5796 wrote to memory of 3524	5796	Pygbskwjf.exe	95
PID 5796 wrote to memory of 3524	5796	Pygbskwjf.exe	95
PID 5796 wrote to memory of 3524	5796	Pygbskwjf.exe	95
PID 5796 wrote to memory of 3524	5796	Pygbskwjf.exe	95
PID 5796 wrote to memory of 3524	5796	Pygbskwjf.exe	95
PID 5796 wrote to memory of 3524	5796	Pygbskwjf.exe	95
PID 4552 wrote to memory of 936	4552	InstallUtil.exe	96
PID 4552 wrote to memory of 936	4552	InstallUtil.exe	96
PID 4552 wrote to memory of 936	4552	InstallUtil.exe	96
PID 936 wrote to memory of 1772	936	cmd.exe	98
PID 936 wrote to memory of 1772	936	cmd.exe	98
PID 936 wrote to memory of 1772	936	cmd.exe	98
PID 936 wrote to memory of 3236	936	cmd.exe	99
PID 936 wrote to memory of 3236	936	cmd.exe	99
PID 936 wrote to memory of 3236	936	cmd.exe	99
PID 936 wrote to memory of 5292	936	cmd.exe	100
PID 936 wrote to memory of 5292	936	cmd.exe	100
PID 5292 wrote to memory of 5888	5292	STUB3kript.exe	101
PID 5292 wrote to memory of 5888	5292	STUB3kript.exe	101
PID 5292 wrote to memory of 5888	5292	STUB3kript.exe	101
PID 5292 wrote to memory of 5888	5292	STUB3kript.exe	101
PID 5292 wrote to memory of 5888	5292	STUB3kript.exe	101
PID 5292 wrote to memory of 5888	5292	STUB3kript.exe	101
PID 5292 wrote to memory of 5888	5292	STUB3kript.exe	101
PID 5292 wrote to memory of 5888	5292	STUB3kript.exe	101
PID 5292 wrote to memory of 5888	5292	STUB3kript.exe	101
PID 5292 wrote to memory of 5888	5292	STUB3kript.exe	101
PID 5888 wrote to memory of 2312	5888	InstallUtil.exe	102
PID 5888 wrote to memory of 2312	5888	InstallUtil.exe	102
PID 2312 wrote to memory of 1092	2312	cmd.exe	104
PID 2312 wrote to memory of 1092	2312	cmd.exe	104

outlook_office_path 1 IoCs

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3416
- C:\Users\Admin\AppData\Local\Temp\88f340643cb029167d027a28af60309f28ca5f11b55dd397795a5bcd442ab35d.exe
  "C:\Users\Admin\AppData\Local\Temp\88f340643cb029167d027a28af60309f28ca5f11b55dd397795a5bcd442ab35d.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Checks computer location settings
  - Drops startup file
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4508
- - C:\Users\Admin\AppData\Local\Temp\stilkript.exe
    "C:\Users\Admin\AppData\Local\Temp\stilkript.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3azkjlbUtyFw.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:936
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:1772
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 localhost
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3236
  - - C:\Users\Admin\AppData\Roaming\STUB3kript.exe
      "C:\Users\Admin\AppData\Roaming\STUB3kript.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Drops startup file
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:312
- - C:\Users\Admin\AppData\Local\Temp\Pygbskwjf.exe
    "C:\Users\Admin\AppData\Local\Temp\Pygbskwjf.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3524
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5888
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Folder1'
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Folder1'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

Filesize
1KB

MD5
9a0ef0e3ffe71dbbe73bbc2a73213cea

SHA1
3015608c23afb25470d2449819f415355db2397c

SHA256
b51d5b2511f7918e82b13c32902466ca2be7bd6a3e025b81324a7aa570444612

SHA512
400805b48dee34b01f2cddb9409e6cae988e692acce15e727223e8386c28bbbe0b5fa7c5015e0fcc71223a5a592fe31f9cb04d78d8bc0f0fb5ddf8722a4214d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3azkjlbUtyFw.bat

Filesize
173B

MD5
d01709ca6c8bbb6e260e75ff6294fe4a

SHA1
eb8ce46a14d93e57a9f8f74de5511826cad952e6

SHA256
11e2b5308192819128577b36f48df55688adb1a1cd627be570e23703e88eab41

SHA512
b8b9bd350227e42eed04f5e0f79c2339db14989bb2d86eff0e1e5cdaa671d408e7c1ac8f455e7c18417be242436bd7381ced493538a204edf87b82c443325be0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pygbskwjf.exe

Filesize
182KB

MD5
5d2e9f2a0aedf4232747174b665c0971

SHA1
66ed9454b15f09a3f73c3e330bb97085e10f67b3

SHA256
59d0075f53e1644a2128421155c9b368a15922f420f71e10431e28bd04c46086

SHA512
54be9e4fbe34dcfba6daddd20c934c37172ae1de3505357bb2c4191e686fe52ac02efee66f545d7645a57923e2936219a706cfd0fcec1af707b3eb91e2af99ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yknm2hiq.usp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\stilkript.exe

Filesize
79KB

MD5
13bbcfdfa76727df3566d9b279407b4b

SHA1
8f042048de38fd1d4b411a18e041812cf9ea4d62

SHA256
8c65351a7b2c2f1d3f314e30cf1619d4fb4bd9e9792514cfa6fb15761a38332d

SHA512
b3dfb5e75ba4351334d1e26dfa61e1bda7b84c5b8644e0ba8fd1ebb68f7d34fa104f0db3acccde8bf4663a13228fe4b75a4b84ba6a3467c7a3af0d1e28da8b68

Download Submit
C:\Users\Admin\AppData\Roaming\STUB3kript.exe

Filesize
2.4MB

MD5
c1892b00f069a675d70ff0f98fbf2442

SHA1
a21d4baff0f02f8a1b365c9d4e73c01a86336d26

SHA256
1dcf6e44bd8dce0aea1fa0195cb66d82130d2188a5c71a20eeb6fa66b2512b00

SHA512
f948c36eba9b841e09ab8d2c4f3a97c9142be5ec87a1271b6918d73841cdd0cfc8a76e9cbb1567ff65122092696c20e44b3e2dec3e58670e3da88630cf77880e

Download Submit
memory/312-10273-0x0000000006AA0000-0x0000000006AF0000-memory.dmp

Filesize
320KB

Download
memory/312-5248-0x00000000052F0000-0x000000000531C000-memory.dmp

Filesize
176KB

Download
memory/312-2352-0x00000000051F0000-0x000000000528C000-memory.dmp

Filesize
624KB

Download
memory/312-10272-0x0000000006A30000-0x0000000006A42000-memory.dmp

Filesize
72KB

Download
memory/312-2350-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/312-5249-0x0000000005740000-0x0000000005832000-memory.dmp

Filesize
968KB

Download
memory/1092-12462-0x000002906DDE0000-0x000002906DE02000-memory.dmp

Filesize
136KB

Download
memory/3240-2351-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/3240-2342-0x0000000006DB0000-0x0000000006E6A000-memory.dmp

Filesize
744KB

Download
memory/3240-1191-0x0000000006960000-0x0000000006AAA000-memory.dmp

Filesize
1.3MB

Download
memory/3240-1171-0x0000000000E20000-0x0000000000E3A000-memory.dmp

Filesize
104KB

Download
memory/3240-1177-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/3240-1174-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/3524-11362-0x0000000005470000-0x000000000552C000-memory.dmp

Filesize
752KB

Download
memory/3524-11361-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4508-49-0x0000000006720000-0x0000000006859000-memory.dmp

Filesize
1.2MB

Download
memory/4508-23-0x0000000006720000-0x0000000006859000-memory.dmp

Filesize
1.2MB

Download
memory/4508-47-0x0000000006720000-0x0000000006859000-memory.dmp

Filesize
1.2MB

Download
memory/4508-1157-0x0000000006C60000-0x0000000006D0E000-memory.dmp

Filesize
696KB

Download
memory/4508-1158-0x0000000006BA0000-0x0000000006BEC000-memory.dmp

Filesize
304KB

Download
memory/4508-45-0x0000000006720000-0x0000000006859000-memory.dmp

Filesize
1.2MB

Download
memory/4508-43-0x0000000006720000-0x0000000006859000-memory.dmp

Filesize
1.2MB

Download
memory/4508-33-0x0000000006720000-0x0000000006859000-memory.dmp

Filesize
1.2MB

Download
memory/4508-31-0x0000000006720000-0x0000000006859000-memory.dmp

Filesize
1.2MB

Download
memory/4508-29-0x0000000006720000-0x0000000006859000-memory.dmp

Filesize
1.2MB

Download
memory/4508-27-0x0000000006720000-0x0000000006859000-memory.dmp

Filesize
1.2MB

Download
memory/4508-0-0x0000000074BBE000-0x0000000074BBF000-memory.dmp

Filesize
4KB

Download
memory/4508-1170-0x0000000007550000-0x00000000075A4000-memory.dmp

Filesize
336KB

Download
memory/4508-51-0x0000000006720000-0x0000000006859000-memory.dmp

Filesize
1.2MB

Download
memory/4508-53-0x0000000006720000-0x0000000006859000-memory.dmp

Filesize
1.2MB

Download
memory/4508-1181-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/4508-1183-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/4508-1-0x0000000000960000-0x000000000097A000-memory.dmp

Filesize
104KB

Download
memory/4508-2-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/4508-3-0x0000000006720000-0x0000000006860000-memory.dmp

Filesize
1.2MB

Download
memory/4508-4-0x0000000006E40000-0x00000000073E4000-memory.dmp

Filesize
5.6MB

Download
memory/4508-5-0x0000000006990000-0x0000000006A22000-memory.dmp

Filesize
584KB

Download
memory/4508-1186-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/4508-1184-0x0000000074BBE000-0x0000000074BBF000-memory.dmp

Filesize
4KB

Download
memory/4508-1178-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/4508-63-0x0000000006720000-0x0000000006859000-memory.dmp

Filesize
1.2MB

Download
memory/4508-26-0x0000000006720000-0x0000000006859000-memory.dmp

Filesize
1.2MB

Download
memory/4508-17-0x0000000006720000-0x0000000006859000-memory.dmp

Filesize
1.2MB

Download
memory/4508-15-0x0000000006720000-0x0000000006859000-memory.dmp

Filesize
1.2MB

Download
memory/4508-13-0x0000000006720000-0x0000000006859000-memory.dmp

Filesize
1.2MB

Download
memory/4508-11-0x0000000006720000-0x0000000006859000-memory.dmp

Filesize
1.2MB

Download
memory/4508-1156-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/4508-21-0x0000000006720000-0x0000000006859000-memory.dmp

Filesize
1.2MB

Download
memory/4508-9-0x0000000006720000-0x0000000006859000-memory.dmp

Filesize
1.2MB

Download
memory/4508-7-0x0000000006720000-0x0000000006859000-memory.dmp

Filesize
1.2MB

Download
memory/4508-6-0x0000000006720000-0x0000000006859000-memory.dmp

Filesize
1.2MB

Download
memory/4508-35-0x0000000006720000-0x0000000006859000-memory.dmp

Filesize
1.2MB

Download
memory/4508-37-0x0000000006720000-0x0000000006859000-memory.dmp

Filesize
1.2MB

Download
memory/4508-39-0x0000000006720000-0x0000000006859000-memory.dmp

Filesize
1.2MB

Download
memory/4508-55-0x0000000006720000-0x0000000006859000-memory.dmp

Filesize
1.2MB

Download
memory/4508-57-0x0000000006720000-0x0000000006859000-memory.dmp

Filesize
1.2MB

Download
memory/4508-19-0x0000000006720000-0x0000000006859000-memory.dmp

Filesize
1.2MB

Download
memory/4508-59-0x0000000006720000-0x0000000006859000-memory.dmp

Filesize
1.2MB

Download
memory/4508-61-0x0000000006720000-0x0000000006859000-memory.dmp

Filesize
1.2MB

Download
memory/4508-41-0x0000000006720000-0x0000000006859000-memory.dmp

Filesize
1.2MB

Download
memory/4508-69-0x0000000006720000-0x0000000006859000-memory.dmp

Filesize
1.2MB

Download
memory/4508-65-0x0000000006720000-0x0000000006859000-memory.dmp

Filesize
1.2MB

Download
memory/4508-67-0x0000000006720000-0x0000000006859000-memory.dmp

Filesize
1.2MB

Download
memory/4552-1189-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/4552-1190-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/4552-1185-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4552-1188-0x0000000005810000-0x0000000005E28000-memory.dmp

Filesize
6.1MB

Download
memory/4552-5875-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/4552-5090-0x0000000005FA0000-0x0000000006006000-memory.dmp

Filesize
408KB

Download
memory/4552-1187-0x0000000005110000-0x00000000051CE000-memory.dmp

Filesize
760KB

Download
memory/4552-11364-0x0000000006D00000-0x0000000006DF4000-memory.dmp

Filesize
976KB

Download
memory/4552-6795-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/5292-11374-0x0000023F55450000-0x0000023F556C2000-memory.dmp

Filesize
2.4MB

Download
memory/5292-11376-0x0000023F6FDC0000-0x0000023F6FEC8000-memory.dmp

Filesize
1.0MB

Download
memory/5292-11375-0x0000023F6FC40000-0x0000023F6FD52000-memory.dmp

Filesize
1.1MB

Download
memory/5292-12451-0x0000023F70F80000-0x0000023F70FFC000-memory.dmp

Filesize
496KB

Download
memory/5796-10278-0x00000000006F0000-0x0000000000724000-memory.dmp

Filesize
208KB

Download
memory/5796-11354-0x0000000006AA0000-0x0000000006B46000-memory.dmp

Filesize
664KB

Download
memory/5796-10279-0x00000000066F0000-0x0000000006822000-memory.dmp

Filesize
1.2MB

Download