Malware Analysis Report

2025-04-14 05:14

Sample ID 201202-tcqh8wpk6s
Target 52b1565bb8a50701d219f361929ea870.exe
SHA256 9b1d91114fdc8c143afbedc2475e69a539c81d19eeee4ba9301da81b794efaf7
Tags
masslogger persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

9b1d91114fdc8c143afbedc2475e69a539c81d19eeee4ba9301da81b794efaf7

Threat Level: Known bad

The file 52b1565bb8a50701d219f361929ea870.exe was found to be: Known bad.

Malicious Activity Summary

masslogger persistence spyware stealer

MassLogger Main Payload

MassLogger

Modifies system executable filetype association

Beds Protector Packer

Executes dropped EXE

Loads dropped DLL

Drops startup file

Checks computer location settings

Reads user/profile data of web browsers

Looks up external IP address via web service

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2020-12-02 15:30

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2020-12-02 15:30

Reported

2020-12-02 15:32

Platform

win10v20201028

Max time kernel

58s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A

Beds Protector Packer

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Intel.exe C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Intel.exe C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A

Reads user/profile data of web browsers

spyware

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2768 set thread context of 4072 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\Google\Update\1335~1.452\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\Google\Temp\GUMED0D.tmp\GOFB2B~1.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\Install\{B130F~1\CR_2BD8F.tmp\setup.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1335~1.452\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1335~1.452\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1335~1.452\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1335~1.452\GOFB2B~1.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1335~1.452\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\WinMail.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1335~1.452\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1335~1.452\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A (41 identical entries)
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (3 identical entries)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3084 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe (3 identical entries)
PID 2768 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe (8 identical entries)
PID 4072 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 identical entries)

Processes

C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe

"C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe'

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 api.ipify.org udp
N/A 54.243.164.148:80 api.ipify.org tcp
N/A 8.8.8.8:53 slips11.ca udp
N/A 107.189.2.185:80 slips11.ca tcp

Files

C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe

MD5 8325f164767ee76aa5fe314914e67cb7
SHA1 d60f85eae165b398d0e41a3c5e6ea4e0b3a365fd
SHA256 e39588fe9bd20889b58e8e639ff529daa9c2728b5eb9a4acf55c12c90d06d102
SHA512 0c8eda1b97b5883535d96c8a687816ed7793d54b7dbc6c8597136ae52e35b223414d619e8d1559fefaebec04c106da6a82224bf56387319fb1f7ae44267eec07

Analysis: behavioral1

Detonation Overview

Submitted

2020-12-02 15:30

Reported

2020-12-02 15:32

Platform

win7v20201028

Max time kernel

122s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A

Beds Protector Packer

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Intel.exe C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Intel.exe C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A

Reads user/profile data of web browsers

spyware

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1168 set thread context of 1928 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\WMPDMC.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1335~1.452\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1335~1.452\GOFB2B~1.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\Google\Temp\GUMCEA4.tmp\GOFB2B~1.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1335~1.452\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\Install\{A281F~1\CR_02A57.tmp\setup.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1335~1.452\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\OIS.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\WinMail.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1335~1.452\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wabmig.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1335~1.452\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1335~1.452\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1335~1.452\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\misc.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1992 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe
PID 1992 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe
PID 1992 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe
PID 1992 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe
PID 1168 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe
PID 1168 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe
PID 1168 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe
PID 1168 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe
PID 1168 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe
PID 1168 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe
PID 1168 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe
PID 1168 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe
PID 1168 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe
PID 1928 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1928 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1928 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1928 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe

"C:\Users\Admin\AppData\Local\Temp\52b1565bb8a50701d219f361929ea870.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe'

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 api.ipify.org udp
N/A 23.21.252.4:80 api.ipify.org tcp
N/A 8.8.8.8:53 slips11.ca udp
N/A 107.189.2.185:80 slips11.ca tcp

Files

C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe

MD5 8325f164767ee76aa5fe314914e67cb7
SHA1 d60f85eae165b398d0e41a3c5e6ea4e0b3a365fd
SHA256 e39588fe9bd20889b58e8e639ff529daa9c2728b5eb9a4acf55c12c90d06d102
SHA512 0c8eda1b97b5883535d96c8a687816ed7793d54b7dbc6c8597136ae52e35b223414d619e8d1559fefaebec04c106da6a82224bf56387319fb1f7ae44267eec07

C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe

MD5 8325f164767ee76aa5fe314914e67cb7
SHA1 d60f85eae165b398d0e41a3c5e6ea4e0b3a365fd
SHA256 e39588fe9bd20889b58e8e639ff529daa9c2728b5eb9a4acf55c12c90d06d102
SHA512 0c8eda1b97b5883535d96c8a687816ed7793d54b7dbc6c8597136ae52e35b223414d619e8d1559fefaebec04c106da6a82224bf56387319fb1f7ae44267eec07

memory/1168-3-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe

MD5 8325f164767ee76aa5fe314914e67cb7
SHA1 d60f85eae165b398d0e41a3c5e6ea4e0b3a365fd
SHA256 e39588fe9bd20889b58e8e639ff529daa9c2728b5eb9a4acf55c12c90d06d102
SHA512 0c8eda1b97b5883535d96c8a687816ed7793d54b7dbc6c8597136ae52e35b223414d619e8d1559fefaebec04c106da6a82224bf56387319fb1f7ae44267eec07

memory/1168-6-0x0000000073AF0000-0x00000000741DE000-memory.dmp

memory/1168-7-0x0000000000D10000-0x0000000000D11000-memory.dmp

memory/1168-9-0x0000000000AB0000-0x0000000000B3A000-memory.dmp

\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

MD5 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1 ec66cda99f44b62470c6930e5afda061579cde35
SHA256 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

\PROGRA~2\Google\Temp\GUMCEA4.tmp\GOFB2B~1.EXE

MD5 583ff3367e050c4d62bc03516473b40a
SHA1 6aa1d26352b78310e711884829c35a69ed1bf0f9
SHA256 6b63f8dd47d8b3baa71b6cd205d428861b96bf09cf479071e75ddd23f97c0146
SHA512 e9bdd5cc2e29db48cc524488fbadb08e808f17f6e18fa595cfebae229c94f2547079e52a2ada214169577b89b2ffbef424729cd90acdea3774f5c76aec192be0

\PROGRA~2\Google\Update\1335~1.452\GOFB2B~1.EXE

MD5 583ff3367e050c4d62bc03516473b40a
SHA1 6aa1d26352b78310e711884829c35a69ed1bf0f9
SHA256 6b63f8dd47d8b3baa71b6cd205d428861b96bf09cf479071e75ddd23f97c0146
SHA512 e9bdd5cc2e29db48cc524488fbadb08e808f17f6e18fa595cfebae229c94f2547079e52a2ada214169577b89b2ffbef424729cd90acdea3774f5c76aec192be0

\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe

MD5 8325f164767ee76aa5fe314914e67cb7
SHA1 d60f85eae165b398d0e41a3c5e6ea4e0b3a365fd
SHA256 e39588fe9bd20889b58e8e639ff529daa9c2728b5eb9a4acf55c12c90d06d102
SHA512 0c8eda1b97b5883535d96c8a687816ed7793d54b7dbc6c8597136ae52e35b223414d619e8d1559fefaebec04c106da6a82224bf56387319fb1f7ae44267eec07

memory/1928-16-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1928-17-0x0000000000481ABE-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\3582-490\52b1565bb8a50701d219f361929ea870.exe

MD5 8325f164767ee76aa5fe314914e67cb7
SHA1 d60f85eae165b398d0e41a3c5e6ea4e0b3a365fd
SHA256 e39588fe9bd20889b58e8e639ff529daa9c2728b5eb9a4acf55c12c90d06d102
SHA512 0c8eda1b97b5883535d96c8a687816ed7793d54b7dbc6c8597136ae52e35b223414d619e8d1559fefaebec04c106da6a82224bf56387319fb1f7ae44267eec07

memory/1928-19-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1928-20-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1928-21-0x0000000073AF0000-0x00000000741DE000-memory.dmp

memory/568-24-0x0000000000000000-mapping.dmp

memory/568-25-0x0000000073AF0000-0x00000000741DE000-memory.dmp

memory/568-26-0x0000000001D10000-0x0000000001D11000-memory.dmp

memory/568-27-0x0000000004A20000-0x0000000004A21000-memory.dmp

memory/568-28-0x00000000025D0000-0x00000000025D1000-memory.dmp

memory/568-29-0x0000000004950000-0x0000000004951000-memory.dmp

memory/568-32-0x0000000005670000-0x0000000005671000-memory.dmp

memory/568-37-0x0000000005730000-0x0000000005731000-memory.dmp

memory/568-38-0x0000000005790000-0x0000000005791000-memory.dmp

memory/568-45-0x0000000006240000-0x0000000006241000-memory.dmp

memory/568-46-0x00000000055D0000-0x00000000055D1000-memory.dmp

memory/568-60-0x0000000006300000-0x0000000006301000-memory.dmp

memory/568-61-0x0000000006310000-0x0000000006311000-memory.dmp