Malware Analysis Report

2025-04-14 05:12

Sample ID 201224-b2rlkhrj92
Target OOCLU57731000013.xls.exe
SHA256 14836e19f657b3a82b1f58dfb846ff1eb66f72ea7eb9b840c2de4b2ceeddcddd
Tags masslogger spyware stealer
Score 10/10

Analysis Overview

Score

10/10

SHA256

14836e19f657b3a82b1f58dfb846ff1eb66f72ea7eb9b840c2de4b2ceeddcddd

Threat Level: Known bad

The file OOCLU57731000013.xls.exe was found to be: Known bad.

Malicious Activity Summary

masslogger spyware stealer

MassLogger

MassLogger Main Payload

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Looks up external IP address via web service

Suspicious use of SetThreadContext

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2020-12-24 14:20

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2020-12-24 14:20

Reported

2020-12-24 14:22

Platform

win7v20201028

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 788 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe
PID 788 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe
PID 788 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe
PID 788 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe
PID 788 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe
PID 788 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe
PID 788 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe
PID 788 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe
PID 788 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe
PID 656 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 656 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 656 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 656 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 656 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe C:\Windows\SysWOW64\cmd.exe
PID 656 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe C:\Windows\SysWOW64\cmd.exe
PID 656 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe C:\Windows\SysWOW64\cmd.exe
PID 656 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe C:\Windows\SysWOW64\cmd.exe
PID 656 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe C:\Windows\SysWOW64\cmd.exe
PID 656 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe C:\Windows\SysWOW64\cmd.exe
PID 656 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe C:\Windows\SysWOW64\cmd.exe
PID 656 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe C:\Windows\SysWOW64\cmd.exe
PID 1596 wrote to memory of 1296 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1596 wrote to memory of 1296 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1596 wrote to memory of 1296 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1596 wrote to memory of 1296 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1648 wrote to memory of 1672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1648 wrote to memory of 1672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1648 wrote to memory of 1672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1648 wrote to memory of 1672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1648 wrote to memory of 1964 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe
PID 1648 wrote to memory of 1964 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe
PID 1648 wrote to memory of 1964 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe
PID 1648 wrote to memory of 1964 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe
PID 1964 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe
PID 1964 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe
PID 1964 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe
PID 1964 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe
PID 1964 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe
PID 1964 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe
PID 1964 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe
PID 1964 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe
PID 1964 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe

Processes

C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe

"C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe"

C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe

"{path}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe'

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn nslookup.exe /tr '"C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp816F.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn nslookup.exe /tr '"C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe

"C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe"

C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe

"{path}"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 api.ipify.org udp
N/A 54.243.164.148:80 api.ipify.org tcp

Files

memory/788-2-0x0000000074DA0000-0x000000007548E000-memory.dmp

memory/788-3-0x00000000010F0000-0x00000000010F1000-memory.dmp

memory/788-5-0x00000000002A0000-0x00000000002A4000-memory.dmp

memory/788-6-0x0000000005EB0000-0x0000000005F4E000-memory.dmp

memory/656-7-0x0000000000400000-0x0000000000486000-memory.dmp

memory/656-8-0x000000000048149E-mapping.dmp

memory/656-9-0x0000000000400000-0x0000000000486000-memory.dmp

memory/656-10-0x0000000000400000-0x0000000000486000-memory.dmp

memory/656-11-0x0000000074DA0000-0x000000007548E000-memory.dmp

memory/1136-14-0x0000000000000000-mapping.dmp

memory/1596-15-0x0000000000000000-mapping.dmp

memory/1136-16-0x0000000074DA0000-0x000000007548E000-memory.dmp

memory/1136-17-0x00000000009B0000-0x00000000009B1000-memory.dmp

memory/1648-18-0x0000000000000000-mapping.dmp

memory/1296-19-0x0000000000000000-mapping.dmp

memory/1136-20-0x0000000004930000-0x0000000004931000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp816F.tmp.bat

MD5 f4c4a0186a46aad34e511d45c18a8407
SHA1 16e87144ef500c85821e5895c1db9aa2d63c38b6
SHA256 c9509a312e3cb56cb72b7a7063ce1455436be8a76797601486116fdf50a47049
SHA512 3d5b38f894e8f7fd03d6678dcf89f3f2ebcada8cad1b8100f6b9cf4761f408909785653ded0ca052ce20e2e45ba5f30fb930488ed85bda4acd9fc220331555cc

memory/1672-22-0x0000000000000000-mapping.dmp

memory/1136-23-0x0000000002520000-0x0000000002521000-memory.dmp

memory/1136-24-0x0000000002860000-0x0000000002861000-memory.dmp

memory/1136-27-0x0000000005650000-0x0000000005651000-memory.dmp

\Users\Admin\AppData\Roaming\vilan\nslookup.exe

MD5 7c3df39bc1a99d5b392330206083461b
SHA1 7f60f5dc06d5f4a91d606312747bbc770226bbb3
SHA256 14836e19f657b3a82b1f58dfb846ff1eb66f72ea7eb9b840c2de4b2ceeddcddd
SHA512 3cab1494e1a137045c0b7eb005c169fb56b26efc7754b80ff44090502c11a4f96d36b0bd403cc309e0b9fca4220bad4cdcaa8b6905483fbb9d4ec000964c9985

C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe

MD5 7c3df39bc1a99d5b392330206083461b
SHA1 7f60f5dc06d5f4a91d606312747bbc770226bbb3
SHA256 14836e19f657b3a82b1f58dfb846ff1eb66f72ea7eb9b840c2de4b2ceeddcddd
SHA512 3cab1494e1a137045c0b7eb005c169fb56b26efc7754b80ff44090502c11a4f96d36b0bd403cc309e0b9fca4220bad4cdcaa8b6905483fbb9d4ec000964c9985

memory/1964-31-0x0000000000000000-mapping.dmp

memory/1964-32-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe

MD5 7c3df39bc1a99d5b392330206083461b
SHA1 7f60f5dc06d5f4a91d606312747bbc770226bbb3
SHA256 14836e19f657b3a82b1f58dfb846ff1eb66f72ea7eb9b840c2de4b2ceeddcddd
SHA512 3cab1494e1a137045c0b7eb005c169fb56b26efc7754b80ff44090502c11a4f96d36b0bd403cc309e0b9fca4220bad4cdcaa8b6905483fbb9d4ec000964c9985

memory/1964-36-0x0000000074DA0000-0x000000007548E000-memory.dmp

memory/1964-38-0x00000000011D0000-0x00000000011D1000-memory.dmp

memory/1136-41-0x0000000006040000-0x0000000006041000-memory.dmp

memory/1136-42-0x00000000061A0000-0x00000000061A1000-memory.dmp

memory/1136-49-0x0000000006280000-0x0000000006281000-memory.dmp

memory/1136-50-0x00000000055D0000-0x00000000055D1000-memory.dmp

memory/1136-64-0x0000000006300000-0x0000000006301000-memory.dmp

memory/1136-65-0x0000000006310000-0x0000000006311000-memory.dmp

memory/1736-68-0x000000000048149E-mapping.dmp

C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe

MD5 7c3df39bc1a99d5b392330206083461b
SHA1 7f60f5dc06d5f4a91d606312747bbc770226bbb3
SHA256 14836e19f657b3a82b1f58dfb846ff1eb66f72ea7eb9b840c2de4b2ceeddcddd
SHA512 3cab1494e1a137045c0b7eb005c169fb56b26efc7754b80ff44090502c11a4f96d36b0bd403cc309e0b9fca4220bad4cdcaa8b6905483fbb9d4ec000964c9985

memory/1736-72-0x0000000074D20000-0x000000007540E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2020-12-24 14:20

Reported

2020-12-24 14:22

Platform

win10v20201028

Max time kernel

139s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe N/A

Reads user/profile data of web browsers

spyware

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4648 set thread context of 3956 N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe
PID 1480 set thread context of 1280 N/A C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4648 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe
PID 4648 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe
PID 4648 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe
PID 4648 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe
PID 4648 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe
PID 4648 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe
PID 4648 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe
PID 4648 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe
PID 3956 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3956 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3956 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3956 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe C:\Windows\SysWOW64\cmd.exe
PID 3956 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe C:\Windows\SysWOW64\cmd.exe
PID 3956 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe C:\Windows\SysWOW64\cmd.exe
PID 3956 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe C:\Windows\SysWOW64\cmd.exe
PID 3956 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe C:\Windows\SysWOW64\cmd.exe
PID 3956 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe C:\Windows\SysWOW64\cmd.exe
PID 4416 wrote to memory of 852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4416 wrote to memory of 852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4416 wrote to memory of 852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4436 wrote to memory of 996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4436 wrote to memory of 996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4436 wrote to memory of 996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4416 wrote to memory of 1480 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe
PID 4416 wrote to memory of 1480 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe
PID 4416 wrote to memory of 1480 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe
PID 1480 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe
PID 1480 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe
PID 1480 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe
PID 1480 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe
PID 1480 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe
PID 1480 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe
PID 1480 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe
PID 1480 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe
PID 1280 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1280 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1280 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe

"C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe"

C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe

"{path}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\OOCLU57731000013.xls.exe'

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn nslookup.exe /tr '"C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3A5A.tmp.bat""

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn nslookup.exe /tr '"C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe"'

C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe

"C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe"

C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe

"{path}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe'

Network

Country Destination Domain Proto
N/A 52.114.133.61:443 N/A tcp
N/A 52.109.8.21:443 N/A tcp
N/A 8.8.8.8:53 api.ipify.org udp
N/A 54.235.83.248:80 api.ipify.org tcp
N/A 8.8.8.8:53 api.ipify.org udp
N/A 54.243.164.148:80 api.ipify.org tcp

Files

memory/4648-2-0x0000000073E30000-0x000000007451E000-memory.dmp

memory/4648-3-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

memory/4648-5-0x0000000005CC0000-0x0000000005CC1000-memory.dmp

memory/4648-6-0x0000000003390000-0x0000000003391000-memory.dmp

memory/4648-7-0x0000000003360000-0x0000000003361000-memory.dmp

memory/4648-8-0x0000000008D00000-0x0000000008D01000-memory.dmp

memory/4648-9-0x0000000005B70000-0x0000000005B74000-memory.dmp

memory/4648-10-0x0000000009020000-0x00000000090BE000-memory.dmp

memory/3956-11-0x0000000000400000-0x0000000000486000-memory.dmp

memory/3956-12-0x000000000048149E-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OOCLU57731000013.xls.exe.log

MD5 0c2899d7c6746f42d5bbe088c777f94c
SHA1 622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1
SHA256 5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458
SHA512 ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

memory/3956-14-0x0000000073E30000-0x000000007451E000-memory.dmp

memory/3956-19-0x0000000006840000-0x0000000006841000-memory.dmp

memory/1868-20-0x0000000000000000-mapping.dmp

memory/1868-22-0x0000000073E30000-0x000000007451E000-memory.dmp

memory/1868-23-0x0000000003460000-0x0000000003461000-memory.dmp

memory/1868-24-0x0000000007970000-0x0000000007971000-memory.dmp

memory/4436-25-0x0000000000000000-mapping.dmp

memory/4416-26-0x0000000000000000-mapping.dmp

memory/1868-27-0x0000000007690000-0x0000000007691000-memory.dmp

memory/1868-28-0x0000000007730000-0x0000000007731000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp3A5A.tmp.bat

MD5 40146b5c0ace3494d0564b5cbe84c23c
SHA1 376bad085414544ebda348be39f899f6f65ae201
SHA256 95601ae86cc41b44f770274ef383a93c2d02f0f91a11eef09a65cff3f7a83167
SHA512 909178ffbea3048135099c38c6f5768a4973232697e983b1520f0107fb369a5e6f560998cc03a3d969318f428d68d009cda78527417dca1476408345e084c582

memory/852-32-0x0000000000000000-mapping.dmp

memory/1868-31-0x00000000080A0000-0x00000000080A1000-memory.dmp

memory/996-33-0x0000000000000000-mapping.dmp

memory/1868-34-0x0000000007830000-0x0000000007831000-memory.dmp

memory/1868-35-0x0000000008810000-0x0000000008811000-memory.dmp

memory/1868-36-0x00000000086A0000-0x00000000086A1000-memory.dmp

memory/1868-38-0x0000000009720000-0x0000000009753000-memory.dmp

memory/1868-45-0x00000000094C0000-0x00000000094C1000-memory.dmp

memory/1868-46-0x0000000009850000-0x0000000009851000-memory.dmp

memory/1868-47-0x0000000009A50000-0x0000000009A51000-memory.dmp

memory/1480-48-0x0000000000000000-mapping.dmp

memory/1480-52-0x0000000073E30000-0x000000007451E000-memory.dmp

C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe

MD5 7c3df39bc1a99d5b392330206083461b
SHA1 7f60f5dc06d5f4a91d606312747bbc770226bbb3
SHA256 14836e19f657b3a82b1f58dfb846ff1eb66f72ea7eb9b840c2de4b2ceeddcddd
SHA512 3cab1494e1a137045c0b7eb005c169fb56b26efc7754b80ff44090502c11a4f96d36b0bd403cc309e0b9fca4220bad4cdcaa8b6905483fbb9d4ec000964c9985

C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe

MD5 7c3df39bc1a99d5b392330206083461b
SHA1 7f60f5dc06d5f4a91d606312747bbc770226bbb3
SHA256 14836e19f657b3a82b1f58dfb846ff1eb66f72ea7eb9b840c2de4b2ceeddcddd
SHA512 3cab1494e1a137045c0b7eb005c169fb56b26efc7754b80ff44090502c11a4f96d36b0bd403cc309e0b9fca4220bad4cdcaa8b6905483fbb9d4ec000964c9985

memory/1480-49-0x0000000000000000-mapping.dmp

memory/1868-60-0x00000000099B0000-0x00000000099B1000-memory.dmp

memory/1868-62-0x0000000009990000-0x0000000009991000-memory.dmp

memory/1280-66-0x000000000048149E-mapping.dmp

C:\Users\Admin\AppData\Roaming\vilan\nslookup.exe

MD5 7c3df39bc1a99d5b392330206083461b
SHA1 7f60f5dc06d5f4a91d606312747bbc770226bbb3
SHA256 14836e19f657b3a82b1f58dfb846ff1eb66f72ea7eb9b840c2de4b2ceeddcddd
SHA512 3cab1494e1a137045c0b7eb005c169fb56b26efc7754b80ff44090502c11a4f96d36b0bd403cc309e0b9fca4220bad4cdcaa8b6905483fbb9d4ec000964c9985

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\nslookup.exe.log

MD5 0c2899d7c6746f42d5bbe088c777f94c
SHA1 622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1
SHA256 5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458
SHA512 ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

memory/1280-69-0x0000000073E30000-0x000000007451E000-memory.dmp

memory/2608-75-0x0000000000000000-mapping.dmp

memory/1280-77-0x0000000007220000-0x0000000007221000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 1c19c16e21c97ed42d5beabc93391fc5
SHA1 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA256 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA512 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

memory/2608-80-0x0000000073E30000-0x000000007451E000-memory.dmp

memory/2608-86-0x0000000008360000-0x0000000008361000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 769b5c4eeb60575e1ca180944908df1f
SHA1 5184105a0b15e2de71c6792c7aea818acfae336f
SHA256 c63b9fb0a840fb3a097bd41e9d99fa52e64aa704f3ee6569027bb02779f623eb
SHA512 0241e1589e1448e982f673fdc555dafe29955953e966291fd2407bf128b5a6cfdbd2b2833a4c2804bed9d4c4cd47f8673e20f63d0bf76122dfe0e86c80f45a16

memory/2608-89-0x0000000008D20000-0x0000000008D21000-memory.dmp

memory/2608-100-0x0000000009C70000-0x0000000009C71000-memory.dmp