Analysis Overview
SHA256
b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f
Threat Level: Known bad
The file b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f was found to be: Known bad.
Malicious Activity Summary
MassLogger
MassLogger Main Payload
Checks computer location settings
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Suspicious use of SetThreadContext
Suspicious use of AdjustPrivilegeToken
outlook_win_path
Suspicious use of SetWindowsHookEx
outlook_office_path
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious behavior: AddClipboardFormatListener
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-03-26 09:43
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-03-26 09:43
Reported
2022-03-27 08:51
Platform
win7-20220310-en
Max time kernel
4294178s
Max time network
128s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1452 set thread context of 920 | N/A | C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe | C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe | N/A |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe | "C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\3bc9d0e4991c4127854c846f1c363314.xml" |
| C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe | "C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe" |
| C:\Windows\SysWOW64\schtasks.exe | schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\3bc9d0e4991c4127854c846f1c363314.xml" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe' |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 3.232.242.170:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | mail.turkaykalibrasyon.com | udp |
| TR | 95.173.177.131:587 | mail.turkaykalibrasyon.com | tcp |
Files
memory/1452-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp
memory/1452-55-0x00000000009B0000-0x0000000000A4C000-memory.dmp
memory/1700-56-0x0000000000000000-mapping.dmp
memory/920-57-0x000000000040188B-mapping.dmp
memory/776-59-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\3bc9d0e4991c4127854c846f1c363314.xml
| MD5 | 64c93af47c479be893f61afbc7472015 |
| SHA1 | 400cd9cef7c8ab678063601c23c72453f1c10f16 |
| SHA256 | 5bc83f04478cccb2c3bb4934f73efa55b8603924f671fcd647712c71f68bbc27 |
| SHA512 | 500f5d3604859abdc602ad89fc4bf3cd4adfbce0c0d29714b17b473929d5b06cff67c4d44deed0166bc90a486d0c404f4e857073c4657efefaa2e431f8b64fe4 |
memory/920-61-0x00000000042F0000-0x0000000004376000-memory.dmp
memory/1320-62-0x0000000000000000-mapping.dmp
memory/920-64-0x0000000004399000-0x00000000043AA000-memory.dmp
memory/920-65-0x0000000005D80000-0x0000000005DBE000-memory.dmp
memory/920-66-0x0000000005E30000-0x0000000005EC0000-memory.dmp
memory/1320-67-0x000000006E790000-0x000000006ED3B000-memory.dmp
memory/1320-68-0x00000000025F0000-0x000000000323A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-03-26 09:43
Reported
2022-03-27 08:42
Platform
win10v2004-en-20220113
Max time kernel
130s
Max time network
156s
Command Line
Signatures
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1160 set thread context of 2732 | N/A | C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe | C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe | "C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\3bc9d0e4991c4127854c846f1c363314.xml" |
| C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe | "C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe" |
| C:\Windows\SysWOW64\schtasks.exe | schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\3bc9d0e4991c4127854c846f1c363314.xml" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe' |
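Across the two detonations the process lists show three behaviours in plain command lines: persistence via schtasks /Create /XML pointing at a task definition dropped under the user's Temp folder (the task is literally named "name"), and a PowerShell step that differs by platform: the Win7 run adds a Microsoft Defender exclusion for the sample's own path with Add-MpPreference, while the Win10 run sleeps two seconds and deletes the sample with Remove-Item. The Python below is an added triage helper, not part of the sandbox report or of MassLogger. It runs detection logic over the command lines copied from both Processes lists and maps each hit to an ATT&CK sub-technique; the temp-folder heuristic and the technique mapping are my choices.

```python
import re

# Command lines copied from the Processes lists of behavioral1 and behavioral2
# on this page. The two constants are the sample's own path and its task XML.
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe"
TASK_XML = r"C:\Users\Admin\AppData\Local\Temp\3bc9d0e4991c4127854c846f1c363314.xml"
SAMPLE_CMDLINES = [
    f'"{SAMPLE_EXE}"',
    f'cmd /c schtasks /Create /TN name /XML "{TASK_XML}"',
    f'schtasks /Create /TN name /XML "{TASK_XML}"',
    f"\"powershell\" Add-MpPreference -ExclusionPath '{SAMPLE_EXE}'",
    f"\"powershell\" Start-Sleep -Seconds 2; Remove-Item -path '{SAMPLE_EXE}'",
]

# ATT&CK sub-techniques for the three behaviours the command lines show.
TECHNIQUES = {
    "T1053.005": "Scheduled Task registered from an XML definition in a temp folder",
    "T1562.001": "Microsoft Defender exclusion added with Add-MpPreference",
    "T1070.004": "Delayed self-deletion (Start-Sleep; Remove-Item)",
}

# Heuristic (assumption): installers and administrators do not normally register
# tasks from an XML file sitting in a user's Temp folder.
_TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Each pattern captures the argument either quoted ("..." / '...') or bare.
_SCHTASKS = re.compile(
    r'schtasks(?:\.exe)?\s+/create\b.*?/xml\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
_DEFENDER = re.compile(
    r"""add-mppreference\b.*?-exclusion(?:path|process|extension)\s+(?:'([^']+)'|"([^"]+)"|(\S+))""",
    re.IGNORECASE)
_SELF_DELETE = re.compile(
    r"""start-sleep\b.*?;\s*remove-item\s+(?:-path\s+)?(?:'([^']+)'|"([^"]+)"|(\S+))""",
    re.IGNORECASE)


def _arg(match):
    """Return whichever capture group (quoted or bare argument) matched."""
    return next(g for g in match.groups() if g is not None)


def detect(cmdline):
    """Return [(technique_id, artifact_path), ...] for one process command line."""
    findings = []
    m = _SCHTASKS.search(cmdline)
    if m and _TEMP_DIR.search(_arg(m)):
        findings.append(("T1053.005", _arg(m)))
    m = _DEFENDER.search(cmdline)
    if m:
        findings.append(("T1562.001", _arg(m)))
    m = _SELF_DELETE.search(cmdline)
    if m:
        findings.append(("T1070.004", _arg(m)))
    return findings


def triage(cmdlines):
    """Group the artifact paths by technique across a whole process list."""
    out = {}
    for line in cmdlines:
        for tid, artifact in detect(line):
            out.setdefault(tid, []).append(artifact)
    return out


if __name__ == "__main__":
    for tid, artifacts in triage(SAMPLE_CMDLINES).items():
        print(f"{tid}  {TECHNIQUES[tid]}")
        for artifact in artifacts:
            print(f"    {artifact}")
```

On the command lines above the schtasks rule fires twice (once for the cmd wrapper, once for schtasks.exe itself) on the same XML path, and the two PowerShell rules each return the sample's own path, which is the artifact to hunt for on other hosts: a task whose definition came from that XML, a Defender exclusion for that path, or a missing binary that a scheduled task still points at.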
Network
| Country | Destination | Domain | Proto |
| NL | 8.248.5.254:80 | | tcp |
| NL | 8.248.5.254:80 | | tcp |
| US | 8.8.8.8:53 | 151.122.125.40.in-addr.arpa | udp |
Files
memory/1160-130-0x0000000000400000-0x000000000049C000-memory.dmp
memory/2720-131-0x0000000000000000-mapping.dmp
memory/2732-132-0x0000000000000000-mapping.dmp
memory/3320-133-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\3bc9d0e4991c4127854c846f1c363314.xml
| MD5 | c673ecc050b1038f727be09aa61cb4b1 |
| SHA1 | d2960b6d62810ce8745f6353d6924ae79af01e7e |
| SHA256 | 8f2648a15094c455e21cab1ba01133d9d9d17caaab1bb2ee782da160898880e4 |
| SHA512 | d6b75c8068c3d9208585413f7a799f69b05e141446d09925f9aae34ac65c0745f37196ec3aeb369e2c8dea6ddfcc55c07fe8f227a06d79dfa408f3d2315c29e6 |
memory/2732-135-0x0000000005830000-0x00000000058C2000-memory.dmp
memory/2732-136-0x0000000005E80000-0x0000000006424000-memory.dmp
memory/2732-137-0x00000000058D0000-0x0000000005936000-memory.dmp
memory/4088-138-0x0000000000000000-mapping.dmp
memory/4088-139-0x00000000047D0000-0x0000000004806000-memory.dmp
memory/4088-140-0x0000000004E40000-0x0000000005468000-memory.dmp
memory/4088-141-0x00000000054D0000-0x00000000054F2000-memory.dmp
memory/4088-142-0x0000000005670000-0x00000000056D6000-memory.dmp
memory/4088-143-0x0000000005D50000-0x0000000005D6E000-memory.dmp
memory/4088-144-0x0000000002445000-0x0000000002447000-memory.dmp
memory/4088-145-0x0000000007330000-0x00000000079AA000-memory.dmp
memory/4088-146-0x0000000006250000-0x000000000626A000-memory.dmp
memory/4088-147-0x0000000006F50000-0x0000000006FE6000-memory.dmp
memory/4088-148-0x0000000006EE0000-0x0000000006F02000-memory.dmp