Malware Analysis Report

2025-01-18 04:57

Sample ID 220326-rbsaxsdee3
Target 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9
SHA256 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9
Tags
masslogger collection spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9

Threat Level: Known bad

The file 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9 was found to be: Known bad.

Malicious Activity Summary

masslogger collection spyware stealer

MassLogger

MassLogger Main Payload

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

outlook_win_path

Suspicious behavior: EnumeratesProcesses

Delays execution with timeout.exe

outlook_office_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-26 14:01

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-26 14:01

Reported

2022-03-27 16:58

Platform

win7-20220311-en

Max time kernel

4294194s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1608 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
PID 1608 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
PID 1608 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
PID 1248 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1248 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe C:\Windows\SysWOW64\cmd.exe
PID 1048 wrote to memory of 2012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1344 wrote to memory of 1716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1344 wrote to memory of 1672 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sre\src.exe
PID 1672 wrote to memory of 108 N/A C:\Users\Admin\AppData\Local\Temp\sre\src.exe C:\Users\Admin\AppData\Local\Temp\sre\src.exe
PID 108 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\sre\src.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe

"C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe"

C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe

"C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe"

C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe

"C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe"

C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe

"C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe'

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn src.exe /tr '"C:\Users\Admin\AppData\Local\Temp\sre\src.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp4A78.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn src.exe /tr '"C:\Users\Admin\AppData\Local\Temp\sre\src.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Local\Temp\sre\src.exe

"C:\Users\Admin\AppData\Local\Temp\sre\src.exe"

C:\Users\Admin\AppData\Local\Temp\sre\src.exe

"C:\Users\Admin\AppData\Local\Temp\sre\src.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sre\src.exe'

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 3.232.242.170:80 api.ipify.org tcp
US 8.8.8.8:53 api.ipify.org udp
US 54.91.59.199:80 api.ipify.org tcp

Files

memory/1608-54-0x0000000000190000-0x00000000002A4000-memory.dmp

memory/1608-55-0x00000000004B0000-0x00000000004CC000-memory.dmp

memory/1608-56-0x0000000005290000-0x0000000005350000-memory.dmp

memory/1608-57-0x00000000008C0000-0x00000000008CA000-memory.dmp

memory/1608-58-0x0000000005550000-0x00000000055D8000-memory.dmp

memory/1248-59-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1248-60-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1248-62-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1248-63-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1248-64-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1248-65-0x00000000004816BE-mapping.dmp

memory/1248-67-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1248-69-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1492-70-0x0000000000000000-mapping.dmp

memory/1492-71-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

memory/1048-72-0x0000000000000000-mapping.dmp

memory/1344-73-0x0000000000000000-mapping.dmp

memory/1248-74-0x0000000004CA5000-0x0000000004CB6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp4A78.tmp.bat

MD5 407ac321db76477ad8b09c6fd85a146d
SHA1 7fa6e437b1c7a7dae03d40fbfa7814f464459fdc
SHA256 8bc3b29ee6b2d533cc7ff3390787727c4155c944b18a0db8ea9bbf85d5c10c51
SHA512 88e7c71ffe4fe8cb705e9017bfb111f8783bab81faf083f42715ea158b3aae18ee45a4f01c4b393736d93a391476a8afe9eb4950dc4b71d5cef9f3e1d44c5c6c

memory/2012-76-0x0000000000000000-mapping.dmp

memory/1716-77-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\sre\src.exe

MD5 6830019535eeca9c9fb9a28349c71ab8
SHA1 d256790b9bf99acdc5fe3fe97dda339a7ff6e502
SHA256 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9
SHA512 037e965770681b5a89577b72d2ebbeac1bd6b84ca98576228676dd328bbaa80262544532355db101be29fb8a6ef88a632180323d68973057f282e94e8182589d

C:\Users\Admin\AppData\Local\Temp\sre\src.exe

MD5 6830019535eeca9c9fb9a28349c71ab8
SHA1 d256790b9bf99acdc5fe3fe97dda339a7ff6e502
SHA256 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9
SHA512 037e965770681b5a89577b72d2ebbeac1bd6b84ca98576228676dd328bbaa80262544532355db101be29fb8a6ef88a632180323d68973057f282e94e8182589d

memory/1672-80-0x0000000000000000-mapping.dmp

memory/1672-82-0x0000000001300000-0x0000000001414000-memory.dmp

memory/1492-83-0x0000000074320000-0x00000000748CB000-memory.dmp

memory/1492-84-0x0000000002490000-0x00000000030DA000-memory.dmp

memory/108-92-0x00000000004816BE-mapping.dmp

memory/1556-98-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 a4420c17d9dd2554657753384769d988
SHA1 0a7da382023d634c0828f8d27f1e914faeb608f9
SHA256 dd43dc176817b09f2a1b9cdccc063edaab6735b448e0f331f64fc01c7a76172e
SHA512 2bb48da2de645003350318e4d25b15b6b74550609e31ca5b6edfe383aadd4713e4299ea96210202501504f027062ff255390598da2bf6523a325e924c032a7fe

memory/1556-101-0x000000006EB50000-0x000000006F0FB000-memory.dmp

memory/108-102-0x0000000004BB5000-0x0000000004BC6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-26 14:01

Reported

2022-03-27 16:58

Platform

win10v2004-en-20220113

Max time kernel

142s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1752 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
PID 1752 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
PID 1752 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
PID 1752 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
PID 1752 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
PID 1752 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
PID 1752 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
PID 1752 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
PID 1752 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
PID 1752 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
PID 1752 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
PID 1752 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
PID 1752 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
PID 1752 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe
PID 4708 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4708 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4708 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4708 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe C:\Windows\SysWOW64\cmd.exe
PID 4708 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe C:\Windows\SysWOW64\cmd.exe
PID 4708 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe C:\Windows\SysWOW64\cmd.exe
PID 4708 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe C:\Windows\SysWOW64\cmd.exe
PID 4708 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe C:\Windows\SysWOW64\cmd.exe
PID 4708 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe C:\Windows\SysWOW64\cmd.exe
PID 3040 wrote to memory of 3140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3040 wrote to memory of 3140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3040 wrote to memory of 3140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3016 wrote to memory of 4588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3016 wrote to memory of 4588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3016 wrote to memory of 4588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3040 wrote to memory of 4444 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sre\src.exe
PID 3040 wrote to memory of 4444 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sre\src.exe
PID 3040 wrote to memory of 4444 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sre\src.exe
PID 4444 wrote to memory of 728 N/A C:\Users\Admin\AppData\Local\Temp\sre\src.exe C:\Users\Admin\AppData\Local\Temp\sre\src.exe
PID 4444 wrote to memory of 728 N/A C:\Users\Admin\AppData\Local\Temp\sre\src.exe C:\Users\Admin\AppData\Local\Temp\sre\src.exe
PID 4444 wrote to memory of 728 N/A C:\Users\Admin\AppData\Local\Temp\sre\src.exe C:\Users\Admin\AppData\Local\Temp\sre\src.exe
PID 4444 wrote to memory of 728 N/A C:\Users\Admin\AppData\Local\Temp\sre\src.exe C:\Users\Admin\AppData\Local\Temp\sre\src.exe
PID 4444 wrote to memory of 728 N/A C:\Users\Admin\AppData\Local\Temp\sre\src.exe C:\Users\Admin\AppData\Local\Temp\sre\src.exe
PID 4444 wrote to memory of 728 N/A C:\Users\Admin\AppData\Local\Temp\sre\src.exe C:\Users\Admin\AppData\Local\Temp\sre\src.exe
PID 4444 wrote to memory of 728 N/A C:\Users\Admin\AppData\Local\Temp\sre\src.exe C:\Users\Admin\AppData\Local\Temp\sre\src.exe
PID 4444 wrote to memory of 728 N/A C:\Users\Admin\AppData\Local\Temp\sre\src.exe C:\Users\Admin\AppData\Local\Temp\sre\src.exe
PID 728 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\sre\src.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 728 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\sre\src.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 728 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\sre\src.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\sre\src.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe

"C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe"

C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe

"C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe"

C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe

"C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe"

C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe

"C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe'

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn src.exe /tr '"C:\Users\Admin\AppData\Local\Temp\sre\src.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6980.tmp.bat""

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn src.exe /tr '"C:\Users\Admin\AppData\Local\Temp\sre\src.exe"'

C:\Users\Admin\AppData\Local\Temp\sre\src.exe

"C:\Users\Admin\AppData\Local\Temp\sre\src.exe"

C:\Users\Admin\AppData\Local\Temp\sre\src.exe

"C:\Users\Admin\AppData\Local\Temp\sre\src.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sre\src.exe'

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
US 93.184.220.29:80 tcp
NL 8.248.5.254:80 tcp
NL 8.248.5.254:80 tcp
US 20.189.173.1:443 tcp
US 8.8.8.8:53 api.ipify.org udp
US 3.232.242.170:80 api.ipify.org tcp
US 8.8.8.8:53 api.ipify.org udp
US 54.91.59.199:80 api.ipify.org tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9.exe.log

MD5 17573558c4e714f606f997e5157afaac
SHA1 13e16e9415ceef429aaf124139671ebeca09ed23
SHA256 c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553
SHA512 f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc

C:\Users\Admin\AppData\Local\Temp\tmp6980.tmp.bat

MD5 38451202f50b7cf1d4678a9966f9d448
SHA1 b8a53b523393abd825a4231ed37d08cf38c32bbc
SHA256 d9124ded590b01abae8712e15ef4d54285f669bd2c67e400a3a2912be130ba2c
SHA512 ca588804845288fa6af398448bb135c3a1ee08d99ac5fdeb39e1321183cc12e49bbb3b4692acd16cc6a7ca43ef3e42fc7d33d0699d4a7ee317ba8dbb41a83eb8

C:\Users\Admin\AppData\Local\Temp\sre\src.exe

MD5 6830019535eeca9c9fb9a28349c71ab8
SHA1 d256790b9bf99acdc5fe3fe97dda339a7ff6e502
SHA256 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9
SHA512 037e965770681b5a89577b72d2ebbeac1bd6b84ca98576228676dd328bbaa80262544532355db101be29fb8a6ef88a632180323d68973057f282e94e8182589d

C:\Users\Admin\AppData\Local\Temp\sre\src.exe

MD5 6830019535eeca9c9fb9a28349c71ab8
SHA1 d256790b9bf99acdc5fe3fe97dda339a7ff6e502
SHA256 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9
SHA512 037e965770681b5a89577b72d2ebbeac1bd6b84ca98576228676dd328bbaa80262544532355db101be29fb8a6ef88a632180323d68973057f282e94e8182589d

C:\Users\Admin\AppData\Local\Temp\sre\src.exe

MD5 6830019535eeca9c9fb9a28349c71ab8
SHA1 d256790b9bf99acdc5fe3fe97dda339a7ff6e502
SHA256 56057644240d78cbf74272e6ff8964e501cc76d7e4d803e0749f0f02bc538af9
SHA512 037e965770681b5a89577b72d2ebbeac1bd6b84ca98576228676dd328bbaa80262544532355db101be29fb8a6ef88a632180323d68973057f282e94e8182589d

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\src.exe.log

MD5 17573558c4e714f606f997e5157afaac
SHA1 13e16e9415ceef429aaf124139671ebeca09ed23
SHA256 c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553
SHA512 f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d32cdaea3f61bc05ebb8e8a2bb4482f8
SHA1 4c51cb7429e4edd073aa1148535b44eaa4a82b31
SHA256 eea8db918dafa24b6312b67fd38c321dfd7bc9dd70aa2a91012480e463e6abae
SHA512 597f37391f25a97d6679743bb4574973095a713485cd80cb64b02d485d0f579cbf3bf756247b6d54ce3aa1712978827a148c09573a81e679d6da78dacbd21638
