Malware Analysis Report

2025-01-18 04:59

Sample ID: 220330-clvrgaeef7
Target: 331bbdf8a4653e6bbdb2011a6b89099e2148a15fe44221d9852f7117b8105a51
SHA256: 331bbdf8a4653e6bbdb2011a6b89099e2148a15fe44221d9852f7117b8105a51
Tags: masslogger collection spyware stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 331bbdf8a4653e6bbdb2011a6b89099e2148a15fe44221d9852f7117b8105a51

Threat Level: Known bad

The file 331bbdf8a4653e6bbdb2011a6b89099e2148a15fe44221d9852f7117b8105a51 was found to be: Known bad.

Malicious Activity Summary

masslogger collection spyware stealer

MassLogger Main Payload

MassLogger

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Enumerates physical storage devices

outlook_office_path

outlook_win_path

Creates scheduled task(s)

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-03-30 02:10

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-03-30 02:10

Reported: 2022-04-01 08:37

Platform: win7-20220331-en

Max time kernel: 98s

Max time network: 162s

Command Line

"C:\Users\Admin\AppData\Local\Temp\331bbdf8a4653e6bbdb2011a6b89099e2148a15fe44221d9852f7117b8105a51.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\331bbdf8a4653e6bbdb2011a6b89099e2148a15fe44221d9852f7117b8105a51.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\331bbdf8a4653e6bbdb2011a6b89099e2148a15fe44221d9852f7117b8105a51.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1740 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\331bbdf8a4653e6bbdb2011a6b89099e2148a15fe44221d9852f7117b8105a51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\331bbdf8a4653e6bbdb2011a6b89099e2148a15fe44221d9852f7117b8105a51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\331bbdf8a4653e6bbdb2011a6b89099e2148a15fe44221d9852f7117b8105a51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\331bbdf8a4653e6bbdb2011a6b89099e2148a15fe44221d9852f7117b8105a51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\331bbdf8a4653e6bbdb2011a6b89099e2148a15fe44221d9852f7117b8105a51.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\331bbdf8a4653e6bbdb2011a6b89099e2148a15fe44221d9852f7117b8105a51.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\331bbdf8a4653e6bbdb2011a6b89099e2148a15fe44221d9852f7117b8105a51.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\331bbdf8a4653e6bbdb2011a6b89099e2148a15fe44221d9852f7117b8105a51.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\331bbdf8a4653e6bbdb2011a6b89099e2148a15fe44221d9852f7117b8105a51.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\331bbdf8a4653e6bbdb2011a6b89099e2148a15fe44221d9852f7117b8105a51.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\331bbdf8a4653e6bbdb2011a6b89099e2148a15fe44221d9852f7117b8105a51.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\331bbdf8a4653e6bbdb2011a6b89099e2148a15fe44221d9852f7117b8105a51.exe C:\Windows\SysWOW64\cmd.exe
PID 792 wrote to memory of 1364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 792 wrote to memory of 1364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 792 wrote to memory of 1364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 792 wrote to memory of 1364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1260 wrote to memory of 1896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1260 wrote to memory of 1896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1260 wrote to memory of 1896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1260 wrote to memory of 1896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1260 wrote to memory of 1404 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe
PID 1260 wrote to memory of 1404 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe
PID 1260 wrote to memory of 1404 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe
PID 1260 wrote to memory of 1404 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe
PID 1404 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1404 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1404 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1404 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\331bbdf8a4653e6bbdb2011a6b89099e2148a15fe44221d9852f7117b8105a51.exe

"C:\Users\Admin\AppData\Local\Temp\331bbdf8a4653e6bbdb2011a6b89099e2148a15fe44221d9852f7117b8105a51.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\331bbdf8a4653e6bbdb2011a6b89099e2148a15fe44221d9852f7117b8105a51.exe'

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn nslookup.exe /tr '"C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpD1E0.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn nslookup.exe /tr '"C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe

"C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe'

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 52.20.78.240:80 api.ipify.org tcp
US 8.8.8.8:53 api.ipify.org udp
US 3.220.57.224:80 api.ipify.org tcp

Files

memory/1740-54-0x00000000013E0000-0x00000000014B4000-memory.dmp

memory/1740-55-0x0000000000540000-0x00000000005A6000-memory.dmp

memory/1740-56-0x0000000006090000-0x0000000006116000-memory.dmp

memory/1856-57-0x0000000000000000-mapping.dmp

memory/1856-58-0x0000000075B01000-0x0000000075B03000-memory.dmp

memory/792-59-0x0000000000000000-mapping.dmp

memory/1260-60-0x0000000000000000-mapping.dmp

memory/1364-61-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpD1E0.tmp.bat

MD5 09671ede91bbecce2fbe8b1773f508ea
SHA1 a661aec7c55dd9824bf6f6697a7dd0a9024c79f4
SHA256 3c03d7e345dbe08eeedc1409c2c9612c03e2092ac2e4d88e0a8f8e0fcf166ecc
SHA512 97de6d157a301d656f95b1c516e31112691cadde20f240a581a5b9874a67af3931443a766d7013860946f009d86cc0d650d31b22c32c7cecd8ae092bf326fe8d

memory/1740-63-0x0000000004EF5000-0x0000000004F06000-memory.dmp

memory/1896-64-0x0000000000000000-mapping.dmp

memory/1856-65-0x000000006F160000-0x000000006F70B000-memory.dmp

\Users\Admin\AppData\Roaming\mscasey\nslookup.exe

MD5 a53df39071210ff353e46de71eb36dc6
SHA1 3988e9828dffc4a2353bd8cfbabb161d0a896ac3
SHA256 331bbdf8a4653e6bbdb2011a6b89099e2148a15fe44221d9852f7117b8105a51
SHA512 c82f198639e26a7efa1e2d7a95d865a95bbc74f6df621f3944a07b511107cbec24616ffa763b525ea0eec466f51a42b2923d2f52a18e8d40412a6d46b76d680c

C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe

MD5 a53df39071210ff353e46de71eb36dc6
SHA1 3988e9828dffc4a2353bd8cfbabb161d0a896ac3
SHA256 331bbdf8a4653e6bbdb2011a6b89099e2148a15fe44221d9852f7117b8105a51
SHA512 c82f198639e26a7efa1e2d7a95d865a95bbc74f6df621f3944a07b511107cbec24616ffa763b525ea0eec466f51a42b2923d2f52a18e8d40412a6d46b76d680c

memory/1404-68-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe

MD5 a53df39071210ff353e46de71eb36dc6
SHA1 3988e9828dffc4a2353bd8cfbabb161d0a896ac3
SHA256 331bbdf8a4653e6bbdb2011a6b89099e2148a15fe44221d9852f7117b8105a51
SHA512 c82f198639e26a7efa1e2d7a95d865a95bbc74f6df621f3944a07b511107cbec24616ffa763b525ea0eec466f51a42b2923d2f52a18e8d40412a6d46b76d680c

memory/1404-70-0x00000000003D0000-0x00000000004A4000-memory.dmp

memory/1472-71-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 7fa5bce1d97448d218fc93b60ca6b60c
SHA1 5dad94ebffb228328669fb945b5e82eaaa979ec3
SHA256 9a14e12c374bdd04f1930d174aa2f97605cd34e6f23ef135cf9cd202d6a6ba9e
SHA512 ac43fe22d5274e9c9daf6fea3fb16c3f290f74aeb8a170338aa75296ff15a7e2a156d9dcb6c9ff06f29e5cd0a0058649798f4dddedf4cf7fbde108d676b26cf3

memory/1404-74-0x0000000004DF5000-0x0000000004E06000-memory.dmp

memory/1472-75-0x000000006ED20000-0x000000006F2CB000-memory.dmp

memory/1472-76-0x00000000025A0000-0x00000000031EA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-03-30 02:10

Reported: 2022-04-01 08:37

Platform: win10v2004-20220331-en

Max time kernel: 66s

Max time network: 133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\331bbdf8a4653e6bbdb2011a6b89099e2148a15fe44221d9852f7117b8105a51.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\331bbdf8a4653e6bbdb2011a6b89099e2148a15fe44221d9852f7117b8105a51.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\331bbdf8a4653e6bbdb2011a6b89099e2148a15fe44221d9852f7117b8105a51.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\331bbdf8a4653e6bbdb2011a6b89099e2148a15fe44221d9852f7117b8105a51.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4332 wrote to memory of 4780 | N/A | C:\Users\Admin\AppData\Local\Temp\331bbdf8a4653e6bbdb2011a6b89099e2148a15fe44221d9852f7117b8105a51.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4332 wrote to memory of 3188 | N/A | C:\Users\Admin\AppData\Local\Temp\331bbdf8a4653e6bbdb2011a6b89099e2148a15fe44221d9852f7117b8105a51.exe | C:\Windows\SysWOW64\cmd.exe
PID 4332 wrote to memory of 4856 | N/A | C:\Users\Admin\AppData\Local\Temp\331bbdf8a4653e6bbdb2011a6b89099e2148a15fe44221d9852f7117b8105a51.exe | C:\Windows\SysWOW64\cmd.exe
PID 4856 wrote to memory of 4048 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 3188 wrote to memory of 4076 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4856 wrote to memory of 4600 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe
PID 4600 wrote to memory of 4152 | N/A | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

outlook_office_path

Description | Indicator | Process | Target
Key queried | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key queried | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\331bbdf8a4653e6bbdb2011a6b89099e2148a15fe44221d9852f7117b8105a51.exe

"C:\Users\Admin\AppData\Local\Temp\331bbdf8a4653e6bbdb2011a6b89099e2148a15fe44221d9852f7117b8105a51.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\331bbdf8a4653e6bbdb2011a6b89099e2148a15fe44221d9852f7117b8105a51.exe'

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn nslookup.exe /tr '"C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1CDE.tmp.bat""

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn nslookup.exe /tr '"C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe"'

C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe

"C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe'

Network

Country | Destination | Domain | Proto
FI | 62.115.252.112:80 | | tcp
US | 20.189.173.11:443 | | tcp
US | 8.8.8.8:53 | api.ipify.org | udp
US | 52.20.78.240:80 | api.ipify.org | tcp
SE | 178.79.212.129:80 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp1CDE.tmp.bat

MD5 46f5ec22e554b087ec71f2b88eb03096
SHA1 88dd07f136c6d4270f07d0675c75cacf4f3e281c
SHA256 5a56925aeda43b232d1629cc27d49f6b2a69c1f7ce4331233ef6cca89f1574aa
SHA512 5e9de1ad013ff898749d68d2a556ef9712f99737ed321cee120c9371eef4a5830efe4991e71d2c39fdf1c7f0d49c2b782e3e81ac1fed46ed61da5f2df9e2bc51

C:\Users\Admin\AppData\Roaming\mscasey\nslookup.exe

MD5 a53df39071210ff353e46de71eb36dc6
SHA1 3988e9828dffc4a2353bd8cfbabb161d0a896ac3
SHA256 331bbdf8a4653e6bbdb2011a6b89099e2148a15fe44221d9852f7117b8105a51
SHA512 c82f198639e26a7efa1e2d7a95d865a95bbc74f6df621f3944a07b511107cbec24616ffa763b525ea0eec466f51a42b2923d2f52a18e8d40412a6d46b76d680c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b23683240d23789d77e84064876c0f41
SHA1 9a4df5d436c02fae455ed63b821d49f2c296d0af
SHA256 40021eda3181be20eb82ea9af4e4c4dc5413f56b0e9aa8c312626dd9e6043ee7
SHA512 d17c5820bf4fbf3146ce350541e7f5c2188deef36eabd8ed15bfb67af38936d2e9fa80aac19b7d14036b1f5a1994d4d70a4c6489d331b90a369fee338e5fd543
