Malware Analysis Report

2025-01-18 04:56

Sample ID 220414-qt6etseba3
Target 91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10
SHA256 91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10
Tags
masslogger collection spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10

Threat Level: Known bad

The file 91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10 was found to be: Known bad.

Malicious Activity Summary

masslogger collection spyware stealer

MassLogger Main Payload

MassLogger

Reads user/profile data of web browsers

Checks computer location settings

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

outlook_office_path

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

outlook_win_path

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-04-14 13:34

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-04-14 13:34

Reported

2022-04-14 15:01

Platform

win7-20220331-en

Max time kernel

144s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A (6 matches, no indicator details reported)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe N/A
Key created \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe N/A
Key created \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe N/A
Key created \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe N/A
Key created \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe N/A
Key created \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe N/A
Key created \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe N/A
Key created \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe N/A
Key created \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe N/A
Key created \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe N/A
Key created \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe N/A
Key created \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe N/A
Key created \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe N/A
Key created \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe N/A
Key created \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege (2 events) N/A C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1460 wrote to memory of 1384 (9 writes) N/A C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe

"C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe"

C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe

"C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 3.232.242.170:80 api.ipify.org tcp

Files

memory/1460-54-0x0000000000E00000-0x0000000000E9E000-memory.dmp

memory/1460-55-0x0000000006DE0000-0x0000000006F9E000-memory.dmp

memory/1460-56-0x0000000000B80000-0x0000000000C1A000-memory.dmp

memory/1460-57-0x0000000000490000-0x00000000004AC000-memory.dmp

memory/1384-58-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1384-59-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1384-61-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1384-62-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1384-63-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1384-64-0x0000000000481A3E-mapping.dmp

memory/1384-66-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1384-68-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1384-69-0x0000000004E25000-0x0000000004E36000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-04-14 13:34

Reported

2022-04-14 15:01

Platform

win10v2004-20220331-en

Max time kernel

154s

Max time network

174s

Command Line

"C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege (2 events) N/A C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2024 wrote to memory of 3996 (8 writes) N/A C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe

Processes

C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe

"C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe"

C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe

"C:\Users\Admin\AppData\Local\Temp\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe"

Network

Country Destination Domain Proto
US 93.184.220.29:80 N/A tcp
US 20.189.173.2:443 N/A tcp
US 93.184.220.29:80 N/A tcp
FI 62.115.252.81:80 N/A tcp
FI 62.115.252.81:80 N/A tcp
FI 62.115.252.81:80 N/A tcp
US 131.253.33.203:80 N/A tcp
US 93.184.221.240:36320 ctldl.windowsupdate.com tcp
US 93.184.221.240:2837 ctldl.windowsupdate.com tcp
US 93.184.221.240:12535 ctldl.windowsupdate.com tcp
US 93.184.221.240:31363 ctldl.windowsupdate.com tcp
US 93.184.221.240:57096 ctldl.windowsupdate.com tcp
US 93.184.221.240:23437 ctldl.windowsupdate.com tcp
US 93.184.221.240:323 ctldl.windowsupdate.com tcp
US 93.184.221.240:28224 ctldl.windowsupdate.com tcp
US 93.184.221.240:3058 ctldl.windowsupdate.com tcp
US 93.184.221.240:49907 ctldl.windowsupdate.com tcp
US 93.184.221.240:62765 ctldl.windowsupdate.com tcp
US 93.184.221.240:42779 ctldl.windowsupdate.com tcp
US 93.184.221.240:55227 ctldl.windowsupdate.com tcp
US 93.184.221.240:38720 ctldl.windowsupdate.com tcp
US 93.184.221.240:8858 ctldl.windowsupdate.com tcp
US 93.184.221.240:8010 ctldl.windowsupdate.com tcp
US 93.184.221.240:63320 ctldl.windowsupdate.com tcp
US 93.184.221.240:5603 ctldl.windowsupdate.com tcp
US 93.184.221.240:31193 ctldl.windowsupdate.com tcp
US 93.184.221.240:14498 ctldl.windowsupdate.com tcp
US 93.184.221.240:64316 ctldl.windowsupdate.com tcp
US 93.184.221.240:8788 ctldl.windowsupdate.com tcp
US 93.184.221.240:21583 ctldl.windowsupdate.com tcp
US 93.184.221.240:63703 ctldl.windowsupdate.com tcp
US 93.184.221.240:43877 ctldl.windowsupdate.com tcp
US 93.184.221.240:8925 ctldl.windowsupdate.com tcp
US 93.184.221.240:21694 ctldl.windowsupdate.com tcp
US 93.184.221.240:16630 ctldl.windowsupdate.com tcp
US 93.184.221.240:48595 ctldl.windowsupdate.com tcp
US 93.184.221.240:35580 ctldl.windowsupdate.com tcp
US 93.184.221.240:15130 ctldl.windowsupdate.com tcp
US 93.184.221.240:30403 ctldl.windowsupdate.com tcp
US 93.184.221.240:29763 ctldl.windowsupdate.com tcp
US 93.184.221.240:32247 ctldl.windowsupdate.com tcp
US 93.184.221.240:12798 ctldl.windowsupdate.com tcp
US 93.184.221.240:64692 ctldl.windowsupdate.com tcp
US 93.184.221.240:52726 ctldl.windowsupdate.com tcp
US 93.184.221.240:167 ctldl.windowsupdate.com tcp
US 93.184.221.240:25365 ctldl.windowsupdate.com tcp
US 93.184.221.240:39168 ctldl.windowsupdate.com tcp
US 93.184.221.240:36696 ctldl.windowsupdate.com tcp

Files

memory/2024-124-0x0000000000220000-0x00000000002BE000-memory.dmp

memory/2024-125-0x00000000099F0000-0x0000000009F94000-memory.dmp

memory/2024-126-0x0000000004E00000-0x0000000004E92000-memory.dmp

memory/2024-127-0x00000000007F0000-0x00000000007FA000-memory.dmp

memory/2024-128-0x00000000057D0000-0x0000000005846000-memory.dmp

memory/2024-129-0x0000000000C90000-0x0000000000CAE000-memory.dmp

memory/3996-130-0x0000000000000000-mapping.dmp

memory/3996-131-0x0000000000400000-0x0000000000486000-memory.dmp
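The behaviours the two detonations report (a parent that writes repeatedly into a child running the same image, the SetThreadContext signature in the summary, the Outlook profile keys queried and created under Office 15.0 through 20.0 and the Windows Messaging Subsystem, the api.ipify.org lookup, and the 1384 mapping dump at 0x481A3E sitting inside the 0x400000-0x486000 region) can be triaged mechanically. The Python below is an added example, not the sandbox's or the report's own code. Its input rows are constructed copies of a subset of the behavioral1 rows plus the 3996 mapping line from behavioral2, the IP-lookup domain list holds only the service this report saw, and the process-to-image map is taken from the Processes tables.

```python
"""Added example (not the sandbox's own code): triage checks over rows shaped
like this report. All inputs below are constructed from the report's tables."""
import json
import re
from collections import Counter

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\91f31c820c62ae0a81cdc3951afc9087d458928e85124649655a11c9a1453a10.exe")
USER = r"\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000"

# Constructed from behavioral1: parent and child run the same image.
PROCESSES = {1460: SAMPLE, 1384: SAMPLE}
SIGNATURES = {"Suspicious use of SetThreadContext",
              "Suspicious use of WriteProcessMemory"}
WPM_ROWS = ["PID 1460 wrote to memory of 1384"] * 9
REG_ROWS = [
    ("Key value queried", USER + r"\Control Panel\International\Geo\Nation"),
    ("Key queried", USER + r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"),
    ("Key created", USER + r"\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook"),
    ("Key created", USER + r"\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook"
                    r"\9375CFF0413111d3B88A00104B2A6676"),
    ("Key queried", USER + r"\Software\Microsoft\Windows NT\CurrentVersion"
                   r"\Windows Messaging Subsystem\Profiles\Outlook"),
]
NET_ROWS = [("US", "8.8.8.8:53", "api.ipify.org", "udp"),
            ("US", "3.232.242.170:80", "api.ipify.org", "tcp"),
            ("US", "93.184.221.240:36320", "ctldl.windowsupdate.com", "tcp")]
DUMPS = ["memory/1460-54-0x0000000000E00000-0x0000000000E9E000-memory.dmp",
         "memory/1384-58-0x0000000000400000-0x0000000000486000-memory.dmp",
         "memory/1384-64-0x0000000000481A3E-mapping.dmp",
         "memory/3996-130-0x0000000000000000-mapping.dmp"]

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
OUTLOOK_RE = re.compile(
    r"\\Software\\Microsoft\\(?:Office\\(\d+\.\d+)\\Outlook|"
    r"Windows NT\\CurrentVersion\\Windows Messaging Subsystem)\\Profiles\\", re.I)
GEO_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
DUMP_RE = re.compile(
    r"memory/(\d+)-\d+-0x([0-9a-f]+)(?:-0x([0-9a-f]+))?-(memory|mapping)\.dmp", re.I)
IP_LOOKUP_DOMAINS = {"api.ipify.org"}  # only the service seen in this report


def hollowing_candidates(wpm_rows, processes, signatures):
    """A parent writing into a child that runs the *same* image is the
    self-hollowing pattern; flag whether SetThreadContext was also reported."""
    writes = Counter()
    for row in wpm_rows:
        m = WPM_RE.search(row)
        if m:
            writes[(int(m[1]), int(m[2]))] += 1
    return [{"parent": p, "child": c, "writes": n,
             "thread_hijack": "Suspicious use of SetThreadContext" in signatures}
            for (p, c), n in writes.items()
            if p != c and processes.get(p) is not None
            and processes.get(p) == processes.get(c)]


def registry_findings(reg_rows):
    """Outlook profile keys (MAPI credential store) and the Geo\\Nation locale
    value; created profile keys are side effects cleanup should know about."""
    out = {"geo_nation": False, "office_versions": set(),
           "outlook_created": 0, "outlook_read": 0}
    for op, key in reg_rows:
        if GEO_RE.search(key):
            out["geo_nation"] = True
        m = OUTLOOK_RE.search(key)
        if m:
            if m[1]:
                out["office_versions"].add(m[1])
            out["outlook_created" if op == "Key created" else "outlook_read"] += 1
    out["office_versions"] = sorted(out["office_versions"])
    return out


def external_ip_lookups(net_rows):
    return sorted({dom for _, _, dom, _ in net_rows if dom in IP_LOOKUP_DOMAINS})


def mapping_in_written_region(dumps):
    """Does each mapping.dmp address (where the child's thread was pointed)
    fall inside a dumped region of the same PID?  Address 0 never will."""
    regions, mappings = {}, []
    for d in dumps:
        m = DUMP_RE.match(d)
        if not m:
            continue
        pid, start = int(m[1]), int(m[2], 16)
        if m[4] == "mapping":
            mappings.append((pid, start))
        else:
            regions.setdefault(pid, []).append((start, int(m[3], 16)))
    return [{"pid": pid, "address": addr,
             "region": next(((s, e) for s, e in regions.get(pid, [])
                             if s <= addr < e), None)}
            for pid, addr in mappings]


def triage():
    return {"hollowing": hollowing_candidates(WPM_ROWS, PROCESSES, SIGNATURES),
            "registry": registry_findings(REG_ROWS),
            "ip_lookup": external_ip_lookups(NET_ROWS),
            "mappings": mapping_in_written_region(DUMPS)}


if __name__ == "__main__":
    print(json.dumps(triage(), indent=2))
```

Run it and the hollowing entry for 1460 -> 1384 carries nine writes with the thread hijack flag set, the 1384 mapping address resolves to the 0x400000-0x486000 region, and the 3996 mapping at address 0 resolves to nothing, which is the behavioral2 gap a reviewer should go back and look at manually. ctldl.windowsupdate.com is deliberately not in the lookup list: it is the Windows certificate-trust-list download endpoint and the many connections to it in behavioral2 are background OS traffic, not something to attribute to the sample.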