Analysis Overview
SHA256
4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019
Threat Level: Known bad
The file 4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019 was found to be: Known bad.
Malicious Activity Summary
MassLogger
MassLogger Main Payload
Checks computer location settings
Drops startup file
Reads user/profile data of web browsers
Deletes itself
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
outlook_win_path
outlook_office_path
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-04-15 00:44
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-04-15 00:44
Reported
2022-04-15 01:02
Platform
win7-20220414-en
Max time kernel
50s
Max time network
45s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wewewewe.vbs | C:\Windows\SysWOW64\notepad.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1976 set thread context of 1480 | N/A | C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe | C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe | N/A |
Processes
| Executable | Command line |
| C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe | "C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe" |
| C:\Windows\SysWOW64\notepad.exe | "C:\Windows\system32\notepad.exe" |
| C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe | "C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe' |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe' |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 54.91.59.199:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | mail.paminakids.com | udp |
| TR | 77.245.159.43:587 | mail.paminakids.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 6b849f60c7631eccf8743c0a14d29826 |
| SHA1 | 53c115af503df7872171fab9b4920dc383a7f8aa |
| SHA256 | 482cd905e40d4642c6078242c376cfa0448471999208e78e98764126c738846d |
| SHA512 | 23674dbf93aadb9cd3cfd0d5a8dadbb67974ca088ee9ba8c2cacbfdfbf73d7ffdf552f41e7e489c2b81c42da9d57fa08434317a486ff58ffd1a28520cdda529d |
Analysis: behavioral2
Detonation Overview
Submitted
2022-04-15 00:44
Reported
2022-04-15 01:01
Platform
win10v2004-20220414-en
Max time kernel
52s
Max time network
72s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wewewewe.vbs | C:\Windows\SysWOW64\notepad.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2036 set thread context of 4388 | N/A | C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe | C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Executable | Command line |
| C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe | "C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe" |
| C:\Windows\SysWOW64\notepad.exe | "C:\Windows\system32\notepad.exe" |
| C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe | "C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\4b835db3e98b6d97d16c9d3929b770108e7ca059293fb29b11eff5958ef3a019.exe' |
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | | tcp |
| NL | 104.110.191.133:80 | | tcp |
| NL | 104.110.191.133:80 | | tcp |
| US | 20.189.173.15:443 | | tcp |
| NL | 104.110.191.133:80 | | tcp |
| NL | 104.110.191.133:80 | | tcp |
| NL | 104.110.191.133:80 | | tcp |
Files