Analysis Overview
SHA256
fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4
Threat Level: Known bad
The file fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4 was found to be: Known bad.
Malicious Activity Summary
MassLogger Main Payload
MassLogger
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Delays execution with timeout.exe
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
NTFS ADS
Suspicious behavior: AddClipboardFormatListener
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-04-15 00:47
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-04-15 00:47
Reported
2022-04-15 01:06
Platform
win7-20220414-en
Max time kernel
44s
Max time network
117s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1260 set thread context of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe
"C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe"
C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe
"C:/Users/Admin/AppData/Local/Temp/fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe" "%temp%\FolderN\name.exe" /Y
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.bat
C:\Windows\SysWOW64\timeout.exe
timeout /t 300
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe'
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 3.232.242.170:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | bh-58.webhostbox.net | udp |
| US | 199.79.63.24:587 | bh-58.webhostbox.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe
| MD5 | 366e3c080ecfdf6882c6a40ed7ce2667 |
| SHA1 | 54acfcce862f6a8313692623f3b6d4020b671edf |
| SHA256 | fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4 |
| SHA512 | e4f0574b200facfe486484b1783096869ce52005659fcbd2557d9e830753597d320155baf4e5fa053a0da0f0aeba45220e6ff7e5d31c35ae9d5831cc5a0076b2 |
\Users\Admin\AppData\Local\Temp\FolderN\name.exe
| MD5 | 366e3c080ecfdf6882c6a40ed7ce2667 |
| SHA1 | 54acfcce862f6a8313692623f3b6d4020b671edf |
| SHA256 | fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4 |
| SHA512 | e4f0574b200facfe486484b1783096869ce52005659fcbd2557d9e830753597d320155baf4e5fa053a0da0f0aeba45220e6ff7e5d31c35ae9d5831cc5a0076b2 |
memory/676-71-0x0000000000000000-mapping.dmp
memory/888-72-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.bat
| MD5 | bfcbf382f036462e63f307ca4ae280c7 |
| SHA1 | ffe98d15fa5ea205220d6bc105e317253a6ea003 |
| SHA256 | 2c3dd84c3ce3e529117e611d8caf4fc7f5a902840350f4ca524c251a2152c727 |
| SHA512 | 1b912652cc989541b396df5fd6bf207a4cf4ed891dc6e3223b8d0497c19a2589cb644c4c96ca01d882a7643f240c566966d84e46d77e9ad33e05214f8f553d16 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-04-15 00:47
Reported
2022-04-15 01:05
Platform
win10v2004-20220414-en
Max time kernel
106s
Max time network
130s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1484 set thread context of 940 | N/A | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe
"C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe"
C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe
"C:/Users/Admin/AppData/Local/Temp/fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe" "%temp%\FolderN\name.exe" /Y
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.bat
C:\Windows\SysWOW64\timeout.exe
timeout /t 300
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4.exe'
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 54.91.59.199:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | bh-58.webhostbox.net | udp |
| US | 199.79.63.24:587 | bh-58.webhostbox.net | tcp |
| NL | 104.97.14.81:80 | | tcp |
| NL | 104.110.191.133:80 | | tcp |
| US | 52.168.117.170:443 | | tcp |
| US | 204.79.197.203:80 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe
| MD5 | 366e3c080ecfdf6882c6a40ed7ce2667 |
| SHA1 | 54acfcce862f6a8313692623f3b6d4020b671edf |
| SHA256 | fc10ffaccc0a45c6c884dccd218af7afe3fefcccd8973f5aa50b23fba05d3ca4 |
| SHA512 | e4f0574b200facfe486484b1783096869ce52005659fcbd2557d9e830753597d320155baf4e5fa053a0da0f0aeba45220e6ff7e5d31c35ae9d5831cc5a0076b2 |
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.bat
| MD5 | bfcbf382f036462e63f307ca4ae280c7 |
| SHA1 | ffe98d15fa5ea205220d6bc105e317253a6ea003 |
| SHA256 | 2c3dd84c3ce3e529117e611d8caf4fc7f5a902840350f4ca524c251a2152c727 |
| SHA512 | 1b912652cc989541b396df5fd6bf207a4cf4ed891dc6e3223b8d0497c19a2589cb644c4c96ca01d882a7643f240c566966d84e46d77e9ad33e05214f8f553d16 |