Malware Analysis Report

2025-01-18 04:56

Sample ID 220415-pkyg7acab9
Target 868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0
SHA256 868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0
Tags
persistence masslogger collection spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0

Threat Level: Known bad

The file 868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0 was found to be: Known bad.

Malicious Activity Summary

persistence masslogger collection spyware stealer

MassLogger

MassLogger Main Payload

Checks computer location settings

Reads user/profile data of web browsers

Adds Run key to start application

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_win_path

outlook_office_path

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-04-15 12:23

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-04-15 12:23

Reported

2022-04-15 12:27

Platform

win7-20220414-en

Max time kernel

55s

Max time network

46s

Command Line

"C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe"

Signatures

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\vlc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\VideoLAN\\vlc.exe\""
Process: C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
Target: N/A

Note: the value is named after VLC but points at an executable under the user's Start Menu\Programs folder, a user-writable location that normally holds only .lnk shortcuts; VideoLAN's real install lives under Program Files. Writing HKCU\...\Run needs no elevation, so the entry survives reboot as the logged-on user. The Files section of this run lists only memory dumps and no write to that path, so confirm the copy was actually dropped before treating the entry as live persistence.
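The Run value in the row above is the only persistence artefact in this report. The following Python is an added example, not part of the sandbox output: it parses a "Set value" indicator line in the format printed here and scores the resulting autostart entry the way an analyst would, flagging an image under a user-writable directory, an .exe planted in Start Menu\Programs (which normally holds only shortcuts), and a value name borrowed from a well-known product whose real install lives under Program Files. The indicator grammar, the directory lists and the product-name list are assumptions; the OneDrive line is a constructed benign control.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed test input. The first line is the 'Set value' row from the
# behavioral1 signature above, as the sandbox prints it (value data quoted
# with doubled backslashes); the second is a benign OneDrive entry written
# here as a control and not taken from the report.
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\vlc = '
    r'"\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\VideoLAN\\vlc.exe\""',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = '
    r'"\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"',
]

# Indicator format as shown on this page: 'Set value (<type>) <key>\<name> = "<data>"'.
RUN_VALUE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) '
    r'\\REGISTRY\\USER\\(?P<sid>S-1-5-21-[\d-]+)\\'
    r'Software\\Microsoft\\Windows\\CurrentVersion\\(?P<key>RunOnce|Run)\\'
    r'(?P<name>.+?) = "(?P<data>.*)"$',
    re.IGNORECASE,
)

# Assumed policy lists (not from the report): directories an unprivileged user can
# write to, roots where installed software legitimately lives, and product names
# that stealers commonly borrow for their autostart value.
USER_WRITABLE = ('\\appdata\\', '\\temp\\', '\\programdata\\', '\\users\\public\\', '\\downloads\\')
TRUSTED_ROOTS = ('c:\\program files\\', 'c:\\program files (x86)\\', 'c:\\windows\\')
BORROWED_NAMES = {'vlc', 'onedrive', 'chrome', 'java', 'adobe', 'skype', 'teams', 'discord'}


@dataclass
class RunEntry:
    sid: str
    key: str       # Run or RunOnce
    name: str      # value name, e.g. 'vlc'
    command: str   # value data with the sandbox's escaping undone
    image: str     # executable path taken from the command


def parse_run_value_event(line: str) -> Optional[RunEntry]:
    """Parse one 'Set value' indicator line under HKCU Run/RunOnce; None for any other event."""
    m = RUN_VALUE_RE.match(line.strip())
    if not m:
        return None
    # The sandbox escapes the value data: \" for a quote and \\ for a backslash.
    data = m.group('data').replace('\\"', '"').replace('\\\\', '\\')
    if data.startswith('"'):
        image = data[1:].split('"', 1)[0]     # quoted path, then optional arguments
    else:
        image = data.split(' ', 1)[0]          # unquoted path ends at the first space
    return RunEntry(m.group('sid'), m.group('key'), m.group('name'), data, image)


def assess_run_entry(entry: RunEntry) -> List[str]:
    """Return the reasons this autostart entry deserves a closer look (empty if none)."""
    img = entry.image.lower()
    findings = []
    if any(seg in img for seg in USER_WRITABLE):
        findings.append('image lives under a user-writable directory')
    if not img.startswith(TRUSTED_ROOTS):
        findings.append('image is outside Program Files / Windows')
    if '\\start menu\\programs\\' in img and img.endswith('.exe'):
        findings.append('an .exe sits in Start Menu\\Programs, which normally holds only .lnk shortcuts')
    if entry.name.lower() in BORROWED_NAMES and not img.startswith(TRUSTED_ROOTS):
        findings.append(f"value name '{entry.name}' borrows a product name but does not point at its install path")
    return findings


def triage(lines: List[str]) -> dict:
    """Map value name -> findings for every Run/RunOnce write among sandbox indicator lines."""
    results = {}
    for line in lines:
        entry = parse_run_value_event(line)
        if entry is not None:
            results[entry.name] = assess_run_entry(entry)
    return results


if __name__ == '__main__':
    for name, findings in triage(SAMPLE_EVENTS).items():
        print(name, '->', findings or 'nothing suspicious')
```

Run against the two lines, the vlc entry trips all four checks and the OneDrive control trips none. The same checks apply unchanged to output from Sysmon event 13 or an Autoruns export once the registry path and value data are extracted.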

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
(30 events, no per-event detail) N/A C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe N/A

Suspicious use of WriteProcessMemory

Source process: PID 1664, C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe (Indicator N/A on every row)
Target image on every row: the same path as the source

Target PID   Rows logged
1172         7
1140         7
2000         7
2012         7
2016         7
1288         7
1176         7
1980         7
1968         7
1688         1

That is 64 rows, and the listing stops on the first row for PID 1688, so the table looks truncated at 64 entries rather than PID 1688 genuinely receiving a single write. Every target is a child running the sample's own image. Combined with the SetThreadContext use recorded in the overview, this is the process-hollowing (RunPE) pattern: spawn a copy of yourself, overwrite its memory image, then point its main thread at the injected code. The repeated writes to each child are consistent with a PE being copied in section by section.
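The rows above are one parent writing repeatedly into children that run the parent's own image. The following Python is an added example, not part of the report: it aggregates "wrote to memory of" rows in the format printed here per source and target PID and flags sources whose targets share their image, which is the lead an analyst follows up for hollowing. The row grammar is an assumption; the rows are reconstructed from the table above (seven per child for the first nine children, one for PID 1688), and the svchost/RuntimeBroker row is a constructed control with hypothetical PIDs.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List

SAMPLE = r'C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe'

# Constructed input: the behavioral1 WriteProcessMemory table above, rebuilt row by
# row (seven rows for each of the first nine children, one row for PID 1688), plus
# one hypothetical control row from a different parent writing into a different image.
CHILD_PIDS = [1172, 1140, 2000, 2012, 2016, 1288, 1176, 1980, 1968]
ROWS = [f'PID 1664 wrote to memory of {pid} N/A {SAMPLE} {SAMPLE}'
        for pid in CHILD_PIDS for _ in range(7)]
ROWS.append(f'PID 1664 wrote to memory of 1688 N/A {SAMPLE} {SAMPLE}')
ROWS.append(r'PID 4242 wrote to memory of 4300 N/A '
            r'C:\Windows\System32\svchost.exe C:\Windows\System32\RuntimeBroker.exe')

# Row format as printed on this page:
# 'PID <src> wrote to memory of <dst> <indicator> <src image> <dst image>'.
ROW_RE = re.compile(
    r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P<indicator>\S+) '
    r'(?P<src_image>.+?\.exe) (?P<dst_image>.+?\.exe)$',
    re.IGNORECASE,
)


def summarize_writes(rows: List[str]) -> Dict[int, dict]:
    """Group cross-process writes by source PID and flag writes into copies of the source's own image."""
    writes = defaultdict(Counter)   # source pid -> Counter(target pid -> rows logged)
    images = {}                     # pid -> image path
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        src, dst = int(m['src']), int(m['dst'])
        writes[src][dst] += 1
        images[src] = m['src_image']
        images[dst] = m['dst_image']
    summary = {}
    for src, targets in writes.items():
        same_image = sorted(d for d in targets if images[d].lower() == images[src].lower())
        summary[src] = {
            'image': images[src],
            'targets': dict(targets),               # target pid -> number of write rows
            'self_image_targets': same_image,       # children running the parent's own image
            # A process writing into freshly spawned copies of itself is the
            # hollowing pattern; the sandbox row alone does not show the
            # CREATE_SUSPENDED flag or the SetThreadContext call, so treat
            # this as a lead to confirm, not a verdict.
            'hollowing_suspect': len(same_image) > 0,
        }
    return summary


if __name__ == '__main__':
    for src, info in summarize_writes(ROWS).items():
        print(src, info['image'], 'targets', len(info['targets']),
              'self-image', len(info['self_image_targets']),
              'hollowing suspect' if info['hollowing_suspect'] else 'ordinary')
```

For PID 1664 the summary shows ten targets, all of them self-image, and 64 rows in total; the control parent is reported as ordinary because its target runs a different image. On a live host the same grouping is done over Sysmon event 8/10 or ETW process-access telemetry, where the suspended-create flag is available to close the gap the comment notes.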

Processes

31 process instances were recorded, every one of them with the same image path and command line:

C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe

"C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe"

These are the original process and the copies of itself it spawned as injection targets.

Network

N/A

Files

memory/1664-54-0x0000000000210000-0x00000000004E4000-memory.dmp

memory/1664-55-0x00000000022E0000-0x0000000002370000-memory.dmp

memory/1664-56-0x0000000000790000-0x00000000007AC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-04-15 12:23

Reported

2022-04-15 12:26

Platform

win10v2004-en-20220113

Max time kernel

135s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe N/A

Geo\Nation holds the user's configured country (the Windows GeoID), not a network-derived location; reading it at startup is the usual region check by which stealers decide whether to run on a given machine.

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
All rows below were produced by C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe (Process column) with Target N/A; those two columns are omitted.

Description Indicator
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Key opened \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Key opened \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Note: of the version numbers touched, only 15.0 (Outlook 2013) and 16.0 (Outlook 2016, 2019 and Microsoft 365) are real releases that keep profiles under Office\<version>\Outlook\Profiles; the Windows Messaging Subsystem path is the Outlook 2010-and-earlier location, and 17.0 through 20.0 have never shipped. Walking all of them in sequence means the sample iterates a hard-coded list of profile locations rather than reacting to an installed Outlook, and 9375CFF0413111d3B88A00104B2A6676 is the subkey where Outlook keeps per-account settings, stored credentials included. The "Key created" rows mean the sample opened those paths with create semantics, so on a host where they did not exist the empty keys it leaves under Office\17.0, 18.0 and 20.0 are a forensic artefact in their own right.
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vlc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\VideoLAN\\vlc.exe\"" C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1948 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
PID 1948 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
PID 1948 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
PID 1948 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
PID 1948 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
PID 1948 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
PID 1948 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
PID 1948 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
PID 1948 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
PID 1948 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
PID 1948 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe

"C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe"

C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe

"C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe"

C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe

"C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 54.91.59.199:80 api.ipify.org tcp
US 8.8.8.8:53 mail.sbrenind.com udp

Files

memory/1948-130-0x00000000005E0000-0x00000000008B4000-memory.dmp

memory/1472-131-0x0000000000000000-mapping.dmp

memory/3296-132-0x0000000000000000-mapping.dmp

memory/3296-133-0x0000000000400000-0x0000000000486000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe.log

MD5 916851e072fbabc4796d8916c5131092
SHA1 d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

memory/3296-135-0x0000000005BC0000-0x0000000005C52000-memory.dmp

memory/3296-136-0x0000000006210000-0x00000000067B4000-memory.dmp

memory/3296-137-0x00000000069C0000-0x0000000006A26000-memory.dmp

memory/3296-138-0x00000000071A0000-0x00000000071F0000-memory.dmp

memory/3296-139-0x0000000007300000-0x000000000730A000-memory.dmp

memory/3296-140-0x00000000073D0000-0x000000000746C000-memory.dmp

memory/3296-141-0x0000000005843000-0x0000000005845000-memory.dmp