Analysis Overview
SHA256
d43a19e0d55377fea3acc08b3e9e1f7a964bf08da5b11c500217e184bd7cf79a
Threat Level: Known bad
The file d43a19e0d55377fea3acc08b3e9e1f7a964bf08da5b11c500217e184bd7cf79a was found to be: Known bad.
Malicious Activity Summary
MassLogger
MassLogger log file
MassLogger Main Payload
ReZer0 packer
Checks computer location settings
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
outlook_win_path
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-21 02:04
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-21 02:04
Reported
2022-05-21 03:13
Platform
win7-20220414-en
Max time kernel
85s
Max time network
132s
Command Line
Signatures
MassLogger
MassLogger Main Payload
33 matches; no description, indicator, process or target recorded.
MassLogger log file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ReZer0 packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\order.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\order.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\order.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\order.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\order.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\order.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\order.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1688 set thread context of 1792 | N/A | C:\Users\Admin\AppData\Local\Temp\order.exe | C:\Users\Admin\AppData\Local\Temp\order.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\order.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\order.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\order.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\order.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\order.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\order.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\order.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\order.exe
"C:\Users\Admin\AppData\Local\Temp\order.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rUrNVd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp55EE.tmp"
C:\Users\Admin\AppData\Local\Temp\order.exe
"{path}"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 3.220.57.224:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | smtp.gmail.com | udp |
| US | 142.250.102.108:587 | smtp.gmail.com | tcp |
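Detection logic for the chain this run shows: order.exe registering a task through schtasks.exe /Create /XML with the XML in %TEMP%, order.exe spawning a second order.exe and setting its thread context, Outlook profile registry access, and an api.ipify.org lookup followed by SMTP on 587. This is an added example, not code from the sandbox or from the sample. The Sysmon-style event dicts and their field names are constructed to mirror the behavioral1 run above; the PIDs on the registry and network events (1792) are assumed, since the report attributes them only to order.exe.

```python
"""Run simple detections over constructed Sysmon-style events mirroring behavioral1.

Added example for this page; field names (type, pid, ppid, image, parent_image,
cmdline, key, dst, port) are assumed and loosely follow Sysmon event IDs 1/12/13/3.
"""
import re

# Constructed events. PIDs 1688/1220/1792 and command lines come from the report;
# the PID on the registry and network events is assumed.
EVENTS = [
    {"type": "process", "pid": 1688, "ppid": 900,
     "image": r"C:\Users\Admin\AppData\Local\Temp\order.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\order.exe"'},
    {"type": "process", "pid": 1220, "ppid": 1688,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\order.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rUrNVd" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp55EE.tmp"'},
    {"type": "process", "pid": 1792, "ppid": 1688,
     "image": r"C:\Users\Admin\AppData\Local\Temp\order.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\order.exe",
     "cmdline": '"{path}"'},
    {"type": "registry", "pid": 1792,
     "key": r"\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft"
            r"\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook"
            r"\9375CFF0413111d3B88A00104B2A6676"},
    {"type": "network", "pid": 1792, "dst": "api.ipify.org", "port": 80},
    {"type": "network", "pid": 1792, "dst": "smtp.gmail.com", "port": 587},
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Local|Roaming)\\", re.IGNORECASE)
# /XML argument that points into the user's Temp directory
TEMP_XML = re.compile(r'/XML\s+"?([^"\s]*\\AppData\\Local\\Temp\\[^"\s]+)', re.IGNORECASE)
# Outlook profile key (Windows Messaging Subsystem or Office\<ver>\Outlook) ending in the
# profile GUID seen in this report
OUTLOOK_PROFILE = re.compile(
    r"\\(Windows Messaging Subsystem|Office\\\d+\.\d+\\Outlook)\\Profiles\\Outlook"
    r"\\9375CFF0413111d3B88A00104B2A6676$", re.IGNORECASE)
IP_CHECK_HOSTS = {"api.ipify.org"}   # the host seen here; extend with other IP-echo services
MAIL_PORTS = {25, 465, 587}


def rule_schtasks_xml_from_temp(ev):
    """schtasks.exe /Create with its task XML read from %TEMP% (persistence via task)."""
    return (ev["type"] == "process"
            and ev["image"].lower().endswith("\\schtasks.exe")
            and "/create" in ev["cmdline"].lower()
            and TEMP_XML.search(ev["cmdline"]) is not None)


def rule_self_spawn_from_user_path(ev):
    """A binary in a user-writable path spawning a copy of itself (hollowing candidate)."""
    return (ev["type"] == "process"
            and ev["image"].lower() == ev["parent_image"].lower()
            and USER_WRITABLE.search(ev["image"]) is not None)


def rule_outlook_profile_access(ev):
    """Registry access to an Outlook profile key (credential harvesting)."""
    return ev["type"] == "registry" and OUTLOOK_PROFILE.search(ev["key"]) is not None


def rule_ip_lookup_then_mail(events):
    """Stateful: a PID that contacts an IP-echo host and later opens a mail port."""
    seen_lookup, hits = set(), []
    for ev in events:
        if ev["type"] != "network":
            continue
        if ev["dst"].lower() in IP_CHECK_HOSTS:
            seen_lookup.add(ev["pid"])
        elif ev["port"] in MAIL_PORTS and ev["pid"] in seen_lookup:
            hits.append(ev["pid"])
    return hits


def run_detections(events):
    """Return (rule_name, pid) tuples for every rule that fires."""
    per_event = (
        ("schtasks_xml_from_temp", rule_schtasks_xml_from_temp),
        ("self_spawn_from_user_path", rule_self_spawn_from_user_path),
        ("outlook_profile_access", rule_outlook_profile_access),
    )
    findings = [(name, ev["pid"]) for ev in events for name, rule in per_event if rule(ev)]
    findings += [("ip_lookup_then_mail", pid) for pid in rule_ip_lookup_then_mail(events)]
    return findings


if __name__ == "__main__":
    for name, pid in run_detections(EVENTS):
        print(f"{name}: pid {pid}")
```

The self-spawn rule deliberately does not key on the literal "{path}" command line, since that string is how this report renders the child's arguments and may not match what an EDR records; a same-image child from a user-writable path plus the SetThreadContext/WriteProcessMemory hits is the durable signal.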
Files
memory/1688-54-0x0000000000E10000-0x0000000000F4E000-memory.dmp
memory/1688-55-0x0000000075E31000-0x0000000075E33000-memory.dmp
memory/1688-56-0x00000000004D0000-0x00000000004D8000-memory.dmp
memory/1688-57-0x00000000051C0000-0x0000000005278000-memory.dmp
memory/1220-58-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmp55EE.tmp
| MD5 | 561cf94e4146ff3f2ddb6468333616b2 |
| SHA1 | 4a2733ed642d1274287578470e7e14a4a5818a2e |
| SHA256 | 6f36c64b5cef5e568cab1e621e973267e7204a52e653868dd778abfad170a283 |
| SHA512 | d829eec5197a4bd9f9d65649859d7df2e0508a6c7fd55a1ff6f35ab56b0de970060ae46536c821225acd6866676d89464d539be009b819667bb909101b77b927 |
memory/1688-60-0x0000000008070000-0x0000000008120000-memory.dmp
memory/1792-61-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/1792-62-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/1792-64-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/1792-65-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/1792-66-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/1792-67-0x00000000004AB4EE-mapping.dmp
memory/1792-69-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/1792-71-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/1792-73-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/1792-75-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/1792-77-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/1792-79-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/1792-81-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/1792-83-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/1792-85-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/1792-87-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/1792-89-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/1792-91-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/1792-93-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/1792-95-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/1792-97-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/1792-99-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/1792-101-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/1792-103-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/1792-105-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/1792-107-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/1792-109-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/1792-111-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/1792-113-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/1792-115-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/1792-117-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/1792-119-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/1792-121-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/1792-123-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/1792-580-0x00000000003C0000-0x0000000000404000-memory.dmp
memory/1792-582-0x0000000004F95000-0x0000000004FA6000-memory.dmp
memory/1792-583-0x0000000000E00000-0x0000000000E14000-memory.dmp
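The memory dump names above follow a fixed pattern: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp for a region dump and memory/<pid>-<seq>-0x<addr>-mapping.dmp for a mapping. The helper below is an added example, not part of the report or of the sandbox's tooling: it parses those names, groups regions per PID and correlates them with the "PID X set thread context of Y" signature text, so the injected child's repeatedly dumped 0x400000-0x4B0000 image region and the mapping address that falls inside it can be pulled out programmatically. The sample names are copied from this run; the name pattern is inferred from them and may not cover every form the sandbox emits.

```python
"""Parse sandbox memory-dump file names and correlate them with SetThreadContext hits.

Added example; the dump-name pattern is inferred from the names in this report.
"""
import re
from collections import Counter, defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$")
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+)")

# Subset of the behavioral1 file list above (copied from the report).
SAMPLE_DUMPS = [
    "memory/1688-54-0x0000000000E10000-0x0000000000F4E000-memory.dmp",
    "memory/1688-60-0x0000000008070000-0x0000000008120000-memory.dmp",
    "memory/1220-58-0x0000000000000000-mapping.dmp",
    "memory/1792-61-0x0000000000400000-0x00000000004B0000-memory.dmp",
    "memory/1792-62-0x0000000000400000-0x00000000004B0000-memory.dmp",
    "memory/1792-67-0x00000000004AB4EE-mapping.dmp",
    "memory/1792-69-0x0000000000400000-0x00000000004B0000-memory.dmp",
    "memory/1792-580-0x00000000003C0000-0x0000000000404000-memory.dmp",
]
SIGNATURES = ["PID 1688 set thread context of 1792"]   # from the SetThreadContext table


def parse_dump_name(name):
    """Return {pid, seq, kind, start, end} for a dump name, or None if it does not match."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "kind": m["kind"],
            "start": int(m["start"], 16),
            "end": int(m["end"], 16) if m["end"] else None}


def summarize(names):
    """Per PID: how often each (start, end) region was dumped, and the mapping addresses."""
    out = defaultdict(lambda: {"regions": Counter(), "mappings": []})
    for n in names:
        d = parse_dump_name(n)
        if d is None:
            continue
        if d["kind"] == "memory":
            out[d["pid"]]["regions"][(d["start"], d["end"])] += 1
        else:
            out[d["pid"]]["mappings"].append(d["start"])
    return dict(out)


def injection_pairs(descriptions):
    """(source_pid, target_pid) for each 'PID X set thread context of Y' description."""
    pairs = []
    for s in descriptions:
        m = CTX_RE.search(s)
        if m:
            pairs.append((int(m.group(1)), int(m.group(2))))
    return pairs


def correlate(names, descriptions):
    """For each injection target, the most-dumped region and whether a mapping lies in it."""
    summary = summarize(names)
    results = []
    for src, dst in injection_pairs(descriptions):
        info = summary.get(dst)
        if not info or not info["regions"]:
            results.append({"source": src, "target": dst, "region": None,
                            "dumps": 0, "size": 0, "mapping_inside": False})
            continue
        (start, end), count = info["regions"].most_common(1)[0]
        inside = [a for a in info["mappings"] if start <= a < end]
        results.append({"source": src, "target": dst, "region": (start, end),
                        "dumps": count, "size": end - start, "mapping_inside": bool(inside)})
    return results


if __name__ == "__main__":
    for r in correlate(SAMPLE_DUMPS, SIGNATURES):
        print(f"{r['source']} -> {r['target']}: region {r['region'][0]:#x}-{r['region'][1]:#x} "
              f"({r['size']:#x} bytes, dumped {r['dumps']}x, mapping inside: {r['mapping_inside']})")
```

When the target's dominant region is the classic 0x400000 image base, is dumped many times over the run and contains the mapping address, the dumps of that region in the target PID are the ones worth carving for the unpacked payload rather than the parent's heap regions.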
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-21 02:04
Reported
2022-05-21 03:13
Platform
win10v2004-20220414-en
Max time kernel
94s
Max time network
162s
Command Line
Signatures
MassLogger
MassLogger Main Payload
32 matches; no description, indicator, process or target recorded.
MassLogger log file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\order.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\order.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\order.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\order.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\order.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\order.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\order.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\order.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4944 set thread context of 3332 | N/A | C:\Users\Admin\AppData\Local\Temp\order.exe | C:\Users\Admin\AppData\Local\Temp\order.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\order.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\order.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\order.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\order.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\order.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\order.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\order.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\order.exe
"C:\Users\Admin\AppData\Local\Temp\order.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rUrNVd" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA107.tmp"
C:\Users\Admin\AppData\Local\Temp\order.exe
"{path}"
Network
| Country | Destination | Domain | Proto |
| US | 209.197.3.8:80 | | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 54.91.59.199:80 | api.ipify.org | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 8.8.8.8:53 | smtp.gmail.com | udp |
| US | 142.250.102.108:587 | smtp.gmail.com | tcp |
Files
memory/4944-130-0x00000000000B0000-0x00000000001EE000-memory.dmp
memory/4944-131-0x0000000005060000-0x0000000005604000-memory.dmp
memory/4944-132-0x0000000004B90000-0x0000000004C22000-memory.dmp
memory/4944-133-0x0000000004D30000-0x0000000004D3A000-memory.dmp
memory/4944-134-0x0000000008DC0000-0x0000000008E5C000-memory.dmp
memory/4828-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmpA107.tmp
| MD5 | dc85c7adaa3656a6aa7cfb2732827cdc |
| SHA1 | 4e3b2b939d3a280f8f45f26b88aa7479594837be |
| SHA256 | 86a4e3343f3195df3cfffc87ad3a93d8d9088e15a88a0297a741a477cdaad115 |
| SHA512 | 30272421e4e6714aa394a0a1fbf2557e16037ccc88f046feb9012e4df67be1a1439f265edfc5ac8e2f692be93b01719add98fc32958f4ca46e1c03445a81f712 |
memory/3332-137-0x0000000000000000-mapping.dmp
memory/3332-138-0x0000000000400000-0x00000000004B0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\order.exe.log
| MD5 | 8ec831f3e3a3f77e4a7b9cd32b48384c |
| SHA1 | d83f09fd87c5bd86e045873c231c14836e76a05c |
| SHA256 | 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982 |
| SHA512 | 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3 |
memory/3332-141-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/3332-143-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/3332-145-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/3332-147-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/3332-149-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/3332-151-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/3332-153-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/3332-155-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/3332-157-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/3332-159-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/3332-161-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/3332-163-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/3332-165-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/3332-167-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/3332-169-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/3332-171-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/3332-173-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/3332-175-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/3332-177-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/3332-179-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/3332-181-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/3332-183-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/3332-187-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/3332-185-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/3332-189-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/3332-191-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/3332-193-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/3332-195-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/3332-197-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/3332-199-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/3332-201-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/3332-648-0x0000000005F30000-0x0000000005F96000-memory.dmp
memory/3332-649-0x0000000008690000-0x00000000086E0000-memory.dmp